What is the Right to be Informed?
Defined in Article 13 and Article 14, the Right to be Informed is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).
Right of be Informed Summary
- Individual data subjects have the right to be informed about the collection and use of their personal data
- Information an organization provides data subjects must be readily accessible, delivered in clear and plain language
- If an organization plans to further process the personal data for reasons other than the purposes the data initially was obtained, the organization needs to inform the data subject prior to any additional processing
- Clear distinctions, and obligations, between personal data collected directly (Article 13) and personal data collected indirectly (Article 14) from the data subject
- Closely related to the lawfulness, fairness and transparency principle and the purpose limitation principle
Business Considerations for Organizations to Understand
Right to be informed applies to:
- personal data you sell or process in transactions with other organizations
- personal data you buy or process in acquisitions from organizations
- publicly accessible personal data you process
- personal data processed using Artificial Intelligence and other treatments and sources
If personal data is collected directly from the data subject, the organization must inform the data subject at the time of the collection. If personal data is collected from other sources, not directly from the data subject, the organization must inform the data subject within a reasonable amount of time, but no later than one month from when the data was collected.
The privacy information an organization needs to provide data subjects is dependent upon the manner in which the personal data was collected. The table below indicates information to provide data subjects based upon whether or not the personal data was collected directly from the individual or indirectly. Checks indicate an affirmative determination from the organization regarding privacy information the organization will provide the data subject using one or more of the organization’s techniques.
|Privacy Information||Directly Collected Personal Data||Indirectly Collected Personal Data|
|Organization’s name and contact information||✔||✔|
|Name and contact details of representative (if applicable)||✔||✔|
|Name and contact details of DPO (if applicable)||✔||✔|
|Purpose of the processing||✔||✔|
|Lawful basis for the processing||✔||✔|
|Legitimate interests for the processing||✔||✔|
|Categories of personal data obtained||✔||✔|
|Recipients or categories of recipients of the personal data||✔||✔|
|Details of transfers of the personal data to any third countries or international organizations||✔||✔|
|Retention periods for the personal data||✔||✔|
|Data subject rights available to individuals in respect of the processing||✔||✔|
|Right to withdraw consent||✔||✔|
|Right to lodge complaints to a supervisory authority||✔||✔|
|Source of the personal data||✔||✔|
|Details of whether individuals are under a statutory or contractual obligation to provide the personal data||✔||✔|
|Details of the existence of automated decision-making, including profiling||✔||✔|
How should you provide privacy information to data subjects?
There are numerous techniques an organization can provide data subjects with privacy information, such as:
- Layered — usually short notices containing key privacy information that expand into additional layers containing detailed information
- Dashboards — management tools informing data subjects how their information is used, with preference controls to manage what data they allow the organization to process
- Just-in-time notices — relevant and targeted privacy information delivered at the time personal data is collected from the data subject
- Icons — small, meaningful, symbols that indicate the existence of a particular type of data processing
- Mobile and smart device functionalities — includes pop-ups, voice alerts and mobile device gestures
Depending on the context and resources, organizations can choose to deliver privacy information using a single technique multiple techniques among those above. However, a multi-technique approach is preferred and often is the most effective method to employ in providing privacy information to data subjects.