Artikkel 14
. Information to be provided where personal data have not been obtained from the data subject

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering

Det finnes ingen fortaletekst i forordningen relatert til art. 14.

Vis direktivets fortaletekst relatert til art. 14 keyboard_arrow_down Skjul direktivets fortaletekst relatert til art. 14 keyboard_arrow_up

(39) Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party;

(40) Whereas, however, it is not necessary to impose this obligation of the data subject already has the information; whereas, moreover, there will be no such obligation if the recording or disclosure are expressly provided for by law or if the provision of information to the data subject proves impossible or would involve disproportionate efforts, which could be the case where processing is for historical, statistical or scientific purposes; whereas, in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration;

GDPR

In its Article 14, the Regulation reinforces the obligations to provide information when the data were not collected from the data subject, while extending the general exceptions.

The obligatory elements of information already presented in the Directive are diversified: the information given should serve to identify the possible delegate to the data protection and the legal basis and indicate the purpose of processing or the legitimate interests on which the controller is processing data. Other mandatory information includes the will to make a transfer of data to a recipient in a third country or an international organization, the lack of decision on adequacy of the level of protection or, if appropriate, the appropriate or adequate safeguards provided and the ways to obtain a copy. The obligation to notify the other elements of information is necessary to ensure "fair and transparent processing" which should change nothing in substance.

On the other hand, the elements of information are more numerous.

Now it also includes in particular the period of data storage, or at least the elements allowing for determining it, the identification of the legitimate interests in case of lawfulness based on a balance of interests, rights and freedoms (Art. 6 (1), f) of the Regulation), the existence of all the rights recognized to a person (including for example the right to data portability or withdrawal of consent), and the right to lodge a complaint with a supervisory authority. And finally, the sources that the data come from, including the sources that are publicly available are covered.

Where appropriate, the existence of any automated decision-making including profiling under Articles 22 (1) and (4) as well as significant information of the underlying logic and consequences of the processing for the data subject shall also be notified.

The Regulation also specifies that the controller must provide this information to the data subject EITHER within a reasonable time not exceeding one month after the collection OR, if it is envisaged to provide the information to another person or to use the data for communication to the data subject, when the information is communicated for the first time at the latest.

Where appropriate, the changes of the purposes for processing data against the initial purpose must also be notified which means, if appropriate, new information on all of the above elements.

Exceptions are provided for. The information must not be provided if the data subject already has the information, if proven to be impossible or would require disproportionate efforts. There are clarifications concerning processing for archiving purposes in the public interest as well as for scientific purposes, historical or statistical research.

Another exception is provided in the case of obtaining or communicating the information if subject to specific provisions in EU law or national law or if the data must remain confidential, subject to an obligation of professional secrecy in accordance with the EU law  or the law of a Member State.

Direktivet

Articles 10 and 11 of the Directive provided for an obligation to notify the data subject that was differently implemented depending on whether the data were collected directly from the data subject or from a third party.

Utfordringer

The difficulty results not so much from the large amount of information which should be taken into account, but from the uncertainty about their transmission to the data subject, as the great majority of these is conditioned by the need for "fair and transparent” processing. It is hard to say if, being in doubt, the controllers would opt for transparency or not. In particular if the content of some of the information could create difficulties (identification of legitimate interests, for example).

Forordning
1e 2e

Art. 14

1.   Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2.   In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.   The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4.   Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5.   Paragraphs 1 to 4 shall not apply where and insofar as:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

1. forslag close

Art. 14

1.           Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:

(a)     the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;

(b)     the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(c)     the period for which the personal data will be stored;

(d)     the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;

(e)     the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(f)      the recipients or categories of recipients of the personal data;

(g)     where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

(h)     any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

2.           Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

3.           Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.

4.           The controller shall provide the information referred to in paragraphs 1, 2 and 3:

(a)     at the time when the personal data are obtained from the data subject; or

(b)     where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.

5.           Paragraphs 1 to 4 shall not apply, where:

(a)     the data subject has already the information referred to in paragraphs 1, 2 and 3; or

(b)     the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or

(c)     the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or

(d)     the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.

6.           In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.

7.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized-enterprises.

8.           The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2. forslag close

Art. 14a

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information :

(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller shall also include the contact details of the data protection officer, if any;

(b) the purposes of the processing for which the personal data are intended as well as the legal basis of the processing.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information that is necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed (...):

(a) the categories of personal data concerned ;

(b) (...)

(c) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(d) the recipients or categories of recipients of the personal data;

(da) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation;

(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject and to object to the processing of such personal data as well as the right to data portability (...);

(ea) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(f) the right to lodge a complaint to a supervisory authority (...);

(g) from which source the personal data originate, unless the data originate from publicly accessible sources;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the data, but at the latest within one month, having regard to the specific circumstances in which the data are processed, or

(b) if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

3a. Where the controller intends to further process the data (...) for a purpose other than the one for which the data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1 to 3a shall not apply where and insofar as :

(a) the data subject already has the information; or

(b) the provision of such information (...) proves impossible or would involve a disproportionate effort ; in such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests; or

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests ; or

(d) (...);

(e) where the data must remain confidential in accordance with Union or Member State law (...).

5. (...)

6. (...)

