More about your Right to Information
A data controller has to give you a wide range of information about what they will do with your personal data. In most situations this information must be made available to you before any personal data has been processed.
Three things to remember
- The organisation’s data protection information must be easy to find and easy to understand. It’s not your fault if you don’t understand it, it’s their job to explain it to you properly. If you don’t fully understand you can (and should) get in touch with them and ask them to explain it.
- There is a list of information which must be provided to you either 1) at the time your personal data is collected if it is collected directly from you or 2) as soon as possible afterwards if your personal data is not collected directly from you.
- The information obligations on controllers apply no matter what size the controller is. Controllers, large and small, can be sanctioned for failing to meet their obligations.
Information you must be given
Who the data controller is and how to contact them
Identifying the controller is important if you want to move on to making an access request, which will in turn unlock more of your data protection rights. For this reason you need to know who they are and how to contact them.
Contact details for the Data Protection Officer
Some, but not all data controllers must appoint a Data Protection Officer. If a controller does have a Data Protection Officer then this should be stated and contact details for the DPO provided as part of the data protection information given to you. If they do have a DPO then you have a right to contact them.
What personal data is being processed
This should be clearly stated.
The purpose and lawful basis of the processing
These should be clearly stated. Finding out which lawful basis the controller is using to process your data is frequently necessary so you can identify which additional rights you can exercise e.g. if the controller is using their legitimate interests as their lawful basis then you have the right to object to their processing of your data.
A description of the legitimate interests pursued by the data controller
If the controller’s legitimate interests are being relied upon as a lawful basis then what these legitimate interests are must be stated and described. The more specific the description the better. Ideally there should be evidence that the controller has carried out a Legitimate Interests Assessment which provides an explanation of why the controller feels their interests outweigh your rights.
The recipients or categories of recipients of your personal data
If the data controller is going to share your personal data with any third parties then these third parties should be listed. In some cases it is acceptable for the controller to list categories of recipients but, as above, the more detail you are given the better.
Whether your personal data will be transferred outside the European Economic Area
Transfers of your personal data outside the European Economic Area (this is the 27 European Union member states plus Iceland, Liechtenstein and Norway) are generally prohibited without appropriate safeguards. If data is being transferred outside the EEA then you must be told. The mechanism being used must be stated (this is usually one of either an adequacy agreement, standard contractual clauses or binding corporate rules). If your data isn’t being transferred outside the EEA then this should be stated.
How long your personal data will be kept for
The controller has to tell you how long they will keep your personal data, or at the very least what criteria are being used to calculate how long your personal data will be retained for.
This is important information for you to know so you can assess whether your data is being processed in accordance with the principle of storage limitation.
What rights you have as a data subject
The data protection information given to you must include a list of your data subject rights and how you can go about exercising them. Namely
- Your right of access
- Your right to rectification
- Your right to erasure
- Your right to restrict processing
- Your right to object
- Your right to data portability
- Your right to withdraw consent (where applicable)
- Your right to lodge a complaint with the DPC
Transparency is one of the principles of data protection and applies to three main areas
1) the information provided to you relating to fair processing
2) the information provided to you relating to your rights
3) the information provided to you about how to exercise your rights, and the information you are given when you are exercising those rights.
Not only must all data be processed in a manner that is transparent to you, the principle of accountability requires that the data controller must be able to demonstrate this i.e. they must show you how they are achieving this transparency.
Not giving you complete data protection information means the controller is not processing your data transparently.
If they don’t give you this information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (GDPR, Article 12.1) then they are not processing your data transparently.
Enforcement in action: In April 2019 the Information Commissioner’s Office in the UK fined Bounty, “a pregnancy and parenting club” which “collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.” Commenting on the fine, Steve Eckersley, ICO’s Director of Investigations, said “Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed.”
Read more elsewhere
Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)