GDPR information notices are among the mandatory statements an organization must get right, because they are one of the first things that show whether the organization complies with the European regulation or not.
We first list the information that must be provided, then look at a practical example.
I - The List of Information to Provide to be Compliant with the GDPR
The information to be provided to individuals whose personal data is being collected is as follows:
- The identity and contact details of the data controller and, where applicable, the data controller’s representative;
- Where applicable, the contact details of the data protection officer;
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- Where the processing is based on Article 6(1)(f), the legitimate interests pursued by the data controller or by a third party;
- The recipients or categories of recipients of the personal data, if any;
- Where applicable, the fact that the data controller intends to transfer personal data to a third country or international organization, and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47, or Article 49(1) second paragraph, the reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
Additionally, the following supplementary information must be provided:
- The duration for which the personal data will be stored, or if that is not possible, the criteria used to determine that duration;
- The existence of the right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing as well as the right to data portability;
- Where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Information as to whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data;
- The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Note that the data controller is not required to provide this information where the person concerned already has it.
II - A Practical Example of GDPR Notices
Here is a practical example of an information notice:
Registration allows you to download the guide and receive communications on GDPR compliance as well as our product and service offers; the legal basis is Article 6.1.a of the European regulation on the protection of personal data (consent); the recipients of the data are the data controller, its internal services in charge of managing the mailing list, the subcontractor operating the web server (Dupond Durand), as well as any person legally authorized to access the data (judicial services, if applicable). The duration of data processing is limited to the time you are registered for our communication services, it being understood that you can withdraw your consent and unsubscribe at any time by clicking on the unsubscribe link at the bottom of each email. The server on which the mailing list is hosted is operated by Durand Durand, which implies that your data may be transferred outside the EU under Article 46.2.d of the GDPR – Durand Durand having provided the adequate protection clauses on the model established and approved by the European Commission. You can find more information about these clauses here: https://durand.durand. You have the right to request from the data controller access to your personal data, rectification or erasure of such data, or a restriction of the processing concerning you, as well as the right to object to the processing and the right to data portability. The data controller is SARL Dupont Dupont. You also have the right to lodge a complaint with a supervisory authority. Providing your email is necessary to receive the aforementioned communications and is entirely optional.