GDPR Right to be Informed: A Comprehensive Guide
The GDPR's Right to be Informed is more than just providing information; it's about delivering the right information. Businesses can view this as an opportunity to gain customer trust, meet GDPR requirements, and stand out as transparent leaders. This guide will walk you through the steps to comply with GDPR's transparency obligations, turning a potential challenge into an advantage.
What is the GDPR Right to be Informed?
The Right to be Informed puts into practice Article 5(1)(a), the transparency principle. GDPR requires businesses to communicate information about personal data processing in simple, easy-to-understand language. This information must also be concise and easily accessible. This is why you often see organizations providing a hyperlink to their privacy policy in the footer or other prominent areas of their website. It empowers individuals to understand:
- What data is being collected and processed
- The reasons for data collection
- How long data will be kept
- Potential risks users should be aware of
- Their rights regarding their data
Here's a quick overview of the rights data subjects have under GDPR:
- Right to be informed
- Right to access
- Right to be forgotten
- Right to restriction of processing
- Right to data portability
- Right to rectification
- Right to objection
- Rights related to automated decision-making and profiling
Legal Basis for the Right to be Informed
Articles 12, 13, and 14 of the General Data Protection Regulation form the legal foundation for European citizens' Right to be Informed. Here is a brief explanation of each article:
Article 12
This article outlines the data controller's responsibilities when providing privacy information to individuals. Businesses must facilitate EU citizens' exercise of their data subject rights. All communications to data subjects must be clear, understandable, brief, and free of jargon. It sets a standard one-month timeframe to respond to data subject requests, extendable by two months if necessary, provided the data subject is promptly notified. Requests must be properly verified and fulfilled free of charge unless they are clearly baseless or excessive.
Article 13
Article 13 enumerates the information businesses must provide to data subjects when collecting data directly from them. This information should typically be included in your privacy policy and covers details like:
- Business name and contact information
- Purposes and legal basis for processing
- Legitimate interests (if applicable)
- Recipients of the collected data
- Details of international data transfers (if applicable)
It also clarifies that if an individual's personal data will be used for a different purpose than initially stated, this must be clearly communicated to them before processing begins.
Article 14
This article mandates that data controllers provide specific information to data subjects when personal data is obtained from sources other than the individual themselves (e.g., from business partners or external data providers). Essential details to disclose for transparency and GDPR compliance include the sources from which the data was obtained and whether it will be subject to automated decision-making. This information must be provided no later than one month after obtaining the data, or at the time of the first communication if used to contact the data subject. If the personal data will be shared with other parties, the data subject must be informed as soon as the sharing occurs.
Key Information Businesses Must Provide Under GDPR
Transparency and accountability are crucial for GDPR compliance. Here is a list of key information businesses must provide to meet their GDPR obligations. Consulteo also offers resources on creating a comprehensive GDPR privacy policy.
1. Identity and Contact Information
Organizations must clearly state the name and contact details of the data controller and, if applicable, the data protection officer. This allows individuals to contact the controller for exercising their rights or for other reasons. Non-EU companies must also provide details of their representative in the EU. Note that live chats or contact forms alone do not meet the GDPR's requirement for sufficient contact details.
2. Categories and Purpose of Processing
Specify the types of personal data collected, their sources, and the purposes for processing, including the appropriate legal bases. If the legal basis is legitimate interest, clearly state the exact purpose. See an example from a privacy policy below:
[Image: example of a purpose and legitimate interest section from a privacy policy]
3. Data Sharing
Detail who you share personal data with (the recipients of the personal data), including potential international transfers to third countries or international organizations, any adequacy decisions relied upon, and the security measures implemented.
4. Data Retention Period
Inform data subjects about how long the organization will retain their data or the criteria used to determine storage duration. Personal data cannot be stored indefinitely; businesses must ensure data is stored only for a reasonable period.
5. GDPR Rights
Include information about the existence of rights granted by GDPR, such as the right to access, rectification, erasure, restriction, objection, and data portability. You must also clearly state that individuals have the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.
6. Consequences of Not Providing Information
If processing personal data is necessary for a contract or legal obligation, you must inform data subjects about the consequences of not providing the required personal information.
