For the purposes of Article 16 of the Regulations, a Data Subject has the right to obtain, from a Data Controller, a statement that includes the following information:

(A) the lawful basis, as set out in Article 10 of the Regulations, and purposes of the Processing;
(B) the categories of Personal Data concerned;
(C) the Recipients, or categories of Recipient, to which the Personal Data have been or will be disclosed (in particular, Recipients outside the QFC);
(D) the period for which the Data Controller intends to retain the Personal Data, or the criteria used to determine that period;
(E) a statement of the Data Subject’s rights to request from the Data Controller:
(i) rectification of the data;
(ii) erasure of the data;
(iii) restriction of the Processing of the data;
(iv) objection to the Processing of the data; and
(v) data portability.
(F) a statement of the Data Subject’s right under Article 34 of the Regulations to lodge a complaint with the Data Protection Office if they consider that the Processing of Personal Data relating to them infringes the Regulations;
(G) if the Personal Data were collected otherwise than from the Data Subject, any available information about their source;
(H) whether automated decision-making will be used, and if so:
(i) meaningful information about the logic applied; and
(ii) the significance, and the likely consequences, of the decision-making for the Data Subject.

The Data Controller must communicate any action carried out in accordance with Article 17 or Article 18 of the Regulations to each Recipient to whom the Personal Data have been disclosed, unless doing so would be impossible or would involve disproportionate effort. The Data Controller must inform the Data Subject about those Recipients if the Data Subject requests it.