The New European General Data Protection Regulation II: Information Rights

Author: María Bardají & Sascha Villoro

In our new installment on the GDPR we review the new requirements of the information controllers have to offer to the data subject. 

The information must be offered prior to the data processing. 

The Spanish Data Protection Agency instructs that the information is given in two different layers: a first layer, which contains very basic, simplified information, and a second one, which offers the rest of the information, in all its detail. This double layer system could be instrumented, for example, through a pop-up banner containing the basic information and a link to access to the second layer.

Below we present the information and level of detail that must be offered by the controller in each case, including what needs to be included when the personal data have been collected directly from the data user or from a third party.  


1st layer: Controller’s Identity.

2nd layer: Identity and contact details of the controller, its representative and the data protection officer.


1st layer: Purpose and legal basis for the data processing.

2nd layer: Additional information regarding the purpose; Retention period or criteria used to determine the retention period; Existence of automated decision making, incl. profiling, how decisions are made, significance and consequences.


1st layer: Legal grounds for the data processing

2nd layer: Legitimate interests; If the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data (the last one is not necessary when not obtained directly from the data subject).


1st layer: Whether or not are transfers are planned; Planned transfer to third countries.

2nd layer: Any recipient or categories of recipients; Details of transfers to third country and safeguards.


1st layer: The existence of data subject’s rights

2nd layer: How to exercise rights; The right to withdraw consent at any time, where relevant; The right to lodge a complaint with a supervisory authority.


1st layer: Source of the data when they haven´t been received directly by the Data Subject.

2nd layer: Categories of personal data; The source the personal data originates from and whether it came from publicly accessible sources (both not necessary when obtained directly from the data subject).

Next week we will be addressing various questions surrounding a new figure: the Data Protection Officer.

You can check out our previous articles on the GDPR here.

 related articles:

The New European General Data Protection Regulation: Consent To Data Processing

Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)

The New European General Data Protection Regulation IV: The Privacy Impact Assessment