Art. 13 GDPR

GDPR – General Data Protection Regulation (EU/2016/679)

Article 13

Information to be provided if personal data is collected from the data subject

1. Where data concerning the data subject are collected from the data subject, the data controller shall provide the data subject with the following information at the time the personal data are obtained:

a) the identity and contact details of the data controller and, where applicable, of his representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis of the processing;

d) if the processing is based on Article 6, paragraph 1, letter f), the legitimate interests pursued by the data controller or by third parties;

e) any recipients or any categories of recipients of the personal data;

f) where applicable, the intention of the data controller to transfer personal data to a third country or to an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to the appropriate or suitable guarantees and the means of obtaining a copy of these guarantees or the place where they have been made available. (1)

2. In addition to the information referred to in paragraph 1, at the time the personal data are obtained, the data controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing:

a) the retention period of the personal data or, if this is not possible, the criteria used to determine this period;

b) the existence of the right of the data subject to ask the data controller for access to personal data and for their rectification or erasure, or for the restriction of the processing of personal data concerning him, or to object to their processing, in addition to the right to data portability; (1)

c) if the processing is based on Article 6, paragraph 1, letter a), or on Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) whether the provision of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data;

f) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and envisaged consequences of such processing for the data subject.

3. If the data controller intends to further process personal data for a purpose other than that for which they were collected, before such further processing, he shall provide the data subject with information regarding this different purpose and any further pertinent information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 do not apply if and to the extent that the data subject already has the information.

(1) Letter thus corrected by Corrigendum published in the OJEU 23 May 2018, n. 127 L-series


__________

For insights on the subject, see:

Information to the data subject

A basic obligation for any controller, it necessarily benefits from a good ability to analyze (in particular) the processing flows. The notice required by the EU Regulation is richer in information than the current one, and preparing it is by no means a trivial operation: for example, the controller must state the retention period of personal data, or the criteria used to determine this period. Last but not least, the language of the notice must be simple and clear. We distinguish two cases, depending on whether the information is to be provided when data are collected from the data subject or from a different party.


Below are the related Recitals:

(60) The principles of fair and transparent processing imply that the data subject is informed of the existence of the processing and its purposes. The controller should provide the data subject with any additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and of the consequences thereof. In the case of personal data collected directly from the data subject, he should also be informed of any obligation to provide the personal data and of the consequences he incurs if he refuses to provide them. This information can be provided in combination with standardized icons to give, in an easily visible, intelligible and clearly legible way, an overview of the intended processing. If presented electronically, icons should be machine readable.

(61) The data subject should receive information regarding the processing of personal data concerning him or her at the time of collection from the data subject or, if the data are obtained from other sources, within a reasonable time, depending on the circumstances of the case. If the personal data may lawfully be disclosed to another recipient, the data subject should be informed of this when the recipient receives the first disclosure of the personal data. If the data controller intends to process personal data for a purpose other than that for which they were collected, he should provide the data subject, prior to such further processing, with information regarding this different purpose and other necessary information. If it is not possible to communicate the origin of the personal data to the data subject because various sources have been used, information of a general nature should be provided.

(62) Conversely, there is no need to impose an obligation to provide information if the data subject already has the information, if the recording or disclosure of personal data is required by law, or if informing the data subject proves impossible or would require a disproportionate effort. The latter possibility could occur, for example, in processing carried out for archiving purposes in the public interest, for scientific or historical research or for statistical purposes. In such cases, the number of data subjects, the age of the data and any adequate guarantees in place may be taken into account.
