Articles 12, 13 & 14 of the GDPR
The Right to be Informed of Personal Data Processing
The right to be informed of personal data processing means that data subjects have the right to obtain information about the collection and use of their personal data. Articles 12, 13 and 14 of the EU General Data Protection Regulation (GDPR) govern this right. The right to be informed of personal data processing is one of the eight (8) fundamental rights that data subjects have under the GDPR.
If the company has received the personal data directly from the data subject, Article 13 of the GDPR applies. If the company has received the personal data from someone else, Article 14 of the GDPR applies. These articles regulate the minimum information which the company has to provide.
Time of informing the data subjects of the processing
Article 13 GDPR: The right to be informed of personal data processing is regulated in article 13. This article applies if the company has received the personal data directly from the data subject. In that case, the company shall inform the data subject about the processing when it receives the personal data.
Article 14 GDPR: The right to be informed of personal data processing is also regulated by article 14 of the GDPR. This article applies if the company collects the personal data from a third party. In such cases, the company shall provide the information:
- Within a reasonable time from receipt, but no later than one (1) month. When assessing a reasonable period of time, the company shall take into account the specific circumstances of the processing of the personal data. A specific assessment is therefore required in each individual case;
- If the company is to process the personal data in order to communicate with the data subject, the information about the processing shall be provided at the latest when the first communication takes place; or
- If the company intends to disclose the personal data to another recipient, the information about the processing shall be provided at the latest in connection with the first time the personal data is disclosed.
If the data subjects are children
In some cases, a company can process personal data belonging to children without guardian consent. However, the rules are stricter when it comes to such processing. For example, the company must ensure that the processing information is easy to understand for the children, who are the data subjects. In addition, the privacy notice must be drafted in the national language. An international company was in breach of the GDPR in the Netherlands. This specific company runs a mobile application with many children as users. The information about the company’s personal data processing was in English. This was not allowed and therefore the company had to pay a fine.
Fulfill the data subjects' right to be informed of personal data processing through a privacy notice
It is important to ensure that the company provides the information that the GDPR requires. The information should be set out in writing in a so-called “privacy notice”. It is common for companies to publish their privacy notice on their official website. This type of notice is often published in the footer of a website, to ensure that it is always easy to find.
Please note that the company should have its privacy notice separate from other notices and terms. In other words, a privacy notice should not be included in the general terms, a cookie notice or similar.
The content of a privacy notice
For example, a privacy notice should provide the following information to data subjects about the company’s processing of personal data:
Controller and processor
Who the data controller is, and its contact details. In addition, it must be stated whether the company engages any personal data processors.
Legal basis
The legal basis on which the company bases the processing. For example, consent, performance of a contract with data subjects or legitimate interest.
Purpose
What the purpose of the processing is. The purpose must be specific and clear to the data subjects.
Storage duration
How long the company will process and save the personal data. It is important to keep in mind that companies should delete personal data when it is no longer necessary for the purpose for which it was collected. This is in accordance with the principle of storage limitation.
Third country
Whether the company transfers personal data to a third country, in other words a country outside the EU-EEA area. When a company transfers personal data to a third country, the rules are stricter.
Rights
The rights of data subjects. For example, the right of access to personal data and the right to erase personal data. Also, the data subjects' right to lodge a complaint to a supervisory authority.
Source
Companies that receive personal data in a way other than directly from the data subject shall inform the data subjects of how they collected the personal data. This is regulated in article 14 of the GDPR.
A company does not always have to provide information to data subjects under the right to be informed of personal data processing
Here are examples of some situations where a company does not need to provide information about the processing to the data subjects:
- If the data subject already has access to the information. For example, if the information is presented every time a person logs into their account on a payment service;
- If the company collects personal data from another source, and it would be disproportionate or impossible to provide access to the information. This applies in particular when the processing of personal data is carried out for scientific research purposes, historical research purposes or archiving purposes that are in the public interest;
- Where the disclosure or receipt of personal data is expressly based on a law to which the data subject is subject, provided that that law lays down appropriate measures to protect the data subject’s legitimate interests; or
- In the event that a company is required to keep the personal data in question confidential due to a law to which the company is subject. That is to say, that the company is bound by a legal obligation to respect the confidentiality of the processed personal data in question.
Other data subjects' rights under the GDPR
Right of access
An individual has the right to request access to their personal data that a company processes. Upon such request, the company shall provide such access. The company shall inform the individual which categories of personal data it processes, as well as the purpose of the processing, the retention period and how the collection has taken place. In addition, the company shall provide a copy of the processed personal data.