Right to be Informed | GDPR
Data Subjects have the right to be informed about your processing of the personal data.
What is the Right to Be Informed?
Your company has an obligation under the GDPR to inform individuals about the processing of their personal data. This means you must provide clear information to those whose data you handle.
This obligation must be fulfilled before you begin processing personal data and applies to all processing activities your organization undertakes. Therefore, complying with the right to be informed is a significant requirement under GDPR that your organization must ensure it meets.
Why Does the Right to Be Informed Exist?
A central principle of privacy is to inform users about which personal data you will process, the methods you will use, and the purposes behind it. Providing this information allows users to make an informed decision about whether they accept this processing.
The right to be informed is outlined in GDPR Articles 13 and 14.
Article 13 describes the requirements where personal data are collected from the data subject, for example, by sending information to draft a contract or by signing up for a newsletter.
Article 14 outlines the requirements where personal data have not been obtained from the data subject, but instead collected via other sources, such as a publicly available database.
The primary difference between direct and indirect collection lies in where the data comes from and when the information must be provided to the data subject to comply with the right to be informed.
Direct Collection of Personal Data (Article 13)
Article 13 covers situations where personal data is collected directly from the individual. This typically happens when someone voluntarily provides their information, for example, by filling out a contact form on a website, signing up for a newsletter, or purchasing a product.
In these cases, your organization must provide the individual with certain information at the time of collection, including:
- The purpose of the data processing
- Contact details of the data controller
- Recipients of the personal data
- Retention periods
- Information about the individual's rights, such as the right to access, correct, and delete data
Indirect Collection of Personal Data (Article 14)
Article 14 applies when personal data is collected from a source other than the individual themselves. This could occur when your organization obtains personal data through a third party—for example, from a public register of defaulters or health data for a scientific study.
In such situations, you must inform the individual within a reasonable timeframe, but no later than one month after receiving the data. The information provided should include the same elements as in direct collection but must also disclose the source of the personal data.
Right to Be Informed of Changes to the Processing of Personal Data
The right to be informed isn't limited to the initial collection of personal data. If you later wish to process the data for other purposes, you must also inform the individuals involved.
For example, if the processing of health data for a scientific study changes because you identify a business opportunity you wish to pursue, the nature of the data processing changes. You must treat the pursuit of this business opportunity as a new data processing activity, and the obligation to inform must be fulfilled anew.
This ensures continued transparency and gives individuals the opportunity to understand how their personal information is being used.
Checklist: The Right to Be Informed
While you can find all the requirements of the right to be informed in GDPR Articles 13 and 14, here is a checklist and an overview of how Articles 13, 14 and 30 relate to each other.
Note: There are significant overlaps between the obligations in Articles 13 and 14, but some differences depend on whether you collect personal data directly from the user or from other sources.
| Item | Description | Obligation to inform | RoPA Reference |
| --- | --- | --- | --- |
| Identity and Contact Details of Controller | Provide the name, address, and contact details of the data controller. | Article 13(1)(a); Article 14(1)(a) | Article 30(1)(a) |
| Contact Details of Data Protection Officer (DPO) | If a DPO has been appointed, their contact information must be provided. | Article 13(1)(b); Article 14(1)(b) | Article 30(1)(a) |
| Purpose and Legal Basis for Processing | Describe why personal data is being processed and the legal basis for it. | Article 13(1)(c); Article 14(1)(c) | Article 30(1)(b) |
| Legitimate Interests Pursued | Explain the legitimate interests if processing is based on them. | Article 13(1)(d); Article 14(2)(b) | Article 30(1)(b) |
| Categories of Personal Data | Specify the types of personal data being processed. | Article 14(1)(d) | Article 30(1)(c) |
| Recipients or Categories of Recipients | Inform who will receive the personal data if it is disclosed. | Article 13(1)(e); Article 14(1)(e) | Article 30(1)(d) |
| Transfers to Third Countries or Organizations | State if personal data is transferred outside the EU/EEA and the safeguards in place. | Article 13(1)(f); Article 14(1)(f) | Article 30(1)(e) |
| Retention Period or Criteria | Indicate how long personal data will be stored or the criteria used to determine this period. | Article 13(2)(a); Article 14(2)(a) | Article 30(1)(f) |
| Individual's Rights | Inform about the right to access, correct, delete, restrict processing, object, and data portability. | Article 13(2)(b); Article 14(2)(c) | Not applicable |
| Right to Withdraw Consent | Inform about the ability to withdraw consent at any time. | Article 13(2)(c); Article 14(2)(d) | Not applicable |
| Right to Complain to a Supervisory Authority | Inform about the right to lodge a complaint with a data protection authority. | Article 13(2)(d); Article 14(2)(e) | Not applicable |
| Obligation to Provide Data & Consequences | Explain if the individual is obliged to provide personal data and the consequences of not doing so. | Article 13(2)(e) | Not applicable |
| Source of Personal Data | Indicate where the personal data originates and if it came from publicly accessible sources. | Article 14(2)(f) | Not applicable |
| Automated Decision-Making & Profiling | Inform if automated decisions are made, their significance, and expected consequences. | Article 13(2)(f); Article 14(2)(g) | Not applicable |
| Purpose of Further Processing | If data will be processed for a new purpose, this must be communicated. | Article 13(3); Article 14(4) | Article 30(1)(b) (new purpose) |
Records of Processing Activities (RoPA)
Your Records of Processing Activities (RoPA) contain the information needed to fulfill the right to be informed.
