Article 12 of the GDPR defines some key principles of transparency and presents some guidelines for how and when individuals should be informed about their rights and how their information will be processed. The right to be informed can be broadly split into two areas use cases depending on whether you collected the data yourself or if the data was obtained through other means.
How to present this information?
You can include this information at the bottom of forms, in the footers of emails, or you can use our landing page builder to point data subjects to it for all the relevant information on how their data will be used and how they can exercise their rights under GDPR. Here's an example of such a landing page: https://lp-eu.geckoform.com/demo/gdpr
When to show this information?
If you collected the data yourself:
The relevant article for this scenario is Article 13. If you capture someone's details yourself you need to inform them of the information above at the point when the data is obtained, typically through a privacy statement. There are a few different approaches you could take:
- Example 1: include a separate page on your form with all of the relevant information neatly presented, like in this example here.
- Example 2: include a privacy statement at the bottom of your form, like in this example here.
- Example 3: have a shorter privacy statement with a short URL to your full privacy info page, like in this example here.
Our personal recommendation is to be as transparent as possible and adopt an approach similar to example 1 above.
If an agent is collecting the data on your behalf
If an agent is collecting information on your behalf and it will be going directly into your system, you simply need to adjust the privacy statement to mention the identity of the agent and their right to act on your behalf.
If your agent will use their own processing tools before sharing the data with you, the privacy notice will need altering to reflect that.
If you did not collect the data yourself
If you acquired the data by other means than collecting it yourself, you would need to comply with Article 14. The main provisions are similar to the above although you would need to include additional information about the categories of data shared with you and the source of the information. You are not required to ask for consent at this stage if prior consent to share the data with you was obtained. You need to inform the data subjects about the fact that you have obtained their information at the point when you first contact them or within 30 days, whichever is sooner.
The easiest way to manage this would be by setting up a workflow that will message all data subjects at the point when the data is imported into your system.
Any questions? Feel free to start a live chat with a member of our support team or explore the rest of our academy at your leisure.