Situations requiring additional information
Beyond Articles 13/14, the GDPR triggers extra information duties in specific situations, whether or not the data came from the subject: data subject rights (especially the right to object, which must be presented clearly and separately), certain international transfers, processing for a new purpose, joint-controller arrangements (the essence of which must be made available), and personal data breaches. A recurring distinction is between actively providing information and merely making it available.
- Data subject rights: the right to object (legitimate interests / public-interest tasks, or direct marketing) must be explicitly brought to attention and presented clearly and separately from other information.
- International transfers: extra detail is owed where transfers rely on compelling legitimate interests (Art 49(1) second subpara), on consent (Art 49(1)(a) - including the risks of no adequacy/safeguards), or on binding corporate rules.
- New purpose: inform the subject of the new purpose plus relevant further information before further processing begins.
- Joint controllers: make the essence of the arrangement available; it must be obvious which controller fields enquiries.
- Personal data breaches: in some cases data subjects must be notified (covered in Chapter 10).
The duty to make available the essence of a joint-controller arrangement is weaker than the active duty to provide information under Articles 13/14. The right to object, by contrast, demands more - it must be explicitly brought to the attention of the data subject.