GDPR Article 13

Information to be provided to the data subject


GDPR has the objective of protecting the rights and freedoms of data subjects with regard to the processing of their personal data. The principle of 'transparency' requires data subjects be told their personal data is being processed, who by and what for. They must be told their rights, and data controllers must do this in a clear, easily understood format, when the data is collected. If you get the personal data from another person, the data subject must be told the same information as soon as possible, at least within one month, or at the time of first contact if the data is used for direct marketing.

Data to be communicated

  1. the identity and contact details of the data controller
  2. contact details for the data protection officer if you have one
  3. the purposes of processing
  4. the legal basis for processing
    1. if the legal basis is 'legitimate interest' what those legitimate interests are
    2. if the legal basis is 'consent', that the data subject has the right to withdraw consent at any time
    3. if the legal basis is 'legal obligation' or 'contract', whether providing the data is mandatory and possible consequences for failing to do so
  5. the recipients or categories of recipient of the data, if appropriate
  6. the safeguards (or where to get a copy of them) used, if you intend to transfer the data to an international organisation, or a country outside the EU
  7. how long the data will be stored, or the criteria used to determine that period
  8. the data subject rights to request:
    1. access
    2. rectification (to fix inaccurate data or complete incomplete data)
    3. erasure
    4. restriction of processing (typically while a dispute is resolved)
  9. the data subject rights to:
    1. object to processing
    2. data portability
    3. lodge a complaint with the supervisory authority (ICO)
  10. that you intend to use automated decision making, and meaningful information about the logic involved, the significance and the envisaged consequences, if this applies to the processing

What you need to do

You should adjust your processes and procedures to ensure you tell data subjects all this information when you collect their data.

If you collect data from someone else, such as a colleague, you must tell the data subject where you got the data from, and all the listed items as soon as possible, and within one month. If the data is to be used for direct marketing, this information can be given in the first communcation.

You do not need to tell the data subject all this information if they already have it.

Burden of proof

As with all of GDPR, to avoid potential fines, you must be able to prove you have provided this information, or you did not need to do so. This may mean you need to make additional changes to keep call recordings, scan documents, or keep originals.

If you need advice about GDPR, contact us!

FREE initial consultation!

Call now on 0800 2800 679