The RoPA details all personal data processing activities your organization undertakes, together with the purpose of processing, deletion criteria, and similar details. You can use this information to make sure that you comply with the right to be informed for each processing activity and to create a privacy policy.
When you make changes to your RoPA, check that the information you provide to data subjects is still complete and accurate. Regularly updating your RoPA thereby becomes a tool that helps you keep up with your other obligations.
Communication Requirements
The GDPR also has requirements on how you fulfill the right to be informed (Article 12):
- Information must be provided in a concise, transparent, intelligible, and easily accessible form.
- Communication should be in clear and plain language, tailored to the audience, which is especially important when addressing children.
- The information should be provided in writing, preferably electronically. If requested by the data subject, you can also provide it verbally.
In short, your communication should be clear and not unnecessarily legalistic; it should be accessible to your target audience.
Benefits of Effective Communication
Complying with the right to be informed is not just about compliance, but also offers clear advantages for both your company and the individuals whose data you process. By transparently informing users, customers, and employees about how you handle their data, you make it easier for them to understand and accept your data processing activities.
This openness builds trust and strengthens the relationship between your company and its stakeholders. Additionally, the right to be informed helps your company keep track of its data processing methods, leading to better internal processes and making your data handling more efficient and secure.
The Right to Be Informed in Practice
With your RoPA in hand, you have much of the information needed to fulfill the right to be informed for each processing activity. For each activity, identify how you will communicate this information in practice: what method will you use to inform the individuals involved?
Ensure you have documentation proving you have met the obligation to inform. You can add a note about this to each processing activity in your records.
Typically, the right to be informed is fulfilled by creating a privacy policy that meets the requirements outlined in GDPR Articles 12, 13, and 14.
Privacy Policy
A Single Privacy Policy
For smaller organizations, it might be practical to consolidate all communication into a single privacy policy published on the website. By doing so, you can easily refer to it in email signatures, web forms, and other communications, making information about your data processing readily accessible.
Having one privacy policy means you only need to update a single document over time, simplifying the management of the right to be informed.
Multiple Privacy Policies
For medium to large organizations with numerous processing activities, consider creating multiple privacy policies to provide targeted information to different groups. For example, Bech Bruun uses three different privacy policies on their website for various purposes.
This approach benefits individuals by providing information that is more concise, transparent, and easily understood. It also makes it easier to manage the obligation to inform in complex organizations, as each policy has a clear purpose, simplifying maintenance.
Privacy Policy Templates
There are many privacy policy templates available online, and you can also look at other companies' privacy policies for inspiration, including our own privacy policy.
Ongoing Compliance
Organizations evolve over time, leading to changes in business processes and data processing activities. This means you must continuously reconsider and adjust how you comply with the right to be informed.
In larger organizations, changes in data processing are often identified when updating records, typically managed by employees responsible for specific business tasks (process owners). When these changes occur, it's an ideal time to review and update your communications related to the obligation to inform.
An Example: The Right to Be Informed
Let's conclude with an example:
A distribution company with 50 employees across two locations in Denmark needs a practical solution to comply with the obligation to inform under GDPR.
Due to limited resources, the company assigns GDPR compliance tasks to an HR employee, adding to their existing responsibilities.
The HR employee maps out all personal data processing activities, including data on employees, customers, and suppliers, and compiles a record of processing activities as required by GDPR Article 30.
Using information from the records and the checklist provided earlier, the HR employee drafts a privacy policy to meet the right to be informed.
Once completed, the privacy policy is published on the company's website at www.example.com/privacy-policy. Printed copies are also made available to drivers who register when delivering or collecting goods.
The HR employee decides to inform all staff about the obligation to inform at the next team meeting. During the meeting, the privacy policy is briefly presented, and employees are informed about the company's responsibility to notify individuals, such as drivers, about how their personal data is processed. Employees are instructed to refer customers and partners to the privacy policy if they have questions about data processing.
All employees now know to direct inquiries to the privacy policy on the website and can contact the HR employee for further questions. This awareness provides confidence among staff about handling such situations.
By integrating the right to be informed into existing processes and communicating clearly both internally and externally, the distribution company successfully complies with GDPR requirements.
Summary
This article has provided an understanding of the right to be informed under GDPR and the requirements for compliance. You now have a practical checklist of the information a privacy policy must include and have seen how a privacy policy can meet these obligations in practice.
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.