Right to be Informed
Plain English Translation
Data subjects have the right to request and receive confirmation of what personal data an organization holds about them, the sources of that data, the recipients with whom it has been shared, and how it has been processed. Organizations must respond to access requests within a reasonable timeframe and without charge for standard requests. This right ensures individuals can meaningfully monitor and verify how their personal data is being used.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Publish a clear, publicly accessible privacy policy on the main website and mobile applications.
- Add links to the privacy policy on all user registration and data intake forms.
Required Actions (scaleup)
- Implement version control for privacy policies to track which version a user saw when submitting their data.
- Introduce just-in-time privacy notices within application workflows when new types of data are requested.
Required Actions (enterprise)
- Build a centralized preference and notice center where users can view all automated processing disclosures.
- Automate the updating of privacy notices dynamically based on the underlying Record of Processing Activities (RoPA).
Under the DPA, the right to be informed ensures data subjects know whether their personal data shall be, are being, or have been processed, including any automated processing.
Organizations must describe the personal data to be entered, the purposes of processing, the scope and method, recipients, automated access methods, controller identity, storage period, and the data subject's rights.
A privacy notice must include the data description, processing purposes, recipients, automated processing methods, the controller's contact details, data retention period, and a list of data subject rights.
The data subject must be notified before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity.
Yes, the law requires notification to the data subject before the entry of their personal data into the processing system, especially when data is collected over a period of time.
Organizations must disclose the purpose in clear and simple language, specifying if the processing is for direct marketing, historical, statistical, scientific, or automated decision-making purposes.
It refers to providing a comprehensive description of what data is collected, why it is being used, how it will be processed (scope and method), and who will receive or have access to it.
Yes, if processing is partly or wholly automatic, organizations must inform the data subject about the methods utilized for automated access and the extent to which such access is authorized.
Companies comply by presenting a clear, simply written privacy notice at the point of data collection that outlines all legally required disclosures regarding data handling and subject rights.
Compliance evidence includes published privacy policies, consent forms with explicit privacy notices, just-in-time collection notices, and logs tracking user acknowledgment of the privacy policy.
Privacy notices often become inaccurate when new systems, vendors, or data uses are introduced without updating disclosures. Tools like WatchDog Security's Compliance Center can help teams track this control, collect supporting evidence, and identify gaps between documented privacy notices and actual compliance obligations.
Version history and acknowledgment records are important because regulators may ask what information was presented at the time of collection. Tools like WatchDog Security's Policy Management can support version control and acceptance tracking so teams can show which notice version was active and acknowledged.
"The data subject has a right to know whether personal data pertaining to him or her shall be, are being or have been processed, and whether the processing is partly or wholly automatic. The data subject shall be notified and furnished the information indicated hereunder before the entry of his or her personal data into the processing system..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Team | Initial publication |

