What is the “right to be informed” under EU data protection law?
Key points:
Data subjects have the right to be informed about the collection and use of any personal data about them. This is a key transparency requirement under EU data protection law.
Controllers must provide individuals with information including: purposes for processing personal data, retention periods for that personal data, and who it will be shared with.
Controllers must provide information to individuals at the time of collection. This is typically accomplished by notices.
If a controller obtains personal data from sources other than the data subject himself, it must provide the information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when controllers need not provide data subjects with the information about their practices, such as if an individual already has the information or if it would involve a disproportionate effort to provide it.
The information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
It is often most effective to provide information to people using a combination of different techniques including layering, dashboards, and just-in-time…
