What is the GDPR Right to be informed?

Under the General Data Protection Regulation (GDPR) which becomes law in every European Union member state at the end of this month, every individual has what is referred to as “the right to be informed”. This means that every EU citizen must be given access to the information that is held in their personal data file, how this information is being collected and what will be done with it.

When data is collected those whose data is requested must be informed and give their consent to what is being collected and how specifically it will be used.  If the way in which the data is used changes, they must be informed and a new consent signed if they agree to the change in data use.

Further, data subjects must receive this information in a manner that is understandable to them. That is to say that the information must be transparent, well organized, concise, accurate, and in a format and language they can understand.

What Information Should Data Subjects Receive?

Subjects have a right to know at the point when data is being collected:

  • The identity and contact information of the person(s) collecting the data
  • Information about their right to withdraw consent
  • Contact information about who oversees the data, processing, and storage.
  • Source of the data
  • Automated collection
  • Profiling
  • Decisions and decision makers regarding the data
  • Purpose for processing data
  • How data will be stored
  • How data will be used
  • How long data will be retained
  • How data will be shared and with whom

Personal data obtained from outside sources must be reported to the individual within a month of getting this data.

Information needs to be reviewed, modified and updated as needed.

Why Citizens Need the Right to Be Informed

Under the GDPR, every EU citizen has the right to control what parts of their personal information is shared, how, by whom and when.

What Does This Mean for Businesses?

Companies must be sure that what is being collected is clearly known to people and how this data is being used is legitimate. Privacy policies must clearly respect the right to be informed.