GDPR: Access to Personal Data (13-15)

In our next iteration of the GDPR series, let’s take a look at articles 13, 14, and 15 and see how these will apply to each of us. These three pertain to the data collected from a data subject, data collected from a third party or other organization that isn’t the data subject, and the rights of data subjects over their personal data.

Article 13: Information to be Provided where Personal Data are Collected from the Data Subject

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time the data are obtained, provide the data subject with:

  1. The identity and contact details of the controller or controller’s representative
  2. Contact details of the data protection officer, where applicable
  3. The purpose for the processing and legal basis
  4. Where processing is based on point (f) of Article 6, the legitimate interests pursued by the processor
  5. Recipients, or categories of recipients, of the personal data, if any
  6. If applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence, or absence of, an adequacy decision by the Commission.

In addition to the above information, the controller shall also provide the data subject, at the time of obtaining the data, with the following information:

  1. The period for which the personal data will be stored, or criteria used to determine that period
  2. Existence of the right to request from the controller access to, and rectification or erasure of, personal data. This includes the option to object to the processing of the data subject’s data.
  3. The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing or data portability
  4. The right to lodge a complaint with a supervisory authority
  5. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide.
  6. The existence of automated decision-making, including profiling, the logic involved, and the consequences of such processing.

Where the controller intends to process the data for a purpose other than for which it was originally intended, the controller shall provide the data subject, prior to that further processing, with formal notice and the ability to opt-out of such processing.

The above paragraphs do not apply where the data subject already has the information the data controller is required to provide.

Article 14: Information to be Provided where Personal Data have not been obtained from the Data Subject

Where personal data have not been obtained from the data subject directly, the controller shall provide the data subject with the following:

  1. The ID and contact details of the controller and their representative, if applicable
  2. The contact details of the data protection officer, where applicable
  3. The purpose of the processing for which the personal data are intended and the legal basis
  4. The categories of personal data concerned
  5. The recipients or categories of recipients of the personal data, if any
  6. If applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence, or absence of, an adequacy decision by the Commission.

In addition to the above information, the controller shall also provide the following information:

  1. The period for which the personal data will be stored
  2. The legitimate interests pursued by the controller or the third party
  3. The existence of the right of the data subject to request from the controller access to, rectification, erasure of, and objection to the processing of their personal data, as well as data portability.
  4. The existence of the right to withdraw consent at any time without affecting the lawfulness of processing
  5. The right to lodge a complaint with a supervisory authority
  6. From which source the personal data originated and if it came from a publicly accessible source
  7. The existence of automated decision-making, the logic used in that decision making, and the consequences of that process

The controller shall provide the above information:

  1. Within a reasonable period after obtaining the personal data, but no later than one month after obtaining that data, depending on the circumstances
  2. If personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject
  3. If a disclosure to another recipient is envisaged, at the latest when personal data are first disclosed

Where the controller intends to further process the personal data for a purpose that is not the originally intended purpose for which the data were obtained, the controller shall provide the data subject with the additional purpose prior to the additional processing.

The above criteria do not apply if:

  1. The data subject already has the information
  2. The provision of such information proves impossible or would involve a disproportionate effort subject to conditions and safeguards referred to in Article 89. In this scenario, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
  3. Obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s interests
  4. Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15: Rights of Access by the Data Subject

The data subject has the right to obtain, from the controller, confirmation as to whether or not their personal data are being processed, access to the personal data, and the following information:

  1. The purpose of the processing
  2. The categories of personal data
  3. The recipients or categories of recipient to whom the personal data have been, or will be, disclosed. In particular, recipients in third countries or international organizations.
  4. Where possible, the envisaged period for which the personal data will be stored, or criteria for determining this
  5. The existence of the right to request from the controller rectification or erasure of personal data, or to object to the processing of that data
  6. The right to lodge a complaint to a supervisory authority
  7. The available source of the personal data not collected directly from the data subject
  8. The existence of automated decision-making, the logic used in that decision making, and the consequences of that process

Where personal data are transferred to a third country or international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller shall be allowed to charge a reasonable fee based on administrative costs. If the request is made electronically, the information shall be provided in a commonly used electronic format (such as Excel).

The right to obtain a copy of data referred to above shall not adversely affect the rights and freedoms of others.

How does this apply to me and you?

These articles might apply more to us than any previous articles we’ve looked at, since they outline the rights that we, the data subjects, have over our information. We are allowed to obtain the information pertaining to the identity of the data controller, contact details of the data controller, the purpose of the collected data and reason for processing, the recipients of the data, and whether the controller intends to send the information to other countries. The controller must also provide us with information about the period for which the data is being processed, and the existence of our right to opt in to, and likewise opt out of, that processing. All three articles contain the same rights we have the ability to exercise. In addition to the rights mentioned above, 14 tells us we’re also entitled to information about the source of the collected data (since it didn’t come from us) and whether there is any sort of automated decision making going on that uses our data. Article 15 explains the same rights as the two prior, but adds that the controller can charge a reasonable fee for requesting data if there are repeat requests from a data subject.

For the most part, each article contains similar information with some small differences. Article 13 pertains specifically to instances that involve data collected from a data subject. Article 14 pertains to data about a data subject that wasn’t collected directly from that data subject, as it is in 13. Article 15 outlines the rights of data subjects in the regulation, which match closely to 13 and 14. If you read through 13, you’ll have a good idea of what 14 and 15 say.

HARVEY AND ROSS

When looking back at the example seen in our earlier articles, Harvey has plenty of rights to his data that Ross is required to provide. Article 13 specifically applies to this situation because Harvey’s information was collected directly from him. He has the right to request info about the data controller, the purpose of the processing, the period of time, the existence of the right to withdraw consent, and the others listed in 13 and 15 above. Luckily, Ross already included all of this information in the documents Harvey signed before they started the data collecting. Harvey gave consent and was informed of all his rights, so he knew what he could do. There wasn’t any fault on either side, in my opinion, since Ross communicated everything in 13 and 15 to Harvey before he consented. The situation the two are in doesn’t pertain to any lack of documentation, just an unfortunate instance where Ross forgot to disclose everything that was happening to Harvey’s data… Or did he…?

