GUIDANCE: Information to be given

  • The right to information encompasses your obligation to provide ‘fair processing information’, typically through a data collection or privacy notice.
  • It emphasises the need for clarity and transparency over how you use personal data.

What information must be supplied?
The Law sets out the information that you should supply and when individuals should be informed.
The information you supply is determined by whether or not you obtained the personal data directly from individuals. If a processor obtains the personal data directly from the data subject on your behalf, it is as if you have obtained it directly from the data subject.

See the table below for further information on this.

The information you supply about the processing of personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

The table below summarises the information you should supply to individuals and at what stage.



When should we provide privacy information to individuals?

When you collect personal data from the data subject it relates to, you must provide them with privacy information at the time you obtain their data.

When you obtain personal data from a source other than the data subject it relates to, you need to provide the data subject with privacy information:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if the data is used to communicate with the individual, at the latest, when the first communication takes place; or
  • if disclosure to someone else is envisaged, at the latest, when the data is disclosed.

You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.

When collecting personal data from individuals, you do not need to provide them with any information that they already have.

When obtaining personal data from other sources, you do not need to provide data subjects with privacy information if:

  • the data subject already has the information;
  • providing the information to the data subject would be impossible;
  • providing the information to the data subject would involve a disproportionate effort;
  • providing the information to the data subject would prejudice the purpose for which the personal data is being processed;
  • the information or personal data must be kept confidential or secret to perform or comply with a duty imposed by law on the controller; or
  • you are required by law to obtain or disclose the personal data.

If you are using any of the above as a reason for not providing privacy information to a data subject, you must be able to justify use of or reliance upon that condition. This reasoning could be scrutinised by supervisory authorities if a complaint is made by a data subject.