Information to be provided when personal data have not been obtained from the data subject
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
the identity and contact details of the controller and, where appropriate, of the controller's representative;
where applicable, the contact details of the data protection officer;
The processing purposes for which the personal data are intended, and the legal basis for the processing;
the categories of personal data involved;
where applicable, the recipients or categories of recipients of the personal data;
where appropriate, that the controller intends to transfer the personal data to a recipient in a third country or to an international organization; whether or not there is an adequacy decision by the Commission; or, in the case of transfers referred to in Article 46, Article 47 or Article 49(1), second subparagraph, what the appropriate or suitable safeguards are, how to obtain a copy of them or where to consult them.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information in order to ensure proper and transparent processing in respect of the data subject:
The period for which personal data will be stored, or if that is not possible, the criteria for determining that period;
the legitimate interests of the controller or of a third party, if the processing is based on Article 6(1)(f);
that the data subject has the right to request from the controller access to and rectification or erasure of personal data or restriction of the processing concerning him, as well as the right to object to processing and the right to data portability;
where processing is based on Article 6(1)(a) or Article 9(2)(a), that the data subject has the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent before its withdrawal;
That the data subject has the right to lodge a complaint with a supervisory authority;
the source from which the personal data originate, and, where appropriate, whether they come from public sources;
the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information on the underlying logic, as well as the significance and expected consequences of such processing for the data subject.
The controller shall provide the information referred to in paragraphs 1 and 2:
within a reasonable time, but at the latest within one month of the acquisition of the personal data, depending on the concrete circumstances in which the personal data are processed;
if the personal data will be used for communication with the data subject, no later than the time of the first contact with the data subject; or
if provision of the data to another recipient is contemplated, no later than the time the personal data are first provided.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data have been obtained, the controller shall, prior to such further processing, provide the data subject with information on that other purpose and any relevant further information referred to in paragraph 2.
Paragraphs 1 through 4 do not apply if and to the extent that:
the data subject already has the information;
the provision of such information proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving in the public interest, scientific or historical research or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or to the extent that the obligation referred to in paragraph 1 of this Article is likely to make the achievement of the purposes of such processing impossible or would seriously jeopardize it. In such cases, the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including disclosure;
obtaining or providing the data is expressly required by Union or Member State law applicable to the controller and that law provides for appropriate measures to protect the data subject's legitimate interests; or
the personal data must remain confidential by virtue of professional secrecy under Union or Member State law, including a legal duty of confidentiality.
