Overview
This article requires organizations to give data subjects clear and transparent information at the time their personal data are collected from them. Data subjects must be told who is processing their data (the identity and contact details of the controller), for what purposes, and what rights they have over their personal data.
Key Principles
Transparency: Clearly communicate the identity of the controller and purposes of processing.
Data Subject Rights: Inform individuals about their rights, including access, rectification, and objection.
Clarity: Information must be easily understandable and accessible.
Timeliness: Information must be provided at the point of data collection.
Organizational Applicability
This article applies to every organization that collects personal data directly from data subjects in the EU/EEA:
Controllers collecting personal data from data subjects located in the EU/EEA, regardless of where the controller itself is established.
Public and private sector entities handling customer, employee, or user data.
Teams responsible for customer onboarding, forms, online registrations, or data collection points.
Implementation Requirements
Provide a privacy notice at the point of data collection.
Include information about the identity of the controller, purposes of processing, and data subject rights.
Ensure that information is clear, concise, and accessible.
Maintain records confirming that the required information was provided: keep each version of the privacy notice, the date range during which it was in use, and evidence of which version was shown at each collection point.
Implementation Guidance
Use standardized templates for consent forms, registration forms, and online collection mechanisms.
Train staff to communicate privacy information effectively to data subjects.
Review and update privacy notices regularly to reflect current processing practices.
Monitor compliance to ensure data subjects receive all required information at collection.
Periodic Review
Frequency: Annually, and whenever a new data collection process is introduced or the purposes of an existing process change.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Ensure data subjects are properly informed and privacy notices are up-to-date.
Non-Compliance Risks
Fines: Up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
Legal Exposure: Complaints, enforcement actions, or regulatory investigations.
Reputational Damage: Loss of trust from data subjects and stakeholders.
Operational Risk: Collection points that must be reworked or suspended once a missing or outdated notice is discovered, and data collected without proper notice that may have to be deleted.