Data Protection: § 1 Information on the Collection of Personal Data
A comprehensive guide to the information obligations under the GDPR
Basics
Why is information so important in data collection?
The General Data Protection Regulation (GDPR) protects the fundamental rights of natural persons and ensures that data subjects retain control over their personal data.
Transparency
Creates trust and legal certainty
Obligation
Legally required under Article 13 GDPR
Definition
What does “collection of personal data” mean?
Active collection
Collection means the targeted gathering of data directly from the data subject
Practical examples
Completing forms, giving personal details in conversation, or at the time of concluding a contract
No collection
In the case of incidental awareness or unwanted contact, there is no collection
Accountability
Who must inform? The controller
The controller
The company or organisation that collects and processes data bears the main responsibility for the duty to inform.
Timing of the information
The information must be provided exactly at the time of data collection – not later, and not incompletely.
Other parties
The data protection officer and, where applicable, a representative of the controller must also be clearly named.
Art. 13 GDPR
Mandatory information when providing notice
The GDPR defines exactly which information must be provided to data subjects:
01
Identity
Name and contact details of the controller and, where applicable, the data protection officer
02
Purpose and basis
Purpose of the data processing and the legal basis on which it is grounded
03
Recipients
Recipients or categories of recipients of the personal data
04
Third countries
Planned data transfers to third countries and the safeguards provided
Further important information for data subjects
Retention period
Data subjects must be informed about the planned retention period or the criteria used to determine this period.
Data subject rights
Right to access, rectification, erasure, restriction of processing, objection and data portability.
Right to withdraw consent
The right to withdraw consent given must be clearly communicated and can be exercised at any time.
Right to complain
Data subjects have the right to lodge a complaint with a data protection supervisory authority.
Special Notes
Additional Information Obligations when Collecting Data
Legal Requirement
Information on whether providing the data is required by law or contract, or is necessary for entering into a contract.
Consequences of Not Providing the Data
Clear explanation of the possible consequences if the data subject does not provide the data.
Automated Decisions
In the case of automated decision-making and profiling: explanation of the logic, as well as the significance and implications.
Practical example
Online shop: How transparent information works
1
Data entry
Customer enters name, address and payment details for the order
2
Transparent information
Shop clearly informs about the purpose (order processing), the retention period and all data subject rights
3
Contact details
Data protection officer is named with full contact details
4
Withdrawal notice
Explicit notice of the right to withdraw at any time when signing up for the newsletter
Consequences
What happens if it is not followed?
Massive fines
Up to 20 million euros or 4% of global annual turnover – whichever is higher.
Reputational damage
Significant loss of trust among customers and lasting damage to the company’s image.
Legal risks
Complaints to supervisory authorities, claims by affected individuals and further legal consequences.
Conclusion: Transparency is the key to data protection
Legal obligation
Providing information when collecting data is not optional – it is both a legal obligation and a basis for trust
Clear communication
Clear, transparent communication protects both individuals and organisations from risk
Competitive advantage
Use data protection as an opportunity – inform your customers thoroughly and win their trust!
Task: Create a complete, well-structured privacy policy page for the website “DARYA SAFAI”. The page must be GDPR-compliant, clearly understandable, professional, trustworthy, and written in a friendly tone. The page should be divided into 10 sections, based on the following categories:
  1. Scope & overview – Explain for whom and when this privacy policy applies.
  2. Data collection & use – Which personal data is collected, for what purpose, and on what legal basis.
  3. Cookies & tracking – Essential cookies, statistics cookies, marketing cookies; purpose and use.
  4. Users’ rights – Access, rectification, erasure, objection, data portability, including simple explanations.
  5. Withdrawal & objection – How users can withdraw consent or object to processing.
  6. Social media & plug-ins – Data transfer via Facebook, Instagram, X, LinkedIn or other embedded services.
  7. Multimedia content – Embedding YouTube videos, Google Maps or other external media; how data is processed.
  8. Additional functions & offers – Newsletter, contact forms, comments; which data is collected.
  9. Security & responsibility – Technical and organisational measures, liability, copyright.
  10. Accessibility & external links – How the privacy policy can be accessed at any time and notes on external links.
Tone & style:
  • Trustworthy, serious, professional
  • Transparent and easy to understand
  • Friendly and service-oriented, without legal overwhelm
  • Clear headings and subheadings
Result: A finished, easy-to-read text that can be published directly on the privacy policy page, including all important legal notices and user information.