Right to information

This is the information that you have to receive

Does an organisation use your personal data? Then the organisation will have to let you know what the organisation is going to do with your personal data and why. In the privacy law, the General Data Protection Regulation (GDPR), you can find which information organisations have to provide in any case. Such as:

• how the organisation can be reached (contact details);
• which personal data the organisation processes;
• why the organisation does this (for which purpose exactly) and if this is allowed (on which legal basis from the GDPR);
• whether the organisation shares data with or sells data on to other organisations and if so, which organisations;
• how long the organisation retains the data.

For the complete list of information to be provided by organisations, see: For organisations: a good privacy statement.

Additional information

In some situations, the organisation has to give you additional information. How much additional information you are entitled to depends on:

• Your expectations: is the use of your personal data by an organisation different from what you may reasonably expect? This may be a reason why an organisation has to give you more information.
• How an organisation receives your data: does an organisation receive your personal data not directly from you, but through another organisation? Then you are entitled to more information.
• The consequences for you: how much information you are entitled to also depends on how great the consequences of the use of your personal data are for you.
• The nature of your data: the more sensitive the personal data that an organisation uses of you, the more reason to inform you in detail about this.

This is the way in which you have to receive the information

When and how an organisation has to inform you depends on how the organisation obtains your personal data. The organisation may obtain your data:

• from you yourself;
• from another organisation.

The organisation obtains your data from you yourself

Does the organisation obtain your personal data from you? Then the organisation has to inform you before you pass on your data to the organisation. For example: if you fill in a form, the organisation may include the information on the form. Do you enter your data on the website of the organisation? Then a clear reference to the online privacy statement of the organisation is enough.

The privacy statement should not be too long and should not be complicated. It must be easy for you to understand what the organisation does with your personal data. So that you can decide if you want to share your personal data with that organisation.

Are you unable to find the privacy statement? Is information missing? Or is the statement too long and complicated? Ask yourself then if you really want to share your personal data with that organisation. There may be other organisations that provide the same product or service and that are transparent.

Do you not have the option to choose a different organisation? Then contact the organisation and indicate that you are entitled to good information about the use of your data. When doing so, you can also refer to the information on this website.

The organisation receives your data from another organisation

Does the organisation receive your data from another organisation? Then the organisation will have to inform you at the time the organisation records your data. How the organisation has to do this depends on how large the group of people is whose data were passed on to the organisation.

• Does it concern a small group of people? Then the organisation will have to inform you and the others personally.
• Does it concern a large group of people? Then it will be enough if the organisation gives information through a paper or a magazine, for example. But in that case, the organisation has to reach all people in the group. As not everyone has a subscription to a national newspaper or receives a free local paper, an advertisement in these papers is not enough.

You are not always entitled to information

An organisation does not have to inform you about the use of your data in the following situations:

• you have already been informed;
• disproportionate effort;
• substantial interest.

You have already been informed

An organisation does not have to inform you if you are already aware of the information. It is not enough if the organisation only has the suspicion that you are aware already. The organisation has to be sure that you are. But the organisation may assume that you are aware if the organisation has sent or issued the information to you. In that case, the organisation does not have to check if you have actually read the information

Disproportionate effort

Does an organisation receive your data through another organisation? Then the organisation does not have to inform you about this in all cases. It may take the organisation a disproportionate effort to reach you. For example, if it would take the organisation a lot of time to find out your address.

In that case, the organisation has to record the origin of your data. It could also be that the other organisation has already informed you about the transfer of your data. Then you already know that the organisation may use your data.

Substantial interest

An organisation does not have to inform you if it has a substantial interest in not doing so. For example, if it is necessary not to inform you and in this way prevent, detect or prosecute criminal offences. Or protect the rights and freedoms of others.

For organisations: obligation to provide information under the GDPR

Under the General Data Protection Regulation (GDPR), you have an obligation to provide information. This means that you are obliged to inform people clearly about what you do with their personal data and why.

The GDPR says that you, in principle, have to provide the information about your processing operations in writing. The best way to be sure that most people can easily find you information is publishing an online privacy statement. In addition, you may deploy other means to make the contents of your privacy policy accessible. Such as displaying pop-ups with an explanation with every request for consent. Or using icons or a video.

Tip: The EDPB’s Data Protection Guide for SMEs provides a handy checklist with tips on how to handle privacy requests. 

For organisations: a good privacy statement

The GDPR sets a number of specific requirements to a privacy statement. These requirements pertain to the contents, the accessibility, and the clarity of the information. You must always provide the following information in your privacy statement:

• The identity and contact details of your organisation. And also of your representative in the European Union (EU), if you have one.
• The contact details of the Data Protection Officer (DPO), if your organisation has one.
• The purposes of processing and the legal basis under the GDPR. Do you rely on a legitimate interest? Also state on which interest you rely.
• The (categories of) recipients of the personal data.
• Whether you intend to transfer the personal data outside the EEA or to an international organisation. And if so, on which legal basis you do this.
• The retention period of the data.
• The privacy rights of the data subjects, such as the right of access, the right to rectification, and the right to removal of data.
• The right of the data subjects to withdraw the consent given for a specific processing at any time.
• That the data subjects can submit a complaint to the data protection authority. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA).
• Whether the data subjects are obliged to provide the personal data. And if so, why. Also state what the consequences are if they do not provide the data.
• Whether you use automated decision-making, including profiling. And if so, how you take decisions.
• If you have received the data from another organisation: the source from which the personal data originate. And whether the data originate from public sources.

Form of the privacy statement

Tip: to make the information in your privacy statement as accessible as possible, you can draw up the statement in multiple layers.

For example:

• In the first layer, you indicate in brief who the responsible organisation is, how it can be reached, and which personal data have the greatest impact on the persons concerned.
• In the second and third layers of the privacy statement, you can indicate in more detail which personal data you process for which purpose and how people can exercise their rights.

Clear language

The information about the data processing must be concise, transparent and understandable. That is why you have to use clear and simple language. This means, among other things: be brief and to the point, avoid jargon, and place yourself in the reader's shoes.

Do you address children under the age of 16? Or do you know that children use your services a lot? Then you have to adjust the choice of words, tone and style of the information. To ensure that the children know that this information is intended for them and that they can understand the information.

Duty of accountability

The GDPR provides for a duty of accountability. This means that you have to be able to demonstrate to the Dutch DPA that you meet the requirements of the GDPR. You must be able to show, among other things, that you have informed people properly about the processing of their personal data. You can use your privacy statement for this purpose.