Article 14
Information to be provided where personal data have not been obtained from the data subject
There is no recital in the Regulation related to article 14.
(39) Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party;
(40) Whereas, however, it is not necessary to impose this obligation of the data subject already has the information; whereas, moreover, there will be no such obligation if the recording or disclosure are expressly provided for by law or if the provision of information to the data subject proves impossible or would involve disproportionate efforts, which could be the case where processing is for historical, statistical or scientific purposes; whereas, in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration;
Regulation
Art. 14 1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) the categories of personal data concerned; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; (c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; (e) the right to lodge a complaint with a supervisory authority; (f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 3. The controller shall provide the information referred to in paragraphs 1 and 2: (a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; (b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or (c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed. 4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. 5. Paragraphs 1 to 4 shall not apply where and insofar as: (a) the data subject already has the information; (b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; (c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or (d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. |
Directive
Art. 11 Information where the data have not been obtained from the data subject 1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing; (c) any further information such as - the categories of data concerned, - the recipients or categories of recipients, - the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject. 2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards. |
Germany
Section 19a (1) If data are collected without the data subject's knowledge, he/she is to be informed of storage, of the controller's identity and of the purposes of collection, processing or use. The data subject is also to be notified of the recipients or categories of recipients of data, except where he/she must expect transfer to such recipients. When transfer is envisaged, notification is to be provided at the time of the first transfer at the latest. (2) Notification shall not be required if 1. the data subject has received knowledge by other means of the storage or transfer of the data, 2. notification of the data subject would require disproportionate effort or 3. the law expressly provides for storage or transfer of the personal data. The controller shall stipulate in writing under what conditions notification shall not be provided in accordance with Nos. 2 or 3 above. (3) Section 19 (2) to (4) shall apply mutatis mutandis.
Section 33 (1) If personal data are stored for the first time for one’s own purposes without the data subject's knowledge, the data subject shall be notified of such storage, the type of data, the purposes of collection, processing or use and the identity of the controller. If personal data are stored commercially without the data subject's knowledge for the purpose of transfer, the data subject shall be notified of their initial transfer and of the type of data transferred. In the cases covered by the first and second sentences above, the data subject shall also be notified of the categories of recipients, in so far as he/she cannot be expected to assume transfer to such recipients according to the circumstances of the individual case concerned. (2) Notification shall not be required if 1. the data subject has received knowledge by other means of the storage or transfer of the data, 2. the data are stored merely because they may not be erased due to legal statutory or contractual provisions on their preservation or exclusively serve purposes of data security or data protection control and notification would require disproportionate effort. 3. the data must be kept secret in accordance with a legal provision or by virtue of their nature, in particular on account of an overriding legal interest of a third party, 4. the law expressly provides for such storage or transfer, 5. storage or transfer is necessary for the purposes of scientific research and notification would require disproportionate effort, 6. the relevant public body has stated to the controller of the filing system that publication of the data would jeopardize public safety or order or would otherwise be detrimental to the Federation or a Land, 7. the data are stored for one’s own purposes and a) are taken from generally accessible sources and notification is unfeasible on account of the large number of cases concerned or b) notification would considerably impair the business purposes of the controller of the filing system, unless the interest in notification outweighs such impairment, or 8. the data are stored commercially for the purpose of transfer and a) are taken from generally accessible sources in so far as they relate to those persons who published these data or b) the data are compiled in lists or otherwise combined (Section 29 (2), No. 1 (b) of this Act) and notification is unfeasible on account of the large number of cases concerned, 9. data taken from generally accessible sources stored commercially for purposes of market or opinion research and notification would not be feasible due to the large number of cases con-cerned. The controller shall stipulate in writing under what conditions notification shall not be provided in accordance with sentence 1, Nos. 2 to 7. |