Under the new GDPR legislation, there are 2 types of data about which you must give information to individuals:
- Data that you've obtained directly from an individual themselves
- Information that hasn't been obtained directly from the individual
For data obtained directly from the individual, you must supply:
- The name and contact details of the controller (and the representative and DPO, if you have one)
- The reason for the data being processed
- Details of recipients (or types of recipients) of the data
- Details of transfers to third countries and safeguards
- How long the data is kept for
- Details of the data subject's rights
- A statement that consent withdrawal is allowed at any time
- A statement that a complaint can be sent to a supervisory authority at any time
- Information on whether providing the data is mandatory and what the consequences of not providing the data are
All of the above (apart from advising if providing the data is mandatory) also needs to be included for data that hasn't been sourced from the individual directly, with the addition of categories of personal data and details of where the data was sourced from, and whether that source is publicly accessible.
This information needs to be presented in an easy-to-understand, accessible, and concise way. For data collected directly from the individual, the information must be supplied immediately. For data not collected directly from the individual, this should be supplied either within 1 month of obtaining the data, at the time it's used to communicate with the individual, or at the time that the data is disclosed to another recipient, whichever is sooner.