EDRi's comments on the Data Protection Reform

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;
(d) the period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their source;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to including all recipients in third countries;
(d) the period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their source;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
(i) in the case of measures based on profiles, meaningful information about the logic about the logic used in the profiling;
(j) where applicable, in what manner and for what specific purposes the data will be processed for statistical purposes and how will be ensured that data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information.

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing, including profiles generated through automatic means or when this is not possible, the categories in which these profiles have been placed. Where the data subject makes the request in electronic form, the information shall be provided in electronic form unless otherwise requested by the data subject.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).