In detail

What information must we provide when we collect personal data from individuals?

The GDPR specifies what you need to tell individuals when you collect personal data from them. There are some types of information that you must always provide, while the provision of other types of information depends on the particular circumstances of your organisation, and how and why you use people’s personal data. The table below explains what information you need to provide, what to tell people, and when it is required.

What information do we need to provide? What should we tell people? When is this required?
The name and contact details of your organisation Say who you are and how individuals can contact you.
The name and contact details of your representative

Say who your representative is and how to contact them.

A representative is an organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU.

The contact details of your data protection officer

Say how to contact your data protection officer (DPO).

Certain organisations are required to appoint a DPO. This is a person designated to assist with GDPR compliance.

The purposes of the processing

Explain why you use people’s personal data. Be clear about each different purpose.

There are many different reasons for using personal data, you will know best the particular reasons why you use data. Typical purposes could include marketing, order processing and staff administration.

The lawful basis for the processing

Explain which lawful basis you are relying on in order to collect and use people’s personal data.

This is one or more of the bases laid out under Article 6(1) of the GDPR.

 
The legitimate interests for the processing

Explain what the legitimate interests for the processing are.

These are the interests pursued by your organisation, or a third party, if you are relying on the lawful basis for processing under Article 6(1)(f) of the GDPR.

The recipients, or categories of recipients of the personal data

Say who you share people’s personal data with.

This includes anyone that processes the personal data on your behalf, as well all other organisations.

You can tell people the names of the organisations or the categories that they fall within.

Be as specific as possible if you only tell people the categories of organisations.

The details of transfers of the personal data to any third countries or international organisations

Tell people if you transfer their personal data to any countries or organisations outside the EU.

Say whether the transfer is made on the basis of an adequacy decision by the European Commission under Article 45 of the GDPR.

If the transfer is not made on the basis of an adequacy decision, give people brief information on the safeguards put in place in accordance with Article 46, 47 or 49 of the GDPR. You must also tell people how to get a copy of the safeguards.

The retention periods for the personal data

Say how long you will keep the personal data for.

If you don’t have a specific retention period then you need to tell people the criteria you use to decide how long you will keep their information.

The rights available to individuals in respect of the processing

Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability.

The rights will differ depending on the lawful basis for processing – make sure what you tell people accurately reflects this.

The right to object must be explicitly brought to people’s attention clearly and separately from any other information.

The right to withdraw consent

Let people know that they can withdraw their consent for your processing of their personal data at any time.

Consent must be as easy to withdraw as it is to give. Tell people how they can do this.

The right to lodge a complaint with a supervisory authority

Tell people that they can complain to a supervisory authority.

Each EU Member State has a designated data protection supervisory authority.

Individuals have the right to raise a complaint with the supervisory authority in the Member State where they live, where they work, or where the infringement took place.

It is good practice to provide the name and contact details of the supervisory authority that individuals are most likely to complain to if they have a problem. In practice, if you are based in the UK, or you regularly collect the personal data of people that live in the UK, you should inform people that they can complain to the ICO and provide our contact details.

The details of whether individuals are under a statutory or contractual obligation to provide the personal data

Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data.

Often, this will only apply to some, and not all, of the information being collected. You should be clear with individuals about the specific types of personal data that are required under a statutory or contractual obligation.

The details of the existence of automated decision-making, including profiling

Say whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give people meaningful information about the logic involved in the process and explain the significance and envisaged consequences.

Whilst this type of processing may be complex, you should use simple, understandable terms to explain the rationale behind your decisions and how they might affect individuals. Tell people what information you use, why it is relevant and what the likely impact is going to be.

 

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 published the following guidelines which have been endorsed by the EDPB:

Guidelines on Transparency

Guidelines on Data Protection Officers

Guidelines on Consent

Guidelines on the right to data portability

Guidelines on automated individual decision-making and profiling

What information must we provide when we obtain personal data from another source?

