The GDPR states that businesses must provide data subjects with the following information:
- The identity (legal entity) and contact details of the controller and, where applicable, of its representative.
- The contact details of the data protection officer, where applicable.
- The purposes for which the data are intended to be processed and the legal basis for the processing.
- If the processing is based on Article 6(1)(f) of the GDPR, the legitimate interest pursued by the business or by a third party.
- The recipients or categories of recipients of the personal data, if any.
- If the business intends to transfer the data outside of the EU or to an international organisation, information about the appropriate or suitable safeguards in place to secure the data and the means by which to obtain a copy of them.
- The period that the personal data will be stored, or the criteria used to determine that period.
- The existence of the individual’s rights of access, rectification, erasure, restriction of processing, objection to processing and data portability.
- If processing is based on the individual’s consent, the existence of the right to withdraw that consent at any time.
- The right to lodge a complaint with the supervisory authority.
- If providing personal data is a statutory or contractual requirement, the individual must be informed of their obligation to provide the data and of the consequences of failing to do so.
- The existence of automated decision-making or profiling, including meaningful information about the logic involved and the significance and envisaged consequences of that processing for the individual.
The GDPR gives member states limited rights to maintain, adapt or introduce more specific provisions regarding compliance with a legal obligation and the performance of a task carried out in the public interest or in the exercise of official authority. In the UK this is done through the Data Protection Act 2018.