top of page


The  European regulation  provides that, according to  purpose of the processing , the owner must provide  interested , before  processing , the information required by the regulations (Article 12 of the GDPR). This is done through the information.

The information is a communication addressed to the interested party  which has the purpose of informing the citizen, even before he becomes interested (i.e. before the treatment begins), about the purposes and methods of the treatments carried out by the  data controller ,  It is a condition, not so much of the respect for the individual right to be informed, but of the duty of the data controller to ensure the  transparency and correctness of the treatments  right from the stage of  design  of the treatments themselves, and to be able to prove it at any time ( principle of accountability ). 

The information also has the purpose of allowing the interested party to make a valid  consent , if requested as  legal basis of the processing . In this case, the information is not only due on the basis of  principle of transparency and correctness , but it is also a condition of legitimacy of the treatment. 

It is necessary to distinguish between the cases in which the data are collected from the interested party and the one in which the data are acquired from third parties.  


When it is due

The information is required every time there is data processing. The obligation to inform data subjects must be fulfilled before or at the latest when starting the data collection. On the other hand, there is no obligation to provide the information if the processing concerns anonymous data (e.g. aggregates) or data of entities or legal persons (whose data are not subject to the protection provided for by  European regulation ). 

The natural person who carries out the  data processing for exclusively personal and domestic activities , is not required to provide the information. 

In the event that the data are not collected directly from the data subject (Article 14 of the Regulation), the information must be provided within a reasonable time, and in any case no later than one month from the collection of the data. Or it must be done at the time of  communication  of the data to third parties. It is not necessary to inform the data subject when:
- the interested party already has the information;
- communicating such information is impossible or would involve a disproportionate effort;
- obtaining or communicating is expressly provided for by the law of the Union or of the Member State to which the holder is subject;
- personal data must remain confidential due to the obligation of professional secrecy governed by the law of the Union or of the Member States. 

The Italian Privacy Guarantor reminded that in some cases the disclosure is not necessary, when: 
- the data are processed on the basis of an obligation established by law, by a regulation or by community legislation (see  legal basis of the processing ); 
- the processing is connected to the carrying out of "defensive investigations" in criminal matters (Article 38 implementing rules of the Criminal Code) or to the defense of a right in court (unless the processing continues for a period longer than strictly necessary to pursue these purposes or is carried out for other purposes). 

The Guarantor has also issued some provisions regarding exemption from disclosure: 
- Exemption from the obligation to provide information if manifestly disproportionate means are required -  November 26, 1998
- Exemption from the obligation to provide information for the processing of data used in carrying out the business activity -  February 19, 2015

Minimum content

The information must have the following minimum content (articles 13 and 14 of  European regulation ): 
- categories of data processed e  purpose  of the processing (not the methods of processing, but which data are processed divided by categories, for what purpose, for how long they are processed, if the data will be  transferred abroad  and, in this case, through which tools); 
- the  legal basis of the processing , so if it is a treatment based on  consent  or justified by laws,  legitimate interests  (in this case specifying what the legitimate interest is), etc ...;
- mandatory or optional nature of providing data and the consequences of such refusal (specifying that it is possible to refuse consent to individual treatments such as those for the purpose of  direct marketing ); 
- if the owner intends to use the data for a purpose other than that for which they were collected; 
- subjects  recipients  (also by categories) to which the data may be  communicated  and the scope of dissemination of the data (the indication of third parties cannot be generic); 
- if the holder intends to  transfer the data to non-EU countries , in which case whether or not there is an adequacy decision of the EU Commission (i.e. if the Commission has decided that the third country, a territory or one or more specific sectors within the third country, or the international organization in question ensure an adequate level of protection, for which the transfer does not require specific authorizations);
- the  data retention period  or an indication of the criteria for determining it; 
- i  rights of the interested party  (right to access personal data, to obtain the correction or cancellation of the same or the limitation of the processing that
concern, to oppose the treatment, to revoke the consent, right to  lodge a complaint  to the supervisory authority , if any  right to portability ); 
- identification data (name, denomination or company name, domicile or registered office) of the data controller and, if designated, the contact details of the  responsible for data protection (DPO ), therefore an address to which interested parties can contact to exercise their rights; 
- if the processing involves automated decision-making processes (such as  profiling ) must be specified also indicating the logic of these decision-making processes and the expected consequences for the data subject. 

The privacy information must also indicate i  cookies  that conveys the site, how to disable cookies (e.g. through browser options), and in the case of third-party cookies, the link to the privacy policy pages of third-party services. Please refer to  another article for more details on the regulation of cookies . Please note that the cookie policy is a section of the privacy policy, not a separate document, so it is generally accepted that it may be a page other than the one that contains the privacy policy, but the latter must absolutely recall it (via link). 

In the case of data collected from third parties, the information must present additional contents, namely:
- indication of the categories of personal data being processed; 
- the indication of the source from which the personal data originate (which can also be a source accessible to the public); 
- on the other hand, the information regarding the mandatory nature or not of the communication of personal data is omitted, because in this case the data is not collected from the interested party.


Method of disclosure

In compliance with the  principle of transparency  the information must have a concise form, it must be clear, easily accessible and intelligible for the interested party (Recital 39), and this in particular when it is addressed to  minors , possibly also using images or icons (the icons must be identical for the whole European Union and will be identified by a subsequent European Commission provision). The information must be made in writing or by other means (including electronic, such as, for example, e-mail). If requested by the interested party, the information can be given orally (provided that the identity of the interested party is proven by other means). However, it is preferable to provide it in a form that proves its existence and allows  supervisory authorities  to verify its completeness and correctness. 

It is possible to publish the information on a website, by inserting the link (link) to this web page on the main page (home) of the website, but also in communications and correspondence, including paper correspondence. In the case of postal communications, however, it is also necessary to provide alternative forms, such as sending faxes following a request by the interested parties, for those who do not have the possibility to read it online.  



A breach of information to users may result in an investigation by the supervisory authority , which may impose certain  sanctions  and also the blocking of all data collected and processed in violation of the rules. In addition, users can initiate a  action for damages  against the  holder of the treatment .


Practical cases (websites)

If a  website  does not allow any user registration, and does not process user data, the privacy information is not required, although it must be borne in mind that websites generally acquire information anyway (also  personal data ) through the servers on which they are hosted. Instead, the disclosure is always due whenever there is a collection e  treatment  of the data (e.g. IP addresses, e-mails) of users (e.g. filling in forms), so even if the site  you use cookies  through which it collects user data. It is also due even when the  consent  of the interested party  it is not required, or when the interested party is required by law to provide the data. 

If the site allows the registration of users, but the data is used only for the purposes of the site itself (eg.  mailing list ) and not for sending commercial proposals etc ..., only the privacy information is required (to be linked to the registration form to allow consultation), but the collection of the  consent

On the other hand, if the site allows user registration and also collects data for purposes  promotional and advertising , including the  transmission to third parties , the privacy information is required and the consent must be expressed with separate acceptance of the information. 

bottom of page