PART 5: INFORMATION PROVISION

29. Providing information where Personal Data has been obtained from the Data Subject

(1) A Controller shall provide a Data Subject from whom it collects Personal Data with at least the following information, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, at the time of collecting the Personal Data to enable the Data Subject to assess the implications of providing his Personal Data:
(a) the identity and contact details of the Controller;
(b) the contact details of the DPO, if applicable;
(c) the purposes of the Processing, as well as its lawful basis under this Law;
(d) if the Controller's lawful basis for the Processing is legitimate interests or compliance with any Applicable Law to which the Controller is subject, the Controller shall state clearly what those legitimate interests or compliance obligations are;
(e) the categories of Personal Data relating to the Data Subject that are being processed;
(f) the recipients or categories of recipients of the Personal Data;
(g) where applicable, the fact that the Controller intends to transfer Personal Data to a Third Country or International Organisation, or in the case of transfers referred to in Articles 27(1)(a), 27(2)(b) or 27(3)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available; and
(h) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data is collected, to ensure fair and transparent Processing in respect of the Data Subject, including:
(i) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
(ii) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of Processing concerning the Data Subject or to object to Processing as well as the right to data portability;
(iii) where the Processing is based on the Data Subject's consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal;
(iv) the right to lodge a complaint with the Commissioner;
(v) whether the Personal Data is obtained pursuant to a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
(vi) if applicable, the existence of automated decision-making, including Profiling, and meaningful information about the logic involved, as well as the significance and the possible outcomes of such Processing for the Data Subject;
(vii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
(viii) whether the Personal Data will be used for direct marketing purposes; and
(ix) if the Controller intends to Process Personal Data in a manner that will restrict or prevent the Data Subject from exercising his rights to request rectification or erasure of Personal Data in accordance with Article 33, or to object to the Processing of the Personal Data in accordance with Article 34. In such cases, the Controller shall:
(1) include a clear and explicit explanation of the expected impact on such rights; and
(2) satisfy itself that the Data Subject understands and acknowledges the extent of any such restrictions.
(2) Article 29(1) shall not require a Controller to provide information the Data Subject already has.

30. Providing Information where Personal Data has not been obtained from the Data Subject

(1) Where Personal Data has not been obtained from the Data Subject, a Controller shall provide the Data Subject with at least the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language:
(a) the identity and contact details of the Controller;
(b) the contact details of the DPO, if applicable;
(c) the purposes of the Processing, as well as its lawful basis under this Law;
(d) the categories of Personal Data relating to the Data Subject that are being processed;
(e) the recipients or categories of recipients of the Personal Data;
(f) where applicable, the fact that the Controller intends to transfer Personal Data to a Third Country or International Organisation, or in the case of transfers referred to in Articles 27(1)(a), 27(2)(b) or 27(3)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available; and
(g) any necessary information regarding the specific circumstances in which the Personal Data is Processed, to ensure fair and transparent Processing in respect of the Data Subject, including:
(i) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
(ii) if the Controller's lawful basis for the Processing is legitimate interests or compliance with any Applicable Law to which the Controller is subject, the Controller shall state clearly what those legitimate interests or compliance obligations are;
(iii) notice of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of Processing concerning the Data Subject or to object to Processing as well as the right to data portability;
(iv) where the Processing is based on the Data Subject's consent, notice of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal;
(v) the right to lodge a complaint with the Commissioner;
(vi) the source from which the Personal Data was obtained; and
(vii) if applicable, the existence of automated decision-making, including Profiling, and meaningful information about the logic involved, as well as the significance and the possible outcomes of such Processing for the Data Subject.
(2) The Controller must provide the information referred to in Article 30(1):
(a) no longer than one (1) month from obtaining the Personal Data; or
(b) if the Personal Data is used for communicating with the Data Subject, no later than the first communication; or
(c) if a disclosure (including the making available for Processing) to a Processor or a Third Party is envisaged, no later than the time when the Personal Data is first disclosed.
(3) Article 30(1) shall not apply:
(a) to require the Controller to provide information the Data Subject already has;
(b) to require the provision of such information if it proves impossible or would involve a disproportionate effort.
(c) where disclosure is expressly required by a Requesting Authority or an Applicable Law and which provides appropriate measures to protect the Data Subject’s legitimate interests; or
(d) where the Personal Data must remain confidential subject to an obligation of professional secrecy in accordance with Applicable Law to which the Controller is subject, including a statutory obligation of secrecy.

31. Nature of Processing information

(1) Subject to Article 31(2), the information to be provided under Articles 29 and 30 shall be provided in writing, including, where appropriate, by electronic means.
(2) The information to be provided under Articles 29 and 30 may be provided orally upon a Data Subject’s request, including where the Personal Data is being collected by means of a telephone conversation between the Controller and the Data Subject, on the condition that the identity of the Data Subject has been verified at the time of the request.
(3) A Controller may comply with the requirements under Articles 29 and 30, to the extent that the required information is contained within publicly available policies maintained by the Controller, by clearly directing the Data Subject to such policies. Such policies must be written in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Controller may include within such policies links directing the Data Subject to additional information about the Processing.