📕 Articles 12, 13 and 14 of the GDPR deal with the right of users whose data are collected to be informed. The data controller must put this into effect.
Article 12 enforces the transparency of information that the data controller must communicate to the user.
Article 13 lists every piece of information that the data controller must communicate to users at the time he collects their personal data:
- His identity and contact details.
- The Data Protection Officer's (DPO) contact details.
- The purposes for processing personal data (the reason why data are collected) and the legal basis of data processing.
- Where applicable, the legitimate interests pursued by him or by a third party.
- The recipients of the data.
- Whether he intends to transfer data to a foreign country (outside of the European Union) or to an international organisation, and whether or not there is an adequacy decision from the Committee, or a reference to the appropriate guarantees (such as contract clauses or an intra-firm agreement).
The data controller must inform users about:
- The retention period of personal data or, when not possible, the criterion used to determine this retention period.
- The user's right to access, rectify, erase, limit, object to processing and his right to data portability.
- The user's right to withdraw his consent when processing is based on consent.
- The user's right to appeal to the supervising authorities.
- Whether providing data is regulatory or contractual (if the execution of a contract relies on it).
- Whether the data processing includes automated decision-making, including profiling; where applicable, the user must be given information about the underlying logic and about the importance and intended consequences of the processing for the affected user.
When the data controller intends to process the personal data for a purpose other than the one for which they were collected, he must first inform the affected user of that other purpose and, if the processing was based on consent, collect consent again.
All this information must be provided to the user at the time of collection, for instance through a link to the Privacy Center and a relevant extract of it in the electronic collection form.
According to Article 14, when you collect personal data indirectly, you, as the data controller, must provide the affected user with all the information above, as well as the source of the personal data and the categories of data collected.
This information must be provided from the first communication or one month after the data collection at the latest, for instance with a link to the Privacy Center and a relevant extract of it in an email.
There are some exceptions: for instance, when the affected user has been informed beforehand, when it is impossible to give this information or when doing so requires disproportionate effort (processing for archiving in the public interest, for scientific or historical research, or for statistics), or when the personal data must remain confidential under a professional secrecy obligation.