Direktiv close

Art. 11

Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as

- the categories of data concerned,

- the recipients or categories of recipients,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

Art. 14

Informasjon som skal gis dersom personopplysninger ikke er blitt samlet inn fra den registrerte

1. Dersom personopplysninger ikke er blitt samlet inn fra den registrerte, skal den behandlingsansvarlige gi den registrerte følgende informasjon:

a) identiteten og kontaktopplysningene til den behandlingsansvarlige og eventuelt den behandlingsansvarliges representant,

b) kontaktopplysningene til personvernombudet, dersom dette er relevant,

c) formålene med den tiltenkte behandlingen av personopplysningene samt det rettslige grunnlaget for behandlingen,

d) de berørte kategoriene av personopplysninger,

e) eventuelle mottakere eller kategorier av mottakere av personopplysningene,

f) dersom det er relevant, at den behandlingsansvarlige har til hensikt å overføre personopplysninger til en mottaker i en tredjestat eller en internasjonal organisasjon og om hvorvidt Kommisjonen har truffet en beslutning om tilstrekkelig beskyttelsesnivå eller ikke, eller, når det gjelder overføringene nevnt i artikkel 46 eller 47 eller artikkel 49 nr. 1 annet ledd, en henvisning til nødvendige eller passende garantier, hvordan man får tak i et eksemplar av dem eller hvor de er gjort tilgjengelig.

2. I tillegg til informasjonen nevnt i nr. 1 skal den behandlingsansvarlige gi den registrerte følgende informasjon som er nødvendig for å sikre den registrerte en rettferdig og åpen behandling:

a) det tidsrom personopplysningene vil bli lagret, eller dersom dette ikke er mulig, kriteriene som brukes for å fastsette dette tidsrommet,

b) dersom behandlingen er basert på artikkel 6 nr. 1 bokstav f), de berettigede interessene som forfølges av den behandlingsansvarlige eller en tredjepart,

c) retten til å anmode den behandlingsansvarlige om innsyn i og retting eller sletting av personopplysninger eller begrensning av behandlingen som gjelder den registrerte, og til å protestere mot behandlingen samt retten til dataportabilitet,

d) dersom behandlingen er basert på artikkel 6 nr. 1 bokstav a) eller artikkel 9 nr. 2 bokstav a), retten til når som helst å trekke tilbake et samtykke uten at det påvirker lovligheten av en behandling basert på et samtykke før samtykket trekkes tilbake,

e) retten til å klage til en tilsynsmyndighet,

f) fra hvilken kilde personopplysningene stammer fra, og, dersom det er relevant, om de stammer fra offentlig tilgjengelige kilder,

g) forekomsten av automatiserte avgjørelser, herunder profilering, som nevnt i artikkel 22 nr. 1 og 4, og, i det minste i nevnte tilfeller, relevant informasjon om den underliggende logikken samt om betydningen og de forventede konsekvensene av en slik behandling for den registrerte.

3. Den behandlingsansvarlige skal gi informasjonen nevnt i nr. 1 og 2

a) innen en rimelig frist etter at personopplysningene er samlet inn, men senest innen én måned, idet det tas hensyn til de særlige forholdene som personopplysningene er behandlet under,

b) dersom personopplysningene skal brukes til å kommunisere med den registrerte, senest på tidspunktet for den første kommunikasjonen med vedkommende, eller

c) dersom det er planlagt at personopplysningene skal utleveres til en annen mottaker, senest når personopplysningene første gang utleveres.

4. Dersom den behandlingsansvarlige har til hensikt å viderebehandle personopplysningene for et annet formål enn det opplysningene ble samlet inn for, skal den behandlingsansvarlige før nevnte viderebehandling gi den registrerte informasjon om nevnte andre formål og annen relevant informasjon som nevnt i nr. 2.

5. Nr. 1–4 får ikke anvendelse dersom og i den grad

a) den registrerte allerede har informasjonen,

b) det viser seg umulig å gi nevnte informasjon eller det vil innebære en uforholdsmessig stor innsats, særlig i forbindelse med behandling for arkivformål i allmennhetens interesse, for formål knyttet til vitenskapelig eller historisk forskning eller for statistiske formål i henhold til vilkårene og garantiene nevnt i artikkel 89 nr. 1, eller i den grad forpliktelsen nevnt i nr. 1 i denne artikkel sannsynligvis vil gjøre det umulig eller i alvorlig grad vil hindre at målene med nevnte behandling nås. I slike tilfeller skal den behandlingsansvarlige treffe egnede tiltak for å verne den registrertes rettigheter og friheter og berettigede interesser, herunder gjøre informasjonen offentlig tilgjengelig,

c) innsamling eller utlevering er uttrykkelig fastsatt i unionsretten eller medlemsstatenes nasjonale rett som den behandlingsansvarlige er underlagt, og som inneholder egnede tiltak for å verne den registrertes berettigede interesser, eller

d) dersom personopplysningene må holdes konfidensielle som følge av taushetsplikt i henhold til unionsretten eller medlemsstatenes nasjonale rett, herunder en lovfestet taushetsplikt.

Gamle loven close

Pol. § 20 Informasjonsplikt når det samles inn opplysninger fra andre enn den registrerte

En behandlingsansvarlig som samler inn personopplysninger fra andre enn den registrerte selv, skal av eget tiltak informere den registrerte om hvilke opplysninger som samles inn og gi informasjon som nevnt i § 19 første ledd så snart opplysningene er innhentet. Dersom formålet med innsamling av opplysningene er å gi dem videre til andre, kan den behandlingsansvarlige vente med å varsle den registrerte til utleveringen skjer.

Den registrerte har ikke krav på varsel etter første ledd dersom

a) innsamlingen eller formidlingen av opplysningene er uttrykkelig fastsatt i lov,

b) varsling er umulig eller uforholdsmessig vanskelig, eller

c) det er på det rene at den registrerte allerede kjenner til informasjonen varslet skal inneholde.

Når varsling unnlates med hjemmel i bokstav b, skal informasjonen likevel gis senest når det gjøres en henvendelse til den registrerte på grunnlag av opplysningene.

close