Chapter 2E: Information Provision Obligations

Question 1

With relation to transparency, what does the regulation aim to ensure?

Answer 1

That it is clear to data subjects that their personal data is collected and processed, and that they are aware of their rights, the risks, rules and safeguards in relation to that processing. Controllers should be open and honest.

Question 2

What is the information that should be given to data subjects, often referred to as?

Answer 2

Fair processing information.

Question 3

Controllers are more likely to be able to support a legitimate interest claim when…

Answer 3

a data subject is given clear information about how their personal data will be processed.

Question 4

How did the Directive ensure transparency?

Answer 4

Imposed a requirement that controllers notify their processing to a supervisory authority; data subjects could then consult that notification to learn more about the processing conducted by a particular controller.

The GDPR removed this as it did not in all cases contribute to improving the protection of personal data. Should be replaced by mechanisms and effective procedures which focus on processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.

Question 5

What is the combined effect of Article 13 (covering cases where data is collected from the DS) and Article 14 (re: instances where personal data is obtained from a third party source) of the regulation?

Answer 5

Data subjects have the right to receive certain information from controllers, regardless of whether they supplied the data directly or if it was by a third party.

Question 6

Article 13: the obligation to provide information to a data subject where personal data is collected from the data subject. What needs to be provided?

Answer 6

Identity and contact details of the controller and DPO
Purposes and legal basis for processing (if legitimate interest, outline this)
Recipients or categories of recipients of personal data
International transfers and whether this is adequate or based on another transfer mechanism and the means to obtain a copy of these

Further information for transparency:
Retention period
Data rights
Right to withdraw (when based on consent)
Right to complain
Whether statutory or contractual requirement
Existence of automated decision making

Question 7

Article 14: the obligation to provide information to a data subject where personal data is not obtained from the data subject

Answer 7

The controller must provide the data subject with the same information required in Article 13(1) and (2) but also…

The categories of personal data concerned
Source the personal data originated and whether it came from publicly accessible sources

If origin cannot be given due to a number of sources, general information should be given (Recital 61)

Question 8

Under article 14, as personal data is not obtained directly from the data subject, there is no requirement to…

Answer 8

Inform the data subject where the provision of personal data is statutory or contractual requirement or to explain whether the data subject is obliged to provide the personal data and the possible consequences of not doing so.

Question 9

Information has to be provided to the data subject in Article 14(2) and Article 13 to ensure…

Answer 9

Fair and transparent processing.

Question 10

What differences exist between Article 13 and 14 obligations practically?

Answer 10

Time at which the required information should be provided and circumstances in which a controller does not have to provide information about processing.

Question 11

Further information provision obligations are imposed on controllers in the context of rights granted to data subjects. What article creates a freestanding right to be informed?

Answer 11

Article 15.

Question 12

When a data subject requests a controller to restrict processing of personal data, what must a controller do before lifting the restriction?

Answer 12

Inform the data subject of the restriction being lifted.

Question 13

Data subjects can object to processing where that processing is…

Answer 13

Conducted based on the controller’s legitimate interest or carried out in public interest (including profiling based on these provisions)
or
For the purpose of direct marketing, including profiling in this arena

Question 14

Where data is transferred to a third country or international organisation on the basis of a controller’s legitimate interests and own assessment of the transfer, data subjects must be…

Answer 14

Informed of the transfer and compelling legitimate interests pursued by the controller.

Question 15

Where data is transferred to a third country or international organisation on the basis of consent under article 49(1)(a), data subjects must be…

Answer 15

Informed of the possible risks of the transfer due to the absence of either an adequacy decision from the commission or another appropriate safeguards, such as standard data protection clauses

Question 16

Where data is transferred to a third country or international organisation on the basis ofa BCR, data subjects must be…

Answer 16

Provided with information about the general data protection principles contained in the BCR, their rights re the processing and how to exercise them, including the right to obtain compensation for breaches of the BCR and the liability arrangements under the BCR.

Question 17

Where a controller intends to process personal data for a purpose other than the original purpose, the controller must provide data subjects with…

Answer 17

Information about the new purpose together with any relevant further information as referred to in Article 13 and 14 as appropriate.