The information you need to provide is slightly different when you have obtained the personal data from a source other than the individual themselves.

You do not need to tell people about any statutory obligations to provide the personal data, but you do need to give people additional information on the categories of personal data you obtained and the source of that information. The table below details all the information you need to provide, what to tell people, and when it is required.

What information do we need to provide? What should we tell people? When is this required?
The name and contact details of your organisation Say who you are and how individuals can contact you.
The name and contact details of your representative

Say who your representative is and how to contact them.

A representative is an organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU.

The contact details of your data protection officer

Say how to contact your data protection officer (DPO).

Certain organisations are required to appoint a DPO. This is a person designated to assist with GDPR compliance.

The purposes of the processing

Explain why you use people’s personal data. Be clear about each different purpose.

There are many different reasons for using personal data, you will know best the particular reasons why you use data. Typical purposes could include marketing, order processing and staff administration.

The lawful basis for the processing

Explain which lawful basis you are relying on in order to collect and use people’s personal data.

This is one or more of the bases laid out under Article 6(1) of the GDPR.

 
The legitimate interests for the processing

Explain what the legitimate interests for the processing are.

These are the interests pursued by your organisation, or a third party, if you are relying on the lawful basis for processing under Article 6(1)(f) of the GDPR.

The categories of personal data obtained

Tell people what types of information you collect about them.

The recipients, or categories of recipients of the personal data

Say who you share people’s personal data with.

This includes anyone that processes the personal data on your behalf, as well all other organisations.

You can tell people the names of the organisations or the categories that they fall within.

Be as specific as possible if you only tell people the categories of organisations.

The details of transfers of the personal data to any third countries or international organisations

Tell people if you transfer their personal data to any countries or organisations outside the EU.

Say whether the transfer is made on the basis of an adequacy decision by the European Commission under Article 45 of the GDPR.

If the transfer is not made on the basis of an adequacy decision, give people brief information on the safeguards put in place in accordance with Article 46, 47 or 49 of the GDPR. You must also tell people how to get a copy of the safeguards.

The retention periods for the personal data

Say how long you will keep the personal data for.

If you don’t have a specific retention period then you need to tell people the criteria you use to decide how long you will keep their information.

The rights available to individuals in respect of the processing

Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability.

The rights will differ depending on the lawful basis for processing – make sure what you tell people accurately reflects this.

The right to object must be explicitly brought to people’s attention clearly and separately from any other information.

The right to withdraw consent

Let people know that they can withdraw their consent for your processing of their personal data at any time.

Consent must be as easy to withdraw as it is to give. Tell people how they can do this.

The right to lodge a complaint with a supervisory authority

Tell people that they can complain to a supervisory authority.

Each EU Member State has a designated data protection supervisory authority.

Individuals have the right to raise a complaint with the supervisory authority in the Member State where they live, where they work, or where the infringement took place.

It is good practice to provide the name and contact details of the supervisory authority that individuals are most likely to complain to if they have a problem. In practice, if you are based in the UK, or you regularly collect the personal data of people that live in the UK, you should inform people that they can complain to the ICO and provide our contact details.

The source of the personal data

Tell people where you obtained their information from. If it was from a publicly accessible source you must say this.

Be as specific as possible and name the individual source(s) the personal data was obtained from. If you can’t do this because you don’t know the specific source, you should provide more general information.

The details of the existence of automated decision-making, including profiling

Say whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give people meaningful information about the logic involved in the process and explain the significance and envisaged consequences.

Whilst this type of processing may be complex, you should use simple, understandable terms to explain the rationale behind your decisions and how they might affect individuals. Tell people what information you use, why it is relevant and what the likely impact is going to be.

 

Further reading – European Data Protection Board  

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 published the following guidelines which have been endorsed by the EDPB:

Guidelines on Transparency

Guidelines on Data Protection Officers

Guidelines on Consent

Guidelines on automated individual decision-making and profiling