The GDPR’s right to be informed is not just about providing information; it is about providing the right information, in the right way. Treat it as an opportunity to build trust with customers, meet the GDPR’s requirements and stand out as a transparent organisation. In this guide, we walk through the GDPR’s transparency obligations step by step.
What is the GDPR right to be informed?
The right to be informed puts the transparency element of Article 5(1)(a) (the principle of lawfulness, fairness and transparency) into practice. Controllers must provide information about their processing of personal data in clear and plain language, and that information must be concise and easily accessible. This is why organisations typically link their privacy policy from the website footer or another conspicuous place.
It lets individuals know what personal data is collected and how it is processed, the purposes and legal basis of the processing, the retention periods, the recipients of the data, the rights they have over their data, and more.
Here is a quick overview of data subject rights under the GDPR:
- Right to be informed
- Right to access
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to rectification
- Right to object
- Rights related to automated decision-making and profiling
Legal basis for the right to be informed
Articles 12, 13 and 14 of the General Data Protection Regulation establish the right to be informed. It applies to all data subjects whose data falls within the GDPR’s scope, not only EU citizens. Here is a quick breakdown of what each article covers.
Article 12
It sets out how a data controller must provide privacy information to individuals and requires controllers to facilitate the exercise of data subject rights.
All communications to data subjects must be concise, transparent, intelligible and easily accessible, using clear and plain language and avoiding jargon. It also sets one month from receipt as the standard time to respond to data subject requests. Where necessary, taking into account the complexity and number of requests, that period may be extended by two further months, but the data subject must be told about the extension, and the reasons for it, within the first month.
Additionally, a controller may request additional information to confirm the identity of the requester where it has reasonable doubts, and requests must be fulfilled free of charge unless they are manifestly unfounded or excessive.
Article 13
It lists the information that controllers must provide to data subjects at the time the personal data is collected from them. In practice, your privacy policy must contain these details about the processing.
The list includes, among others:
- Name and contact information of the business
- Purposes and lawful basis of processing
- Legitimate interests (if applicable)
- The recipients, or categories of recipients, of the personal data
- Details of cross-border transfers of personal data (if applicable)
Additionally, it clarifies that if the controller intends to further process the personal data for a purpose other than the one for which it was collected, it must inform the data subject of that new purpose before the further processing begins.
Article 14
Article 14 requires data controllers to provide specific information to data subjects when the personal data has not been obtained from the data subject directly, for example when it is obtained from business partners or external data providers.
In addition to the Article 13 information, the controller must disclose the source of the personal data (including whether it came from publicly accessible sources) and the categories of personal data concerned, as well as whether the data will be subject to automated decision-making.
The information must be provided within a reasonable period after obtaining the data and at the latest within one month; if the data is used to communicate with the data subject, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed. Whichever of these limits comes first applies.
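The Article 12 response period and the Article 14 notification limits both turn on month-based deadlines, and the awkward cases (a request received on the 31st, an extension that must be announced before the first month runs out, a first disclosure that falls before the one-month limit) are where deadlines get missed. The following is an added example, not code from the original page or from CookieYes; the function names, the sample dates and the end-of-month fallback (a period starting on 31 January ending on the last day of February) are assumptions made here, since the Regulation itself only says "one month".

```python
"""Statutory timing helpers for GDPR request handling and Article 14 notices.

Added example; not code from the original page. Function names, the
end-of-month convention and the sample dates are assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Return the same calendar day `months` later.

    If that day does not exist in the target month (31 Jan + 1 month), the
    period is taken to end on the last day of that month. This fallback is
    the convention assumed here; the GDPR itself only says "one month".
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class RequestDeadlines:
    """Deadlines for one data subject request under Article 12(3)."""
    received: date
    respond_by: date            # one month after receipt
    extension_notice_by: date   # an extension must be notified within that month
    extended_respond_by: date   # one month plus two further months, if extended


def request_deadlines(received: date) -> RequestDeadlines:
    one_month = add_months(received, 1)
    return RequestDeadlines(
        received=received,
        respond_by=one_month,
        extension_notice_by=one_month,
        extended_respond_by=add_months(received, 3),
    )


def is_overdue(received: date, today: date, extended: bool = False) -> bool:
    """True once the applicable Article 12(3) deadline has passed."""
    deadlines = request_deadlines(received)
    due = deadlines.extended_respond_by if extended else deadlines.respond_by
    return today > due


def article14_notice_by(
    obtained: date,
    first_contact: Optional[date] = None,
    first_disclosure: Optional[date] = None,
) -> date:
    """Latest date to inform the data subject about indirectly obtained data.

    Article 14(3): at the latest one month after obtaining the data; no later
    than the first communication with the data subject if the data is used
    for that; no later than the first disclosure to another recipient if
    disclosure is envisaged. The earliest applicable limit wins.
    """
    limits = [add_months(obtained, 1)]
    limits += [d for d in (first_contact, first_disclosure) if d is not None]
    return min(limits)


if __name__ == "__main__":
    # Constructed sample: an access request received on the last day of January.
    d = request_deadlines(date(2024, 1, 31))
    print("respond by", d.respond_by, "| if extended, by", d.extended_respond_by)
    print("overdue on 1 March without extension:",
          is_overdue(date(2024, 1, 31), date(2024, 3, 1)))
    # Constructed sample: data bought from a list broker, first contact planned
    # before the one-month limit, so the contact date governs.
    print("Art. 14 notice by",
          article14_notice_by(date(2024, 5, 3), first_contact=date(2024, 5, 20)))
```

A request received on 31 January 2024 must be answered by 29 February, or by 30 April if the extension was notified by 29 February; an Article 14 notice for data obtained on 3 May with a planned first contact on 20 May is due by 20 May, not 3 June. Wire `is_overdue` into whatever queue holds incoming requests so that the extension decision is made, and communicated, before the first month expires rather than discovered afterwards.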
Key information businesses must provide under GDPR
Transparency and accountability are paramount to GDPR compliance. Below is a list of key information that businesses must provide to comply with GDPR obligations. We have also published a detailed blog on creating a GDPR privacy policy from scratch.
#1 Identity and contact information
Organisations must clearly state the name and contact details of the controller and, where one has been appointed, of the data protection officer, so that individuals can reach the controller to exercise their rights or for any other reason. Controllers not established in the EU must also provide the details of their representative in the EU, where Article 27 requires one.
Live chats or contact forms alone do not constitute sufficient contact details under GDPR
#2 Categories and purpose of processing
Specify the categories of personal data collected, their sources and the purposes of the processing, together with the legal basis for each purpose. Where the legal basis is legitimate interests, state which legitimate interests are being pursued.
#3 Data sharing
State who you share personal data with (the recipients, or categories of recipients), including any intended transfers to third countries or international organisations. For such transfers, state whether an adequacy decision exists and, if not, which safeguards are relied on and how a copy of them can be obtained.
#4 Data retention period
Inform data subjects how long the organisation keeps the personal data or, where that is not possible, the criteria used to determine the retention period.
Personal data cannot be stored indefinitely. Under the storage limitation principle, it must be kept in a form that identifies individuals only for as long as necessary for the purposes of the processing.
#5 GDPR rights
State the existence of the rights granted by the GDPR, such as the rights of access, rectification, erasure, restriction of processing, objection and data portability. Where processing is based on consent, state that consent can be withdrawn at any time, and in all cases state the right to lodge a complaint with a supervisory authority.
#6 Consequences of not providing information
Where providing the personal data is a statutory or contractual requirement, or is necessary to enter into a contract, you must also tell data subjects whether they are obliged to provide it and what the consequences of not providing it are.
#7 Automated decision making
If personal data will be used for automated decision-making, including profiling, within the meaning of Article 22, you must disclose that fact along with meaningful information about the logic involved and the significance and envisaged consequences of such processing for the individual.
How to deliver GDPR-compliant privacy notices?
The following are the main points to consider when delivering a GDPR-compliant privacy notice:
- A privacy notice must be given free of charge
- It must be displayed conspicuously and made readily accessible
- Avoid using too much technical jargon
- Use clear, easy and plain language
- Try to use a layered approach so that it is easy to navigate through
- Use standardised icons where appropriate and, when presented electronically, make them machine-readable
- Provide the information in writing or by other means, including electronic means
- If a request is made electronically, the information must be provided in the same format unless the data subject requests otherwise
- Offer multi-language options to ensure wider comprehension
Best practices for GDPR compliance
Implement privacy by design
Embed privacy by design in every aspect of your data processing operations. This includes technical and organisational security safeguards, role-based access, employee training, encryption, meeting transparency and consent requirements, fulfilling data subject requests, and more.
Provide a privacy policy
Publish a GDPR-compliant privacy policy containing all the information the GDPR requires. Many organisations struggle to draft policies that are both comprehensive and easy to understand. SaaS solutions such as privacy policy generators can simplify the process with pre-built templates. CookieYes provides a user-friendly, free privacy policy generator that quickly creates a privacy policy aligned with the GDPR’s right to be informed, tailored to your data handling practices.
Implement a Consent Management Platform
Managing consent can be one of the trickiest parts of GDPR compliance. Without the right tools, deploying geo-specific consent banners, tracking consents, managing consent records, and updating preferences can become an administrative nightmare.
An efficient Consent Management Platform like CookieYes can be a valuable asset for businesses in their GDPR journey. Our tool is designed to enable businesses to collect, manage, and document user consent seamlessly. Moreover, it also enhances user experience by respecting user choices and providing them with transparent control over their data.
Honour data subject rights
Provide convenient and user-friendly mechanisms for exercising data subject rights. Ensure your team and systems can handle the typical volume of requests, including access, rectification and erasure. Respond within one month of receipt (or within the extended period where an extension has been notified in time), demonstrating your commitment to transparency.
Exemptions to provide information under GDPR
As a business, you are not always required to provide the information. The GDPR sets out specific exemptions that may apply to your organisation:
- The data subject already has the information (Articles 13 and 14)
- Obtaining or disclosing the personal data is expressly laid down by Union or Member State law that provides appropriate safeguards for the data subject’s legitimate interests (Article 14)
- Providing the information proves impossible or would involve a disproportionate effort (Article 14), in particular for:
  - Archiving purposes in the public interest
  - Scientific or historical research purposes
  - Statistical purposes
- The personal data must remain confidential under an obligation of professional secrecy regulated by Union or Member State law (Article 14)
Note that the exemptions for impossibility or disproportionate effort, legal obligation and professional secrecy apply only where the data was not obtained from the data subject. Where data is collected directly from the individual, the only exemption under Article 13 is that the data subject already has the information.
Examples and case studies
Real-world enforcement of the GDPR’s right to be informed highlights common pitfalls and their consequences, and underlines the importance of transparency towards data subjects.
Example #1: Uber Technologies
In 2023, the Dutch DPA fined Uber 10 million euros for non-compliance with its information obligations. The penalty highlighted two major shortcomings in Uber’s practices:
- Although the company provided a facility for drivers to access their personal data, it was not easily accessible.
- The responses to drivers’ access requests were overly complicated and difficult to understand.
Example #2: Black Tiger Belgium
In 2024, the Belgian DPA issued a fine of 174,640 euros after finding that the company had been processing personal data without complying with the information obligations under the GDPR. The case arose from a data subject’s complaint that the organisation had not complied with their access request.
Example #3: Hiper Store
The Spanish DPA imposed a fine of 500 euros on Hiper Store for not informing data subjects about the CCTV surveillance on its premises.
FAQ on GDPR right to be informed
What is the right to be informed under the GDPR?
The right to be informed requires businesses to be open about how they collect, process and store individuals’ personal data. This information must be given in a concise, clear and comprehensible manner.
What is the difference between Article 13 and Article 14?
Article 13 covers the information to be provided when personal data is collected directly from the individual, whereas Article 14 applies when the data is obtained from other sources.
What happens if the purpose of processing changes?
The GDPR requires businesses to inform individuals before processing their personal data for a purpose other than the one originally communicated. Failing to do so exposes the business to legal risk, non-compliance penalties and loss of customer trust.