GDPR Information notices, a few things you need to know

Here is the list of GDPR information notices that you must mandatorily provide before collecting personal data

GDPR information notices are among the mandatory mentions that are important to comply with. Indeed, they will demonstrate whether an organization is in compliance or not with the European regulation.

We will see the list of information to be provided before looking at a practical example.

I - The List of Information to Provide to be Compliant with the GDPR

The information to be provided to individuals whose personal data is being collected are as follows:

  • The identity and contact details of the data controller and, where applicable, the data controller’s representative.
  • Where applicable, the contact details of the data protection officer;
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • Where the processing is based on Article 6(1)(f), the legitimate interests pursued by the data controller or by a third party;
  • The recipients or categories of recipients of the personal data, if any;
  • Where applicable, the fact that the data controller intends to transfer personal data to a third country or international organization, and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47, or Article 49(1) second paragraph, the reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

Additionally, the following supplementary information:

  • The duration for which the personal data will be stored, or if that is not possible, the criteria used to determine that duration;
  • The existence of the right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing as well as the right to data portability;
  • Where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • The right to lodge a complaint with a supervisory authority;
  • Information as to whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data;
  • The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Note that the data controller is not required to provide these information if a person has already been informed once.

II - A Practical Example of GDPR Notices

Here is a practical example of an information notice:

Registration allows you to download the guide and receive communications on GDPR compliance as well as our product and service offers; the legal basis is Article 6.1.a of the European regulation on the protection of personal data (consent); the recipients of data are the data controller, its internal services in charge of the mailing list management, the subcontractor operating the web server management (Dupond Durand), as well as any legally authorized person to access the data (judicial services, if applicable). The duration of data processing is limited to the time you are registered for our communication services, it being understood that you can withdraw your consent and unsubscribe at any time by clicking on the unsubscribe link at the bottom of each email. The server on which the mailing list is hosted is hosted by Durand Durand, which implies that your data may be transferred outside the EU under Article 46.2.d of the GDPR – Durand Durand having provided the adequate protection clauses on the model established and approved by the European Commission. You can find more information about these clauses here: https://durand.durand. You have the right to request the data controller access to personal data, rectification or erasure of such data, or a limitation of the processing concerning the data subject, or the right to object to the processing and the right to data portability. The data controller is SARL Dupont Dupont. You also have the right to lodge a complaint with a supervisory authority. Providing your email is necessary to receive the aforementioned communications and is entirely optional.