Information Provided at Data Collection

Information Provided at Data Collection

The information that must be made available to a Data Subject when data is collected has been strongly defined and includes;

  • the identity and the contact details of the controller and DPO
  • the purposes of the processing for which the personal data are intended
  • the legal basis of the processing.
  • where applicable the legitimate interests pursued by the controller or by a third party;
  • where applicable, the recipients or categories of recipients of the personal data;
  • where applicable, that the controller intends to transfer personal data internationally
  • the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
  • the existence of the right to access, rectify or erase the personal data;
  • the right to data portability;
  • the right to withdraw consent at any time;
  • and the right to lodge a complaint to a supervisory authority;

Importantly where the data has not been obtained directly from the data subject – perhaps using a 3rd party list – the list varies and includes:

  • From which source the personal data originate.
  • The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

There are some exceptions – notably where the effort would be disproportionate (although this is unlikely be a good justification in day to day circumstances) and, importantly, where the information has already been provided to the data subject.

This is likely to cause many headaches to marketers using multiple sources of third party data – and to those building such data products.