Question 18

In situations where two or more controllers jointly determine the purposes and means of processing, what does the regulation require of the controllers re: information provision?

Answer 18

Those controllers transparently determine their respective responsibilities for complying with the regulation, in particular in relation to the obligation to provide information to data subjects under Article 13 and 14, and also that the essence of the arrangement should be made available to the data subjects and that the data subject is clearly informed on which controller will field their data protection enquiries.

Question 19

Data subjects should be informed of personal data breaches - true or false?

Answer 19

True only in some circumstances, where breach may have caused detriment.

Question 20

When personal data is collected from the data subject, when should the fair processing information be provided?

Answer 20

At the point of data collection.

Question 21

When personal data is collected from a source other than the data subject, when should the fair processing information be provided?

Answer 21

Within a reasonable period of obtaining the personal data but at the latest within 1 month or if the personal data is to be used for communication with the subject at the latest at the time of first communication or, if a disclosure to another third party is envisaged, at the latest when the personal data is first disclosed.

Question 22

What does Article 21(4) or the regulation say about the timescale for giving information about the data subject’s right to object?

Answer 22

It must be provided to data subjects at latest at the time of first communication.

Similarly, Article 7(3) states that information about the right to withdraw consent must be provided before a data subject gives their consent.

Question 23

How should fair processing information be provided to data subjects?

Answer 23

In a concise, transparent, intelligible and easily accessible form using clear and plain language.
It should be provided in writing or by other means, including, where appropriate, by electronic means.

Question 24

Electronic means for fair processing information may be particularly relevant where…

Answer 24

There are a number of parties involved in the processing and technological complexity makes it difficult for data subjects to understand who is processing their personal data/for what purposes (e.g. online advertising)

Question 25

Fair processing information may be provided orally: true or false?

Answer 25

True when requested by the data subject.

Question 26

Can data subjects be charged for Information provided under article 13 and 14?

Answer 26

No - it must be free of charge.

Question 27

What does the regulation require when standardises icons are presented electronically?

Answer 27

They must be machine readable.

Question 28

What format requirements are imposed by the regulation for information provided to data subjects in the context of consent?

Answer 28

Request for consent must be presented in a clearly distinguishable manner from other matters and also in an intelligible and easily accessible form using plain and clear language

Question 29

What format requirements are imposed by the regulation for information provided to data subjects in the context of the right to object?

Answer 29

Information must be explicitly brought to the attention of the data subject and presented clearly and separately from other information.

Question 30

Member states may legislate to provide specific rules for the processing of personal data in certain areas (for example, the processing of employee data in an employment context) - what must additional rules introduced include?

Answer 30

Suitable and specific measures to safeguard data subject rights, in particular, in relation to the transparency of processing.

Question 31

When is the fair processing information required by Article 13(1) and 13(2) not required to be provided?

Answer 31

If the data subject already has the information.

Question 32

When is the fair processing information required by Article 14(1) and 14(2) not required to be provided?

Answer 32

If the data subject already has the information;

If obtaining or disclosing the personal data is expressly laid down by union or member state law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests;

Where personal data must remain confidential subject to an obligation of professional secrecy regulated by union or member state law

If the provision of information proves impossible or would involve a disproportionate effort, in each case in particular for processing for archiving purposes in the public interest, scientific or historic research purposes, or statistical purposes provided that conditions and safeguards are met OR the provision of fair processing information is likely to render impossible or seriously impair the achievement of the objectives of that processing (e.g. tipping off).

Question 33

How can an organisation assess the meaning and application of disproportionate effort?

Answer 33

Recital 40 of the directive, which is largely replicated in Recital 62 of the regulation - the number of data subjects, the age of the personal data, or any appropriate safeguards aopted should be considered in assessing whether the effort would be disproportionate.

Question 34

What does WP29 say about disproportionate effort?

Answer 34

Disproportionate effort exemption should not be routinely relied upon

Disproportionate effort must relate directly to collection of personal data from a source other than the data subject

Controllers must document the assessment undertaken to determine that this exemption is applicable

The WP29 states that something is either impossible or not; there is no degree of impossibility.

