The right to be informed is a fundamental principle of transparency enshrined in GDPR. This right ensures that individuals are fully aware of how their personal data is collected, processed, stored, and shared. By meeting these requirements, organisations can foster trust, demonstrate accountability, and avoid regulatory pitfalls.
Below is a detailed exploration of the right to be informed and its practical implications.
What Is the Right to Be Informed?
The right to be informed grants individuals clarity about the use of their personal data. It is covered under Articles 13 and 14 of GDPR, which outline the minimum information that must be provided to individuals, also known as ‘privacy information.’
Providing clear and accessible privacy information is essential for compliance and is key to building trust with individuals. Organisations must proactively communicate this information to individuals at the time of data collection or within a reasonable period when data is obtained from third parties.
What Privacy Information Should Be Provided?
Organisations must provide individuals with the following details:
Organisational Information:
Name and contact details of the organisation
Contact details of a representative (if applicable)
Contact details of the data protection officer (if applicable)
Purpose and Lawfulness:
The purposes of processing the data
The lawful basis for the processing
Legitimate interests (if applicable)
Data Details:
Categories of personal data obtained (if not collected directly from the individual)
Recipients or categories of recipients of the data
Details of data transfers to third countries or international organisations
Retention periods for the data
Individual Rights:
Information about the rights available to individuals (e.g., access, rectification, erasure)
The right to withdraw consent (if applicable)
The right to lodge a complaint with a supervisory authority
Additional Information:
The source of the data (if obtained from a third party)
Details of statutory or contractual obligations related to providing the data
Information on automated decision-making, including profiling, if applicable
When Should Privacy Information Be Provided?
Direct Data Collection: When collecting personal data directly from individuals, privacy information must be provided at the time of collection.
Data Obtained from Other Sources: If data is obtained from a third party, privacy information must be provided:
Within one month of obtaining the data
At the first point of communication (if applicable)
Before disclosing the data to another party
How Should Privacy Information Be Delivered?
To meet GDPR standards, privacy information must be:
Concise: Avoid unnecessary complexity.
Transparent: Clearly explain all processing activities.
Intelligible: Use plain, simple language tailored to the audience.
Accessible: Ensure the information is easy to find and navigate.
Organisations should employ a mix of methods to provide privacy information effectively, such as:
Layered Approach: Present key details upfront with links to additional information.
Dashboards: Offer preference management tools to allow individuals to control their data.
Just-in-Time Notices: Display relevant information at the point of data collection.
Icons: Use visual cues to summarise key aspects of processing.
Smart Device Functionalities: Leverage pop-ups or voice prompts for mobile and smart device users.
Exceptions to Providing Privacy Information
In certain circumstances, organisations are exempt from providing privacy information, such as:
When the individual already has the information
When providing the information would involve disproportionate effort
When the data must remain confidential due to legal obligations or professional secrecy
Best Practices for Drafting and Maintaining Privacy Information
Information Audits: Conduct data mapping exercises to understand the personal data held and its uses.
Audience-Centric Design: Consider the needs and expectations of the intended audience, including children where applicable.
User Testing: Evaluate the clarity and effectiveness of your privacy information through user feedback.
Regular Reviews: Keep privacy information up to date and accurate, especially when processing activities change.
Proactive Updates: Notify individuals about any new uses of their personal data before commencing such processing.
Why Is the Right to Be Informed Important?
Handling the right to be informed correctly helps organisations comply with other aspects of GDPR, enhances transparency, and builds trust with individuals. However, failing to provide adequate privacy information can result in fines and reputational damage. By prioritising this right, organisations can demonstrate accountability and strengthen their relationships with individuals.
Conclusion
The right to be informed is a vital component of GDPR compliance and a cornerstone of transparent data processing practices. By providing clear, accessible, and comprehensive privacy information, organisations not only fulfil their legal obligations but also foster trust and confidence among individuals. Implementing best practices and regularly reviewing privacy information ensures ongoing compliance and accountability.