Even before the GDPR, the Telecommunications Act required that website users be informed about the use of personal data in a privacy statement. The GDPR requires in Article 13 that data subjects must be informed about the use of personal data when it is collected. Article 14 requires that if the data is obtained from a third party, the data subject must be informed within 30 days.
Duty to inform
When personal data is collected, the data subject must be provided with the following information:
- The name and contact details of the controller and, if applicable, their representative
- The contact details of the data protection officer, if available
- The purpose of processing
- The legal ground (Article 6).
- If the legal ground is “legitimate interest”, these interests must be specified. It should also be documented why these interests outweigh the interest of the data subject who does not want the data to be processed.
- Recipients or categories of recipients, if applicable (e.g. suppliers, tax advisors, …)
- If applicable, whether the data will be transferred to a third country without equivalent data protection and how data protection is nevertheless ensured (see US-EU Privacy Shield).
- The duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- Information about the right of access to personal data and the right to erasure or restriction and opposition, as well as the right to data portability.
- If the processing is based on the data subject’s consent, he or she must be informed of the right to withdraw consent.
- Reference must be made to the right to complain to the supervisory authority.
- If the data is required for the performance of the contract, it must be stated what the possible consequences of not providing it are.
- If automated decisions are made or profiling is performed, meaningful information about the logic involved and the scope and intended effects must be provided (Article 22(1) and (4)).
- If the data was not collected directly from the data subject, it must also be stated where the data originated and, if applicable, whether it was obtained from a publicly accessible source (further details and restrictions in Article 14 GDPR).
If a data subject already has this information, it does not need to be provided again.
The obligation to inform about data received from third parties is often difficult to implement correctly. Data from third parties include, for example, orders that arrive via an intermediary or data that have been researched on the Internet. As mentioned, according to Article 14 GDPR, data subjects must be informed about the processing within 30 days.
A pragmatic approach to implementation is also to refer to the privacy statement in all documents (offer, invoice, letters, …) as well as in all e-mails. This automatically transmits the required information at the next customer contact.
Article 14 requires that, if data are disclosed to third parties, the data subject must be informed within 30 days at the latest that his or her data will be processed.
easyGDPR lite helps you to implement this task quickly and efficiently.