In the wake of the General Data Protection Regulation (GDPR), there has been a significant strengthening of individuals’ rights over their own data. An important part of the GDPR is Article 13, which outlines the obligation to inform data subjects about who is collecting their data, why it’s being collected, and how it will be used.
Article 13 ensures that the data subjects are informed from the start about how their information is handled, which supports transparency and enables individuals to maintain control over their own data.
What does Article 13 entail?
Article 13 of the GDPR addresses the situation where you, as a data controller, collect personal data directly from the data subject. The right to be informed requires that you, on your own initiative, provide the data subject with the following information in a clear and understandable form:
- The identity and contact information of the data controller. If you have appointed a Data Protection Officer (DPO), their contact information must also be provided.
- The purposes of processing for which the personal data is intended, as well as the legal basis for the processing.
- If the processing is based on Article 6(1)(f) of the GDPR, which concerns legitimate interests as the basis for data collection, the data subject must be informed about these legitimate interests.
- If you know at the time of data collection that the personal data will be disclosed to a third party, you must inform the data subject accordingly.
- If personal data is transferred to a third country, this must be disclosed, along with information on whether the third country is considered safe or unsafe, and why the transfer is taking place.
To ensure fair and transparent data processing, you, as a data controller, must also provide the data subject with information about:
- The duration for which the personal data will be stored, or the criteria used to determine the storage period if a specific timeframe is not known.
- The individual’s rights to request access to, correction of, or deletion of personal data, as well as the right to restrict or object to its processing.
- The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent given prior to the withdrawal.
- The right to submit a complaint to a supervisory authority.
- Whether the data subject is obliged to provide the information due to law, contract, or similar obligations, and the possible consequences of failing to do so.
- Information about the use of automated decision-making processes, including profiling, along with an explanation of how these processes work and their significance and possible consequences for the data subject.
To comply with the right to be informed, it is important that you, as a data controller, provide the information to the data subject. It is not sufficient to simply store the information on a website for the data subject to find - you must actively provide this information. For example, if you collect personal information via the organization's website, the required information may be provided using text in a pop-up message. The primary information can be displayed here, with a link to more detailed information if needed.
Information regarding new purposes
As a data controller, it is important to understand that if you wish to use collected personal data for purposes other than the originally stated one, you must first inform the data subject of the new purpose. This must be done before you begin the new processing.
Furthermore, it is necessary to provide all relevant information about the new purpose to ensure transparency.
That being said, as a data controller, you should also know that the above obligations are waived if the data subject has already been informed of the specific details regarding data collection, the purpose of processing, and other relevant information. For example, if a user has already been fully informed about how their data will be used when signing up for a service, you do not need to inform them again about the same details in future processing.