Chapter 2E: Information Provision Obligations Flashcards
With relation to transparency, what does the regulation aim to ensure?
That it is clear to data subjects that their personal data is collected and processed, and that they are aware of their rights, the risks, rules and safeguards in relation to that processing. Controllers should be open and honest.
What is the information that should be given to data subjects often referred to as?
Fair processing information.
Controllers are more likely to be able to support a legitimate interest claim when…
a data subject is given clear information about how their personal data will be processed.
How did the Directive ensure transparency?
Imposed a requirement that controllers notify their processing to a supervisory authority; data subjects could then consult that notification to learn more about the processing conducted by a particular controller.
The GDPR removed this as it did not in all cases contribute to improving the protection of personal data. It should be replaced by mechanisms and effective procedures which focus on processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.
What is the combined effect of Article 13 (covering cases where data is collected from the DS) and Article 14 (re: instances where personal data is obtained from a third party source) of the regulation?
Data subjects have the right to receive certain information from controllers, regardless of whether they supplied the data directly or it was supplied by a third party.
Article 13: the obligation to provide information to a data subject where personal data is collected from the data subject. What needs to be provided?
Identity and contact details of the controller and DPO
Purposes and legal basis for processing (if legitimate interest, outline this)
Recipients or categories of recipients of personal data
International transfers and whether this is adequate or based on another transfer mechanism and the means to obtain a copy of these
Further information for transparency:
Retention period
Data rights
Right to withdraw (when based on consent)
Right to complain
Whether statutory or contractual requirement
Existence of automated decision making
Article 14: the obligation to provide information to a data subject where personal data is not obtained from the data subject
The controller must provide the data subject with the same information required in Article 13(1) and (2) but also…
The categories of personal data concerned
From which source the personal data originated and whether it came from publicly accessible sources
If origin cannot be given due to a number of sources, general information should be given (Recital 61)
Under Article 14, as personal data is not obtained directly from the data subject, there is no requirement to…
Inform the data subject where the provision of personal data is a statutory or contractual requirement or to explain whether the data subject is obliged to provide the personal data and the possible consequences of not doing so.
Information has to be provided to the data subject in Article 14(2) and Article 13 to ensure…
Fair and transparent processing.
What differences exist between Article 13 and 14 obligations practically?
Time at which the required information should be provided and circumstances in which a controller does not have to provide information about processing.
Further information provision obligations are imposed on controllers in the context of rights granted to data subjects. What article creates a freestanding right to be informed?
Article 15.
When a data subject requests a controller to restrict processing of personal data, what must a controller do before lifting the restriction?
Inform the data subject of the restriction being lifted.
Data subjects can object to processing where that processing is…
Conducted based on the controller’s legitimate interest or carried out in the public interest (including profiling based on these provisions)
or
For the purpose of direct marketing, including profiling in this arena
Where data is transferred to a third country or international organisation on the basis of a controller’s legitimate interests and own assessment of the transfer, data subjects must be…
Informed of the transfer and compelling legitimate interests pursued by the controller.
Where data is transferred to a third country or international organisation on the basis of consent under Article 49(1)(a), data subjects must be…
Informed of the possible risks of the transfer due to the absence of either an adequacy decision from the Commission or other appropriate safeguards, such as standard data protection clauses
Where data is transferred to a third country or international organisation on the basis of a BCR, data subjects must be…
Provided with information about the general data protection principles contained in the BCR, their rights re the processing and how to exercise them, including the right to obtain compensation for breaches of the BCR and the liability arrangements under the BCR.
Where a controller intends to process personal data for a purpose other than the original purpose, the controller must provide data subjects with…
Information about the new purpose together with any relevant further information as referred to in Article 13 and 14 as appropriate.
In situations where two or more controllers jointly determine the purposes and means of processing, what does the regulation require of the controllers re: information provision?
That those controllers transparently determine their respective responsibilities for complying with the regulation, in particular in relation to the obligation to provide information to data subjects under Article 13 and 14, that the essence of the arrangement should be made available to the data subjects, and that the data subject is clearly informed which controller will field their data protection enquiries.
Data subjects should be informed of personal data breaches - true or false?
True only in some circumstances, where the breach may have caused detriment.