Question 35

What does WP29 say about instances where origin of personal data cannot be provided?

Answer 35

As a result of the regulations requirement for privacy by design, organisations should be able to identify the source of the personal data they process (so should not need to lean into Recital 61 of giving ‘general information’ for various sources in practicality).

Question 36

The regulation allows member states to provide exemptions and derogations where processing is carried out for the purposes of…

Answer 36

Journalism, academic artistic or literary expression and those exemptions or derogations are necessary to reconcile the right to the protection of personal data with freedom of expression and information.

Question 37

What information requirements exist relevant to the use of cookies and similar technologies by the operators of websites, apps and other connected devices under the ePrivacy directive?

Answer 37

Storing or accessing information already stored in the terminal equipment of a subscriber or user is only allowed on the condition that the user has given their consent and has been provided with clear and comprehensive information.

The requirement to provide full and transparent disclosure of the use of cookies applies irrespective of the mechanism chosen to obtain consent, and operators must adopt a stand-alone cookie use policy to meet this obligation.

Question 38

What are the commercial benefits of effective fair processing information?

Answer 38

Increased data subject trust, contributing to loyalty and retention.
Data subjects will be likely to provide more valuable personal data to organisations they can trust.
The risk of complaints and disputes arising from the use of personal data will be reduced when the processing is explained.

Question 39

What approaches could a controller take to the provision of fair information?

Answer 39

Using layered fair processing notices
Providing just in time notices
Adopting privacy dashboards
Using alternative formats and channels of communication
Taking steps to adapt to the requirements of diverse technologies, in particular, the Internet of Things (IoT)

Question 40

What is a layered fair processing notice?

Answer 40

Most important information is provided in a short initial notice, and more detailed information is available should a data subject wish to know more.

WP29 - first layer should include purpose, controller’s identity, and rights granted by the regulation, along with processing which could surprise or have an impact on the data subject.
It should also make it clear what information is available and how to find more detail.

WP29 also considers it should be available to data subjects in one single place or document.

Question 41

What are the benefits of a layered fair processing notice?

Answer 41

Assist in addressing conflict between volume of information and requirement that it be provided in concise, easily accessible and intelligible manner

Shorter - easier to understand and remember

Layered notices can be used to account for space or time limitations

Longer notices tend to attract complicated legal terms and industry jargon that impair readability

Question 42

What care should controllers take with layered fair processing notices?

Answer 42

All content and timing of the information provided addresses all requirements

There is consistency in information provided in all layers

Information which must be explicitly brought to the attention of data subjects is not buried in secondary layers

Question 43

What is a just in time notice?

Answer 43

A notice which provides the data subject with information at the point at which it is relevant to them (e.g. information about purpose of processing a specific item of personal data at the point at which they provide that data in an online form)

Question 44

What is a privacy dashboard?

Answer 44

A privacy dashboard is a one-stop shop that can link fair processing notices and allows data subjects to control how their personal data is processed. Controllers can engage with data subjects regarding processing of their data.

WP29 - this is most useful when data subjects access a service through multiple devices.

Question 45

Can alternative formats be considered by controllers for fair processing notices?

Answer 45

Yes - for example, animations for children

But a full unlayered version should always be available so that data subjects can search for and refer to it without the need to click through web pages or easily read in a different medium (such as a hard copy) if required.

Question 46

Some technologies present a challenge for fair processing information - e.g. usage of CCTV or drones. The WP29 recommends…

Answer 46

Using sign-posts and information sheets in the specific area of operation

Using social media, newspapers, leaflets and posters to inform when used at specific events

Making fair processing information available on the operator’s website

Taking time to ensure that the surveillance itself is visible

Ensuring that the operator is clearly visible with signage identifying them as the individual responsible

Question 47

IoT devices present a challenge for fair processing information - The WP29 recommends…

Answer 47

Hard copy privacy information with the device, providing a QR code, embedding videos in set up information, or sending short message services or email messages to enable data subjects access to this information.

Question 48

What is the Internet of Things (IoT)?

Answer 48

The Internet of Things (IoT) refers to a system of interrelated, internet-connected objects that are able to collect and transfer data over a wireless network without human intervention. E.g. Alexa.