7. Automated Decision Making
If personal data will be used for automated decision-making, including profiling, provide essential information about the logic involved, its significance, and its potential impact on individuals.
How to Deliver GDPR-Compliant Privacy Notices
Consider the following crucial elements when providing a GDPR-compliant privacy notice:
- The privacy notice must be provided free of charge.
- It must be prominently displayed and easily accessible.
- Avoid overly technical jargon.
- Use clear, simple, and plain language.
- Employ a layered approach for easy navigation.
- Where possible, use standard icons in machine-readable formats.
- Privacy notices must be provided in writing or by other suitable means.
- If a request is made electronically, the information must be provided in the same format unless the data subject requests otherwise.
- Offer multi-language options for wider comprehension.
Best Practices for GDPR Compliance
Implement Privacy by Design
Embed privacy by design in every aspect of your data processing operations. This includes technical and organizational security safeguards, role-based access, employee training, encryption, meeting transparency and consent requirements, and fulfilling data subject requests.
Provide a Privacy Policy
Publish a GDPR-compliant privacy policy that includes all relevant information according to GDPR guidelines. Many organizations struggle with drafting policies that are both comprehensive and easy to understand. SaaS solutions like privacy policy generators can simplify this process with pre-built templates. Consulteo provides a user-friendly, free privacy policy generator that quickly creates a GDPR-aligned privacy policy specifically tailored to your data handling practices and the Right to be Informed.
Implement a Consent Management Platform
Managing consent can be one of the most challenging aspects of GDPR compliance. Without the right tools, deploying geo-specific consent banners, tracking consents, managing consent records, and updating preferences can become an administrative burden.
[Image: customized cookie banner example]
An efficient Consent Management Platform (CMP) like Consulteo can be a valuable asset for businesses on their GDPR journey. Our tool is designed to help businesses seamlessly collect, manage, and document user consent. It also improves user experience by respecting user choices and providing transparent control over their data.
Honour Data Subject Rights
Establish convenient and user-friendly mechanisms for individuals to exercise their data subject rights. Ensure your team and systems are capable of managing and responding to typical request volumes, including access, rectification, and erasure. Respond to these requests within 30 days to demonstrate your commitment to transparency.
Exemptions to Provide Information Under GDPR
As a business, you are not always required to provide information under GDPR. Here are specific exemptions that may apply:
- The data subject already possesses the information (Articles 13 & 14).
- The collection or disclosure of personal data is legally required (Article 14).
- It is impossible or requires disproportionate effort to inform the data subject (Article 14), particularly for processing carried out for:
  - Archiving purposes in the public interest
  - Scientific or historical research purposes
  - Statistical purposes
Examples and Case Studies
Real-world examples of non-compliance with GDPR's Right to be Informed illustrate common pitfalls and their consequences, emphasizing the importance of transparency with data subjects.
Example #1: Uber Technologies
In 2023, the Dutch DPA fined Uber 10 million Euros for non-compliance with information obligations. The penalty highlighted two major shortcomings:
- While a facility existed for drivers to access their personal data, it was not easily accessible.
- Responses to drivers' access requests were excessively challenging and difficult to understand.
Example #2: Black Tiger Belgium
In 2024, the Belgian DPA issued a fine of 174,640 Euros after finding that the company processed personal data without complying with information obligations under GDPR. The case stemmed from a data subject's complaint about the organization not complying with their access request.
Example #3: Hiper Store
The Spanish DPA imposed a 500 Euro fine on Hiper Store for failing to inform data subjects about CCTV surveillance on its premises.
FAQ on GDPR Right to be Informed
What does the GDPR right to be informed entail?
The Right to be Informed under GDPR requires businesses to be transparent about how they collect, process, and store personal data. This information must be presented in a concise, clear, and understandable manner.
What is the difference between Articles 13 and 14 under GDPR?
Article 13 of GDPR covers the information required when collecting personal data directly from individuals. Article 14 applies when data is collected from indirect sources.
What happens if personal data is processed for purposes not disclosed initially?
GDPR mandates that businesses provide timely updates to users whenever the purpose of data processing changes. Failure to do so can lead to legal risks, non-compliance penalties, and a loss of customer trust.