GDPR Articles 13 and 14 cover the information that is to be provided where personal data are collected from the data subject.
What it is
This is why companies update their Privacy Policy and/or Terms and Conditions to communicate all of the information a user needs to know about their data.
The data subject has the right to be informed about how their personal data is being used. The information should be provided upon collecting the data and includes (but is not limited to) the legal basis for the collection, the contact information for the controller, intent of transfer to other countries, recipients of the data, categories of data, and instructions for a data subject to invoke their rights. See the complete list.
Article 13 deals with the collection of data directly from the data subject. Article 14 deals with the indirect collection of data about the data subject (typically by a third party).
Why it is important for the Data Subject
This Right plays directly to the privacy principle of openness. The user has access to details to make informed decisions before handing over their data. The user can see why their data is collected, where it is being stored, and who is handling it.
Another key aspect is the ability to invoke a user’s rights. The information must include instructions on how a user can contact the DPO of an organization to access, rectify, or remove their data.
What it means to the organization
Before the data is collected, the organization must present all of these relevant details to the user. This is most commonly done with Terms and Conditions, or with a Privacy Policy. This could be achieved with a written contract or even an oral agreement as long as it is available to the user by request.
The organization will need to establish a process for data subjects to contact its Data Protection Officer (DPO) and a method to contact the company to invoke their rights. This can be provided electronically, by phone, or by mail. Keep in mind that the response needs to be provided within 30 days, which means that postal mail will slow that timeline down.
To automate and speed up this process, many companies create an email address along the lines of ‘privacy@CompanyName’ or a contact form on their policy page.
Note: The GDPR differentiates this right depending on whether the data was collected directly (Article 13) or indirectly (Article 14) from the data subject. If indirect, the processing organization does not need to stipulate whether the data is required as part of a contract, because the organization may not have that information. The direct collector does need to make this known.
Real world example
When signing on to a new music streaming service, the user is presented with a set of Terms and Conditions. Included in these terms is the information described above as part of the Right.
The music service collects credit card data for payment. This payment data is listed in the terms as a requirement to sign up.
The music service also uses a third-party payment service to process credit cards. The payment service has its own terms and conditions, including all the relevant contact information. The payment service does not need to mention that credit card numbers are a requirement, because the payment service receives that information indirectly from the user.