GDPRInformation Obligations

One requires transparency in gathering and using data in order to allow EU citizens to exercise their rights to personal data. Therefore, the General Data Protection Regulation sets forth a variety of information obligations.

The law differentiates between two cases: On the one hand, if personal data is directly obtained from the impacted party (Art. 13 of the GDPR) and, on the other hand, if this is not directly obtained from the impacted person (Art. 14 of the GDPR). For direct obtaining of information, the person must be immediately informed.

In terms of content, the obligation to inform of the responsible party include identity, contact data of the Data Protection Officer (if available), the processing purposes and the legal bases, any justified interest, about the receiver when transmitting the data, and also about any transfer to third countries. In addition, the information obligation also includes information about the duration of storage, the rights of the impacted parties, the ability to withdraw consents, the right to complain to the authorities, as well as the statutory or contractual obligation to provide personal data. In addition, they must be informed of any automated decision-taking or other profiling activities. This information requirement can be dispensed for direct collection only if the impacted person already has this information.

If the information gathering is not done with the impacted person, this person must be informed within a reasonable period of time, but at latest after a month, when using this information for communication, inform them through direct contact. As far as content is concerned, the responsible party is also subject to the same information obligations with this type of information gathering. The only exception is only information about the obligation to provide, as the responsible party cannot decide about this on his own. In addition, he has the obligation to inform from what sources the data originated, and whether it was publicly available. The information obligations must be provided in a precise, transparent, comprehensible and easily accessible form. This can be communicated to the impacted person in writing or electronic form. It is explicitly explained that also so-called ‘standardised image symbols’ can be used in order to convey a meaningful overview of the intended processing in an easily comprehended, understandable and clear form.

In the case that the personal data is not gathered from the impacted party, the information obligation need not be fulfilled in exceptional cases. This applies if this is either impossible or unreasonably expensive, the gathering and/or transmission is required by law, or if professional secrecy or other statutory secrecy obligation is in place.