Article 14(1)

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information, after the particulars pursuant to Article 13a have been provided:

• (a) the identity and the contact details of the controller and, if any, of the controller's representative, of the data protection officer;
• (b) the purposes of the processing for which the personal data are intended, as well as information regarding the security of the processing of personal data, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and where applicable, information on how they implement and meet the requirements of point f of Article 6(1);
• (c) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
• (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject to object to the processing of such personal data, or to obtain data;
• (e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
• (f) the recipients or categories of recipients of the personal data;
• (g) where applicable, that the controller intends to transfer the data to a third country or international organisation and on the existence or absence of an adequacy decision by the Commission, or in case of transfers referred to in Article 42, Article 43, or point (h) of Article 44(1), reference to the appropriate safeguards and the means to obtain a copy of them;
• (ga) where applicable, information about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the data subject;
• (gb) meaningful information about the logic involved in any automated processing;
• (h) any further information which is necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected or processed, in particular the existence of certain processing activities and operations for which a personal data impact assessment has indicated that there may be a high risk;
• (ha) where applicable, information whether personal data was provided to public authorities during the last consecutive 12-month period.

Article 14(2)

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is mandatory or optional, as well as the possible consequences of failure to provide such data.

Article 14(2a)

2a. In deciding on further information which is necessary to make the processing fair under 1(h), controllers shall have regard to any relevant guidance under Article 38.

Article 14(3)

3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the specific personal data originate. If personal data originates from publicly available sources, a general indication may be given.

Article 14(4)

4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

• (a) at the time when the personal data are obtained from the data subject or without undue delay where the above is not feasible; or
• (aa) on request by a body, organization or association referred to in Article 73;
• (b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a transfer to another recipient is envisaged, and at the latest at the time of the first transfer, or, if the data are to be used for communication with the data subject concerned, at the latest at the time of the first communication to that data subject; or
• (bb) only on request where the data are processed by a small or micro enterprise which processes personal data only as an ancillary activity.

Article 14(5)

5. Paragraphs 1 to 4 shall not apply, where:

• (a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or
• (b) the data are processed for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Articles 81 and 83, are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and the controller has published the information for anyone to retrieve; or
• (c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests, considering the risks represented by the processing and the nature of the personal data; or
• (d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of other natural persons, as defined in Union law or Member State law in accordance with Article 21.
• (da) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by Union or Member State law or to a statutory obligation of secrecy, unless the data is collected directly from the data subject.

Article 14(6)

6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's rights or legitimate interests.

Article 14(7)

7. (deleted)

Article 14(8)

8. (deleted)

[Source: October 2013]

Article 14(1) [Amended: October 2013]

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:

• (a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
• (b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
• (c) the period for which the personal data will be stored;
• (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;
• (e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
• (f) the recipients or categories of recipients of the personal data;
• (g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;
• (h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

Article 14(2) [Amended: October 2013]

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

Article 14(3) [Amended: October 2013]

3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.

Article 14(4) [Amended: October 2013]

4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

• (a) at the time when the personal data are obtained from the data subject; or
• (b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.

Article 14(5) [Amended: October 2013]

5. Paragraphs 1 to 4 shall not apply, where:

• (a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or
• (b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or
• (c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
• (d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.

Article 14(6) [Amended: October 2013]

6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.

Article 14(7) [Deleted: October 2013]

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized-enterprises.

Article 14(8) [Deleted: October 2013]

8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]

Chapter II General rules on the lawfulness of the processing of personal data

Section IV Information to be given to the data subject

Article 10 Information in cases of collection of data from the data subject

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

• (a) the identity of the controller and of his representative, if any;
• (b) the purposes of the processing for which the data are intended;
• (c) any further information such as
  • - the recipients or categories of recipients of the data,
  • - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
  • - the existence of the right of access to and the right to rectify the data concerning him
  in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

Chapter II General rules on the lawfulness of the processing of personal data

Section IV Information to be given to the data subject

Article 11 Information where the data have not been obtained from the data subject

Article 11(1)

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

• (a) the identity of the controller and of his representative, if any;
• (b) the purposes of the processing;
• (c) any further information such as
  • - the categories of data concerned,
  • - the recipients or categories of recipients,
  • - the existence of the right of access to and the right to rectify the data concerning him
  in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

Article 11(2)

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.