Lexicon > Right to information

IT Glossary

Right to information

The right to information about the processing of personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:

In contrast to the other rights set out above, the right to information is a passive right that does not require an express exercise by the data subject with the controller.

Indeed, under the right to information, the data controller must provide the data subject with a certain amount of information at the time of the collection of his/her data or, when they are not collected directly from him/her:

  • Within a reasonable period of time of less than one month after obtaining the data ;
  • If the data are to be used for the purpose of communicating with the data subject, no later than the time of the first communication to the data subject;
  • If it is intended to disclose the information to another recipient, at the latest when the data is disclosed for the first time.

In particular, the controller must provide the data subject with the following categories of information:

  • His identity and contact information and, if applicable, his representative;
  • If applicable, the contact details of the data protection officer;
  • The purposes of the processing for which the data are intended and the legal basis;
  • If applicable, the legitimate interests pursued;
  • Data Recipients;
  • If applicable, the fact that he/she intends to perform a transfer of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision, the reference to appropriate or adequate safeguards and the means of obtaining a copy or where they have been made available;
  • The length of time the data will be retained or, where this is not possible, the criteria used to determine this length of time;
  • The existence of the right to request access to personal data, rectification or erasure of the same, or a limitation of the processing relating to the data subject, or the right to object to the processing and the right to data portability;
  • Where processing is based on consent, the existence of the right to withdraw consent at any time;
  • The right to lodge a complaint with a supervisory authority;
  • Information on whether the requirement to provide the data is statutory or contractual or whether it is a condition for the conclusion of a contract and whether the data subject is obliged to provide the data, as well as on the possible consequences of not providing the data;
  • The existence of automated decision-making, including profiling, and, relevant information about the underlying logic and the significance and intended consequences of such processing for the data subject.

Finally, where the controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with prior information about that other purpose.


The principle of transparency requires that any information provided to the public or the person concerned be concise, easily accessible and easily understood, and formulated in clear and simple terms and, where appropriate, illustrated with visual elements. This information could be provided in electronic form, for example via a website when it is addressed to the public. This is particularly true in situations where the multiplication of actors and the complexity of the technologies used make it difficult for the data subject to know and understand whether personal data about him or her is being collected, by whom and for what purpose, as in the case of online advertising. Because children deserve special protection, all information and communication, where treatment concerns them, should be in clear and simple terms that the child can easily understand.

Recital 58 of the GDPR

Point of jurisprudence

The CNIL reminds us that ” Information on retention periods is among the information that must be provided in this case, as it ensures fair and transparent processing of the personal data concerned. For example, information on retention periods allows data subjects to know how long the data are kept by the controller and, consequently, how long they can exercise their right of access “.

CNIL, June 14, 2021, N° SAN-2021-008

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.