
When a data subject submits its personal data to a controller, the controller is obliged under Article 13 of the GDPR to provide all of the following information to the data subject once it is in receipt of the personal data:
- The identity and contact details of the controller and where applicable of the controller’s representative
- The contact details of the data protection officer
- The purpose of the processing and its legal basis
- The legitimate interests pursued by the controller or a third party if the processing is carried out under Article 6 (1) (f)
- The recipients of the personal data if any
- Whether the personal data shall be transferred to a third country or an international organisation, or transferred as per Articles 46, 47 and 49, together with a reference to the safeguards that have been put in place.
Further, the data controller shall also provide additional information to the data subject in order to comply with the principles of transparent processing, such as the following:
- The period for which the data shall be stored
- The right to erasure and right to data portability
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- Whether the data being collected is a statutory or contractual requirement
- The logic behind processing the data and the existence of automated decision making if that is being employed
If the data is being used for any purpose other than the original intended purpose, the data subject has a right to be aware of all the relevant information.
Exceptions:
The above requisites shall not apply when the data subject already has all the information, or when complying with the requisites would be at loggerheads with the interest of society at large, especially when the processing is done for archiving purposes in the public interest.
Analysis:
The above information must be provided to the data subject in the form of a privacy notice. However, there is still scope for clarity, as Article 13 does not specify in which instances the information has to be provided to the data subject. Personal data is collected at various points and for many purposes. For example, customers share their personal data with organisations to get services, employees share email addresses while interacting with businesses in order to perform their duties, etc. It can be quite cumbersome for a data controller to send out a privacy notice to each data subject for each and every personal detail received.
It remains to be seen how the GDPR is interpreted by data controllers and what the scope of default in Article 13 is.
Reference:
https://www.scl.org