„Our employees are doing perfectly well; they do not need training."
Are you sure about that?
Article 14 GDPR
Information provided when personal data are obtained in a way other than by the data subject
1. If the personal data was not obtained from the data subject, the controller shall provide the data subject with the following information:
(a) their identity and contact details and, where applicable, the identity and contact details of their representative;
(c) the purposes for which the personal data are to be processed and the legal basis for the processing;
(d) categories of relevant personal data;
(e) information on recipients of personal data or categories of recipients, if any;
(f)
*
where applicable, information regarding the intended transfer of personal data to a recipient in a third country or to an international organization, and whether the Commission has determined that an adequate level of protection exists or not; or, in the case of a transfer referred to in Article 46, Article 47, or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards, and information on how to obtain a copy of those safeguards or where they are made available.2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure the fairness and transparency of the processing to the data subject:
(a) the period for which the personal data will be kept and, where this is not possible, the criteria for determining that period;
(b) if the processing is based on Article 6(1)(f) – the legitimate interests pursued by the controller or by a third party;
(c) information on the right of the controller to request access to, rectification, deletion or restriction of personal data relating to the data subject and the right to object to the processing, as well as the right to transfer data;
(e) information on the right to lodge a complaint with the supervisory authority;
(f) the source of the origin of the personal data and, where applicable, whether they come from publicly available sources;
(g) information regarding automated decision-making, including profiling, as referred to in Article 22(1) and (4), and—at least in those cases—meaningful information regarding the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. The information referred to in paragraphs 1 and 2 is provided by the administrator:
(a) within a reasonable time after obtaining personal data at the latest within one month taking into account the specific circumstances of the processing of personal data;
(b) if the personal data are to be used for communication with the data subject at the latest on the first such communication with the data subject; or
(c) if the personal data are intended to be disclosed to another recipient at the latest on their first disclosure.
4. If the controller plans to further process personal data for a purpose other than the purpose for which the data were obtained, the controller shall, prior to such further processing, inform the data subject of that other purpose and provide him or her with any other relevant information referred to in paragraph 2.
5. Paragraphs 1- 4 shall not apply when, and to the extent that:
(a) the data subject already has that information;
(b) providing such information proves impossible or would involve a disproportionate effort; in particular, in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article would prevent or seriously impede the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information publicly available;
(c) the acquisition or disclosure is expressly governed by Union law or by the law of the Member State to which the administrator is subject, providing for appropriate measures to protect the legitimate interests of the data subject; or
(d) personal data must remain confidential in accordance with the obligation of professional secrecy provided for by Union or Member State law, including the statutory obligation of secrecy.
