Obligation to inform the data subject when obtaining personal data from the data subject. Where the controller obtains personal data from the data subject, it shall provide the data subject with the following information at the same time: the identity and contact details of the controller and of his representative, if any; the contact details of the Data Protection Officer, if any; the purposes of the processing for which the personal data are intended and the legal basis for the processing; the legitimate interests of the controller or of the third party where the processing is based on a legitimate interest; the recipients or categories of recipients of the personal data, if any; the intention of the controller to transfer the personal data to a third country or an international organisation, if any; and the existence or absence of a Commission adequacy decision or, in the cases of transfers referred to in Articles 46 or 47 or Article 10(1)(a), the existence or absence of a Commission adequacy decision. 49(1), second subparagraph, of Regulation (EU) 2016/679, a reference to appropriate safeguards and means of obtaining a copy of the data or information on where the data have been disclosed. In addition, the controller shall at the same time provide the data subject with such further information where necessary to ensure fair and transparent processing: the period of time for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period; the existence of the right to request from the controller access to, rectification or erasure of, or restriction of, the personal data and to object to the processing, as well as the right to data portability; where the processing is based on consent, the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given prior to its withdrawal; the existence of a right to lodge a complaint with a supervisory authority; whether the provision of personal data is a legal or contractual requirement or a requirement to be included in a contract and whether the data subject is under an obligation to provide personal data, and the possible consequences of not providing such data; the fact that automated decision-making, including profiling, referred to in Art. 22(1) and (4) of Regulation 2016/679, and, at least in those cases, meaningful information regarding the process used as well as the significance and foreseeable consequences of such processing for the data subject. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, it shall provide the data subject with prior information about that other purpose and the relevant additional information referred to above. The controller shall not provide information to the extent that the data subject is already aware of it.

Informing the data subject if the personal data have not been obtained from him or her. Where the controller has not obtained the personal data from the data subject, the controller shall subsequently provide the data subject with the following information: the identity and contact details of the controller and of his representative, if any; the contact details of the Data Protection Officer, if any; the purposes of the processing for which the personal data are intended and the legal basis for the processing; the categories of personal data; the recipients or categories of recipients of the personal data, if any; the intention of the controller to transfer the personal data to a third country or an international organisation, if any; and the existence or absence of a Commission adequacy decision or, in the cases of transfers referred to in Articles 46 or 47 or Article 10(1)(a), the existence or absence of a Commission adequacy decision. 49(1), second subparagraph, of Regulation (EU) 2016/679, a reference to appropriate safeguards and means of obtaining a copy of the data or information on where the data have been disclosed. In addition, the controller shall at the same time provide the data subject with such further information where necessary to ensure fair and transparent processing: the period of time for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period; the legitimate interests of the controller or of a third party where the processing is based on a legitimate interest; the existence of the right to request access to, rectification or erasure of the personal data from the controller or, where applicable, restriction of the processing and to object to the processing, as well as the right to data portability; where the processing is based on consent, the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given prior to its withdrawal; the existence of the right to lodge a complaint with a supervisory authority; the source of the personal data and, where applicable, information on whether the data originate from publicly available sources; the fact that automated decision-making, including profiling, referred to in Article 4(1)(b) of Directive 95/46/EC, is involved. 22(1) and (4) of Regulation 2016/679 and, at least in those cases, meaningful information concerning the process used as well as the significance and foreseeable consequences of such processing for the data subject. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, it shall provide the data subject with prior information about that other purpose and the relevant additional information referred to above. The information shall be provided at the latest within 1 month of its acquisition, at the first communication for which the data are used, before the first disclosure of the data to another recipient. The controller shall not provide information to the extent that the data subject is already aware of it. Information shall not be provided where it is not possible without undue effort or would substantially impede the achievement of the purpose of the processing, or where the processing and the measures for the protection of the data subject are required by law or are subject to an obligation of confidentiality.

The right to access your personal data. The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed. If so, he or she has the right to obtain access to that personal data and to the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period; the existence of the right to request the controller to rectify or erase personal data concerning the data subject or to restrict or object to processing; the right to lodge a complaint with a supervisory authority; any available information on the source of the personal data, unless obtained from the data subject; the fact that automated decision-making, including profiling, as referred to in Article 2(1)(a) of Directive 95/46/EC, is taking place. 22(1) and (4) of Regulation (EU) 2016/679; and, at least in those cases, meaningful information concerning the procedure used as well as the significance and foreseeable consequences of such processing for the data subject. In case of transfer to a third country or an international organisation, the data subject shall have the right to be informed of appropriate safeguards.

Notification of rectification, erasure or restriction of the processing of personal data. The controller shall notify the individual recipients to whom the personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 of Regulation (EU) 2016/679, except where this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of such recipients if the data subject so requests.

Creation of a record of personal data processing activities by the data controller. The controller (its representative) shall keep a record of the personal data processing activities for which it is responsible and shall provide it to the supervisory authority (the Data Protection Authority) upon request. A controller with fewer than 250 employees shall not comply with this obligation if the processing is occasional, low-risk and does not involve sensitive (Articles 9 and 10 of Regulation 2016/679) data. The record for each processing activity shall include the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; the purposes of the processing; a description of the categories of data subjects and categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; information on any transfer of personal data to a third country or international organisation, including the identification of that third country or international organisation and, where applicable, the demonstration of appropriate safeguards; where possible, the envisaged time limits for erasure of each category of data; where possible, a general description of the technical and organisational security measures.