This provision relates to transparency and the information given to the affected party: it requires the controller to provide certain information to data subjects when collecting their personal data.
Definition
Excerpt
When personal data is obtained from the data subject, the data controller may comply with the duty of information established in Article 13 of Regulation (EU) 2016/679, providing the data subject with the basic information referred to in the following section and indicating an electronic address or other means that allow easy and immediate access to the remaining information.
The basic information referred to in the previous section must contain, at least:
a) The identity of the data controller and his representative, if applicable.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the data subject were to be processed for profiling, the basic information will also include this circumstance. In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on them or significantly affect them in a similar way, when this right occurs in accordance with the provisions of article 22 of Regulation (EU) 2016/679.
When the personal data has not been obtained from the data subject, the data controller may comply with the duty of information established in article 14 of Regulation (EU) 2016/679 by providing the data subject with the basic information indicated in the previous section, indicating an electronic address or other means that allow easy and immediate access to the remaining information. In these cases, the basic information will also include:
a) The categories of data subject to treatment.
b) The sources from which the data came.
Related cases
Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.
Predase Servicios Integrales SL was fined by the Spanish Data Protection Agency (AEPD) for breaching Article 13 of the GDPR. The company was found to be non-compliant as it did not have a privacy policy and failed to provide any information on data processing in the contact section of its website, which required users to provide their personal data.