What information you must supply under the GDPR
What information you must supply | Data obtained directly from data subject | Data not obtained directly from data subject |
Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer | ||
Purpose of the processing and the lawful basis for the processing | ||
The legitimate interests of the controller or third party, where applicable | ||
Categories of personal data | ||
Any recipient or categories of recipients of the personal data | ||
Details of transfers to a third country and safeguards | ||
Retention period or criteria used to determine the retention period | ||
The existence of each of the data subject’s rights | ||
The right to withdraw consent at any time, where relevant | ||
The right to lodge a complaint with a supervisory authority | ||
The source the personal data originates from and whether it came from publicly accessible sources | ||
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data | ||
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences. | ||
When should information be provided? | At the time the data are obtained. | Within a reasonable period of having obtained the data (within one month). If the data are used to communicate with the individual, no later than the date when the first communication takes place; or, if disclosure to another recipient is envisaged, at the latest before the data are disclosed. |