For the purposes of Articles 14 and 15 of the Regulations, a Data Controller must provide a Data Subject with the following information:

(A) the identity and contact details of the Data Controller;
(B) the purposes of the intended Processing and the lawful basis for that Processing, as set out in Article 10 of the Regulations;
(C) whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failing to do so;
(D) the categories of Personal Data concerned;
(E) if the data are to be, or may be, disclosed to one or more other individuals or entities, their names or a description of their categories;
(F) if the Data Controller intends to transfer the data to another jurisdiction, a statement of that fact, setting out a description of the applicable safeguards and, if applicable, how and where to obtain a copy of the safeguards;
(G) if the Processing is based on the legitimate interests of the Data Controller or another Person to whom the data are disclosed or to comply with an obligation imposed on the Data Controller by law, a clear statement of those interests or obligations;
(H) the period for which the data will be retained, or how to determine that period;
(I) a statement of the Data Subject's right to request from the Data Controller:
(i) access to the data;
(ii) rectification of the data;
(iii) erasure of the data;
(iv) restriction of the Processing of the data;
(v) objection to the Processing of the data; and
(vi) data portability.
(J) whether automated decision-making will be used, and if so:
(i) meaningful information about the logic applied; and
(ii) the significance, and the likely consequences, of the decision-making for the Data Subject.
(K) if the Processing is based on consent, that the Data Subject has the right to withdraw that consent at any time, but that withdrawing the consent does not affect the lawfulness of Processing based on consent before the withdrawal; and
(L) that under Article 34 of the Regulations, the Data Subject has the right to lodge a complaint with the Data Protection Office if the Data Subject considers that the Processing of Personal Data relating to them infringes the Regulations.