The GDPR stipulates that all individuals have a right of access to their own data. Consequently, anyone implementing a personal data file or processing personal data is obliged to provide individuals with several types of information.
The right to information in the GDPR includes 12 items of information to be communicated, 6 of which are of a general nature, namely
- The identity and contact details of the data controller or his representative;
- The contact details of the Data Protection Officer, if applicable,
- The purposes of the processing,
- Where processing is based on Article 6, the legitimate interests pursued by the controller or by a third party;
- Any recipients of the data and, where applicable, whether the controller intends to transfer the data to a third country or to an international organisation; and
- The existence or absence of an adequacy decision issued by the Commission or, in the case of transfers under Articles 46, 47 and 49, the reference to the appropriate or adequate safeguards and the means of obtaining a copy or the place where they have been made available.
and 6 special, cumulative items of information necessary to guarantee the transparency of the processing operation:
- The retention period ;
- The existence of the right to request from the controller access to, rectification or erasure of personal data, or a restriction on the processing relating to the data subject or the right to object to the processing and the right to data portability;
- Where processing is based on Article 6(1) or 9(2), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of processing based on consent given prior to withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Information as to whether the requirement to provide personal data is of a regulatory or contractual nature or whether it is a condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data as well as the possible consequences of failure to provide such data.
- The existence of automated decision-making, including profiling, as referred to in Article 22, at least in such cases, useful information concerning the underlying logic and the significance of the expected consequences of such processing for the data subject.