Article 11*

Article 11 – Information to the data subject

Go down to proposed amendment

Commission Proposal

1. Where personal data relating to a data subject are collected, Member States shall ensure that the controller takes all appropriate measures to provide the data subject with at least the following information:

(a) the identity and the contact details of the controller and of the data protection officer;

(b) the purposes of the processing for which the personal data are intended;

(c) the period for which the personal data will be stored;

(d) the existence of the right to request from the controller access to and rectification, erasure or restriction of processing of the personal data concerning the data subject;

(e) the right to lodge a complaint to the supervisory authority referred to in Article 39 and its contact details;

(f) the recipients or categories of recipients of the personal data, including in third countries or international organisations;

(g) any further information in so far as such further information is necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are processed.

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

3. The controller shall provide the information referred to in paragraph 1:

(a) at the time when the personal data are obtained from the data subject, or

(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection having regard to the specific circumstances in which the data are processed.

4. Member States may adopt legislative measures delaying, restricting or omitting the provision of the information to the data subject to the extent that, and as long as, such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned:

(a) to avoid obstructing official or legal inquiries, investigations or procedures ;

(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;

(c) to protect public security;

(d) to protect national security;

(e) to protect the rights and freedoms of others.

5. Member States may determine categories of data processing which may wholly or partly fall under the exemptions of paragraph 4.

EDRI’s proposed amendment

1. Where personal data relating to a data subject are collected, Member States shall ensure that the controller takes all appropriate measures to shall provide the data subject with at least the following information:

(a) the identity and the contact details of the controller and of the data protection officer;

(b) the purposes of the processing for which the personal data are intended;

(c) the period for which the personal data will be stored;

(d) the existence of the right to request from the controller access to and rectification, erasure or restriction of processing of the personal data concerning the data subject;

(e) the right to lodge a complaint to the supervisory authority referred to in Article 39 and its contact details;

(f) the recipients or categories of recipients of the personal data, including in third countries or international organisations;

(fa) where the controller processes personal data as described in Article 9(1), information about the existence of processing for a measure of the kind referred to in Article 9(1) and the intended effects of such processing on the data subject;

(fb) information regarding specific security measures taken to protect personal data;

(g) any further information in so far as such further information is necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are processed.

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

2a. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the data originate.

3. The controller shall provide the information referred to in paragraph 1:

(a) at the time when the personal data are obtained from the data subject, or

(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection having regard to the specific circumstances in which the data are processed.

4. Member States may adopt legislative measures delaying or, restricting or omitting the provision of the information to the data subject to the extent that, and as long as, such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned, based on a concrete and individual examination of each specific case:

(a) to avoid obstructing official or legal inquiries, investigations or procedures ;

(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;

(c) to protect public security;

(d) to protect national security;

(e) to protect the rights and freedoms of others.

5. Member States may determine categories of data processing which may wholly or partly fall under the exemptions of paragraph 4.

Justification

The change to paragraph 1 aligns the wording with the corresponding provisions in Article 14 of the proposed General Data Protection Regulation. Similarly, the new paragraph 2a mirrors Article 14(3) of the General Data Protection Regulation. There may be many cases in which the exception in paragraph could apply to providing this information, but it should be included as the general rule.

While it may be justified to delay or restrict the information given to data subjects, there is no reason to completely omit it – it can always be provided later. Think for example of a wiretapping order – while obviously, the data subject shouldn’t be informed immediately, there is no reason why she/he should not be informed after the investigations have come to an (unfruitful) end. In order to prevent controllers from simply asserting that the exceptions in paragraph 4 apply, they should be obliged to carry out individual examinations each time one of the exceptions is invoked. As “national security” is outside the scope of the Directive in any case, the exemption in paragraph 4 has no added value.

Paragraph 5, as drafted by the Commission, would allow Member States to completely exclude certain categories of data. In EDRi’s view, this possibility should be removed, as legitimate restrictions are already covered under paragraph 4.

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: