At a glance

  • The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
  • It emphasises the need for transparency over how you use personal data.

In brief

What information must be supplied?

The GDPR sets out the information that you should supply and when individuals should be informed.

The information you supply is determined by whether or not you obtained the personal data directly from individuals. See the table below for further information on this.

The information you supply about the processing of personal data must be: 

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

The table below summarises the information you should supply to individuals and at what stage.

What information must be supplied? Data obtained directly from data subject Data not obtained directly from data subject
Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer
Purpose of the processing and the lawful basis for the processing
The legitimate interests of the controller or third party, where applicable
Categories of personal data  
Any recipient or categories of recipients of the personal data
Details of transfers to third country and safeguards
Retention period or criteria used to determine the retention period ✓ 
The existence of each of data subject’s rights ✓ 
The right to withdraw consent at any time, where relevant ✓  ✓ 
The right to lodge a complaint with a supervisory authority ✓ 
The source the personal data originates from and whether it came from publicly accessible sources   ✓ 
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data  
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences ✓ 
When should information be provided? At the time the data are obtained. Within a reasonable period of having obtained the data (within one month)
If the data are used to communicate with the individual, at the latest, when the first communication takes place; or
If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

 

In more detail - ICO guidance

Further guidance for organisations on how to comply with ‘the right to be informed’ is provided in the ICO privacy notices code of practice.

 

In more detail - Article 29 Working Party

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party will publish guidance on transparency in 2017, according to its workplan.