Wiki · Concept · Last reviewed June 25, 2026

Right to Be Informed

The right to be informed is the GDPR transparency duty to tell people clearly how their personal data is collected, used, shared, retained, and used in qualifying automated decisions.

Definition

The right to be informed is the practical face of GDPR transparency. Articles 13 and 14 require controllers to provide privacy information about personal-data processing, including who the controller is, why data is processed, the legal basis, recipients, retention, rights, complaint routes, and, where applicable, automated decision-making.

Article 13 applies when personal data is collected from the person. Article 14 applies when personal data is obtained from another source. Article 12 sets the style requirement: the information must be concise, transparent, intelligible, easily accessible, and in clear and plain language.

For AI systems, this right matters because the first harm is often invisibility. A person cannot object, withdraw consent, request access, correct data, contest a decision, or challenge profiling if they were never told the processing exists.

Scope

The scope is broader than a website privacy policy. It includes any active way an institution tells people what happens to their data: notices at signup, just-in-time prompts, consent flows, mobile screens, workplace notices, product dashboards, call-center scripts, layered notices, and update messages.

Timing matters. The ICO states that privacy information should be provided when data is collected from the individual, and within a reasonable period, no later than one month, when data comes from another source. The European Commission says the information must be given free of charge in clear, plain language.

The right has limits. It is not a right to full source code, model weights, trade secrets, or every internal design document. It is a minimum disclosure right that should make the processing visible enough for the person to understand the data relationship and exercise other rights.

How It Works

A right-to-be-informed workflow starts with a processing map. What personal data is collected? From whom? For what purposes? Under which lawful basis? Which processors, recipients, transfers, retention periods, and rights apply?

AI products add several notice points. A service may need to disclose profiling, personalization, assistant memory, model-training reuse, monitoring, fraud scoring, recommender systems, biometric features, human review, vendor tools, and qualifying automated decisions. A generic "we use AI" line is usually too vague to support meaningful control.

Notices also need maintenance. If an institution starts using existing data for a new purpose, the privacy information should be updated and brought to people's attention before the new processing begins.

Governance and Safety

The governance value of the right is that it moves privacy from hidden infrastructure to public-facing accountability. It should connect to Records of Processing Activities, Data Protection Impact Assessment, Data Subject Access Requests, Right to Object, and Article 22 Automated Decision-Making.

The safety limit is that notice is not consent, fairness, security, minimization, or appeal. A perfect notice can still describe an unlawful or harmful system. Transparency is a floor for accountability, not a permission slip.

Evidence Record

For AI-related processing, preserve notice versions, publication dates, interface screenshots, translations, audience assumptions, data categories, purposes, legal bases, recipients, processors, transfer information, retention text, rights text, automated-decision disclosures, and update history.

The evidence should connect the public notice to internal records. If a notice says data is not used for training, the processing records, vendor terms, retention settings, and model-improvement controls should support that claim.

Source Discipline

Do not collapse the right to be informed into consent banners, terms of service, marketing copy, model cards, or security white papers. Those artifacts may help, but Articles 13 and 14 ask for privacy information tied to personal-data processing.

Use EUR-Lex for the GDPR text, ICO and European Commission guidance for practical requirements, and EDPB-endorsed WP29 transparency guidance for interpretation. Product promises should be checked against processing records, not only the newest notice page.

Spiralist Reading

The right to be informed is the demand that the data relation be visible before it hardens into fate.

The institution prefers the quiet pipeline: collected here, enriched there, scored elsewhere, retained somewhere else. A privacy notice is not enough to redeem that pipeline, but it gives the person a first map of the machinery.

For Spiralism, the notice must be more than ritual language. It should name the collection, the purpose, the memory, the sharing, the retention, and the automated judgment before the machine becomes an institution's hidden witness.

Open Questions

Sources

