
Information obligations of the GDPR

What is the difference between the information requirements for direct collection and indirect collection?

You should start the new year with good intentions. In the area of data protection, it would be a good idea to bring the information obligations of the GDPR up to speed. After all, the right to information is probably the most important data subject right in the GDPR. The GDPR distinguishes between the collection of personal data from the data subject (direct collection) and collection from third parties or public sources (indirect collection). The first case is covered by Article 13 GDPR, the second by Article 14 GDPR. In both cases, the data subjects must be informed about the circumstances of the data collection.

Transparency in the collection of personal data is very important under the GDPR. Companies must therefore be able to explain to data subjects why they collect and process data and what kind of data is involved. As a mirror image of the information obligations, the data subject's right of access under Article 15 GDPR ensures that the controller provides the data subject with information about this processing on request.

When is the correct time for the information obligation?

The timing of the information obligation under the GDPR differs between direct and indirect collection. In the case of direct collection, the information must be provided at the time the data is collected. In the case of indirect collection, Recital 61 of the GDPR allows a reasonable period of time, which depends on the specific individual case and may last up to one month. However, if the data is used to communicate with the data subject or is disclosed to another recipient, the data subject must be informed at the latest at the time of the first communication or disclosure.

What information must the information obligations contain?

The required information depends on the type of data collected. The data subject must receive at least the following information; this list is not exhaustive. Articles 13 and 14 GDPR regulate the catalogue of duties in detail.

  1. Name and contact details of the controller. This includes at least the postal address and the e-mail address.
  2. If applicable, the contact details of the Data Protection Officer.
  3. Purposes of the processing and their legal basis. The information must be sufficiently detailed to enable the data subject to identify the processing operations that are likely to be carried out.
  4. Recipients of the data. This also includes internal departments, processors and third parties.
  5. Categories of data.
  6. Duration of storage. The information must be meaningful enough that the data subject can at least work out when their data will be deleted.
  7. If applicable, the controller's intention to transfer the data to a country outside the EU. As data protection is generally weaker there, the data subject can use this information to object to the transfer in advance. In order to assess the level of data protection, the data subject must be informed whether an adequacy decision by the EU Commission has been issued or whether other guarantees such as the Privacy Shield or standard contractual clauses exist.
  8. Information about the data subject's rights of access, rectification, erasure, restriction of processing, data portability, objection and complaint to a supervisory authority.
  9. In the case of indirect collection, the source from which the data are taken and whether they are publicly available.

According to Article 12 paragraph 1 GDPR, the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information provided in the Data protection The central principle of purpose limitation also applies to the information obligations. If a controller intends to further process the data for a purpose other than the one originally specified, it must inform the data subjects in advance, in accordance with Article 13 paragraph 3 and Article 14 paragraph 4 GDPR.

What are the possible consequences of breaches of information obligations?

A breach of the obligation to provide information under the GDPR constitutes a breach of duty that may result in a fine. Furthermore, it is quite possible that the breach also affects the lawfulness of the data processing. If the data subject was obliged to tolerate or cooperate in the data collection, the omitted notification can be made up for; in that case, the data collection remains lawful. However, if the data collection depended on the will of the data subject, and the data subject was unable to consent to the collection and processing because of a lack of timely information, a double illegality exists: both the data collection and the processing are unlawful. The unlawfully collected and processed data must be deleted.

The company must be able to demonstrate that it has fulfilled its obligations to provide information to data subjects. Companies are therefore required to document their information obligations in writing.

Ulrich Hottelet
