Without transparency, data subjects cannot properly exercise their rights
Identify all forms of data collection so that information is provided in a timely manner
Check whether the information covers all relevant aspects of GDPR Art. 13 and 14
Why must such information be provided? Because without it, the data subject would be unable to exercise his or her rights and control his or her data. Where the data are collected from other sources, in many cases the data subject would not know that your organization had acquired them at all.
So the GDPR standard is transparency that gives the data subject a broad scope of control. Information must be provided upon collection and, if data are obtained from other sources, upon first contact with the data subject or first disclosure of the data, but no later than within a month. It includes the contact details of the controller and, if designated, of its EU representative and data protection officer, a list of all purposes of processing, its legal basis, and any legitimate interests pursued by the controller or a third party. Information should also cover data sharing: to which recipients the data will be disclosed and, in the case of data transfers outside the European Economic Area, what their legal basis and safeguards are.
The data subject needs to know for how long the data will be stored and what his or her rights are. The data subject must be informed whether providing data is required, what the source of the requirement is, and what the consequences of not providing the data would be. Also, if data are used for automated decision-making with legal or other significant effects, its logic and possible consequences should be described. Finally, if data are collected from other sources, inform the data subject about that source and the categories of data obtained.