In brief…

The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.

In more detail…

What information must be supplied?

The GDPR sets out the information that you should supply and when individuals should be informed.

The information you supply is determined by whether or not you obtained the personal data directly from individuals. See the table below for further information on this.

Much of the information you should supply is consistent with your current obligations under the DPA, but there is some further information you are explicitly required to provide.

The information you supply about the processing of personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

The table below summarises the information you should supply to individuals and at what stage.

What information must be supplied?



Data obtained directly from data subject / Data not obtained directly from data subject
Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer
Purpose of the processing and the legal basis for the processing
The legitimate interests of the controller or third party, where applicable
Categories of personal data
Any recipient or categories of recipients of the personal data
Details of transfers to a third country and safeguards
Retention period or criteria used to determine the retention period
The existence of each of the data subject’s rights
The right to withdraw consent at any time, where relevant
The right to lodge a complaint with a supervisory authority
The source the personal data originates from and whether it came from publicly accessible sources
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences

When should information be provided?

Data obtained directly from data subject: at the time the data are obtained.

Data not obtained directly from data subject:

  • within a reasonable period of having obtained the data (within one month);
  • if the data are used to communicate with the individual, at the latest, when the first communication takes place; or
  • if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

Next steps for the Article 29 Working Party

According to its workplan, the Article 29 Working Party will publish guidance on transparency in 2017.