The basis of fair handling of personal data is the data subject’s knowledge of what is happening with his or her data. Especially when the data processing depends on the consent of the data subject, it is essential that the data subject is informed. A free and autonomous decision can only be made if all information relevant to the decision-making process is available.
For the collection of personal data, Art. 13 f. GDPR therefore oblige the controller to provide certain information to the data subject. What you have to consider and what the information obligations include in detail can be found in the following overview.
Name and contact details of the controller
“Controller” is whoever determines the purposes and means of the processing of personal data. Any natural or legal person, public authority, agency or other body can be a controller.
Contact information should include at least the name, an address and a practical means of communication (e.g.: email address, PO box address).
In the case of scientific research, a distinction must be made as to whether the researcher him/herself (e.g.: students, professors, scientific staff) or a higher-level institution (e.g.: university, chair) decides on the purposes and means of the processing. This depends in particular on the existence of a specific right to issue instructions. If the researcher is bound by instructions due to his or her employment relationship, the person issuing the instructions has the final authority to decide on the data processing and is thus the controller.
Contact details of the data protection officer
If you belong to an institution that has appointed a data protection officer, their contact details (e.g.: email address, PO box) must be provided.
Data Protection Officer of the University of Mannheim
Phone: +49 621 181-1126
The data subject must be informed of the data being processed, the manner in which it is processed and the purpose of the processing. From this, the data subject must be able to sufficiently identify the scope and extent of the processing.
The data subject must be able to form a concrete picture of how the data concerning him or her will be used in a specific case on the basis of the information provided.
Identification of the data
The data subject must be given a clear, comprehensible and complete explanation of what personal data are being processed.
Examples include address or contact data collected for the survey, such as email address, IP address, name or telephone number; data on socio-demographic background, such as occupation, age, origin or place of residence; or substantive survey data, such as preferences, interests, assessments, evaluations or behaviours.
Method of processing
The data subject must be able to assess from the information provided what actions will be taken with the data based on consent.
The description of the manner of processing can be guided by the forms of processing set out in the GDPR: collection, recording, organising, structuring, storing, adapting, modifying, retrieving, consulting, using, disclosing, transmitting, disseminating, making available, comparing, linking, restricting, erasing, destroying.
Purpose of the processing
On the basis of the information provided, the data subject must be able to identify the specific purpose of the data processing in order to be able to make his or her consent dependent on it.
For data processing for scientific research purposes, it is possible to grant the so-called “broad consent”. This means that the requirements for information regarding the purpose for scientific research purposes are already met if a sufficiently specific area of research is named.
Legal basis of data processing
The legal basis on which the data processing rests must be stated. At a minimum, the specific provision, e.g. Art. 6 I lit. a) GDPR, must be named.
If you base the processing on legitimate interests within the meaning of Art. 6 I lit. f) GDPR, you must also describe the legitimate interests of the controller or of a third party in addition to the legal basis.
Necessity/obligation to provide data
You must point out that the provision of data by the data subject is voluntary.
If there is an obligation to provide data or if the data subject will suffer disadvantages if the data is not provided, you must also point this out.
Data recipient (optional)
If the purpose of the processing requires the disclosure of the data to third parties, you must identify them. Recipients may be any natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not they are third parties.
The term is to be understood comprehensively and also includes commissioned data processors, employees and sub-organisations.
An abstract description of the categories of recipients is sufficient for the information obligation. As a result, the data subject must be able to assess who has access to the data concerning him or her.
Transfer to a third country (optional)
If you intend to transfer the data to a state outside the European Union or to an international organisation, you must inform the data subject about this. You should also seek the advice of the relevant data protection officer.
If the duration of the data storage is already known at the time the information is provided, this must be communicated. If this is not yet foreseeable, the criteria for deciding on the storage period must be communicated.
In the area of scientific research, the requirements of good scientific practice regularly demand the archiving of research data, which can result in an exceptionally long storage period. In this case, it is advisable to anonymize any personal data as soon as possible.
Rights of the data subject
The data subject must be informed of his or her rights under Articles 15-21 of the GDPR. In principle, they are entitled to the following rights:
- Right of access by the data subject according to Art. 15 GDPR
- Right to rectification according to Art. 16 GDPR
- Right to erasure according to Art. 17 GDPR
- Right to restriction of processing according to Art. 18 GDPR
- Right to data portability under Art. 20 GDPR
- Right to object under Art. 21 GDPR
- Right to lodge a complaint with a supervisory authority under Art. 77 GDPR
A standardised legal notice is sufficient.
If you base the processing on consent, you must inform the data subject that consent can be withdrawn at any time, without affecting the lawfulness of the processing carried out on the basis of that consent before its withdrawal.
In addition to the provision of the withdrawal information, the actual possibility of withdrawal must also be given. The withdrawal must be as simple as giving consent. Accordingly, a communication channel for the withdrawal must be provided which corresponds to that of the granting of consent.
If you wish to base further processing on another legal basis in the event of a withdrawal of consent, you should also inform the data subject of this, naming the specific legal basis.
Example wording: “We would like to inform you that in the event of a withdrawal, the further processing of your data may be legitimised by the legal basis of the [name specific legal basis], so that the data will continue to be processed on the basis of this legal basis despite your withdrawal.”