Chapter 8 (Information Provision Obligations) Flashcards

1
Q

The primary obligations that govern the provision of info to data subjects are set out in what 2 Articles of the GDPR?

A
  1. Article 13 (covering cases where personal data are collected from the data subject)
  2. Article 14 (relating to instances where personal data are obtained from a source other than the data subject)
2
Q

According to Article 13(1) what 6 pieces of fair processing info must be provided when personal data is collected directly from the data subject?

A
  1. Identity and contact details of the controller (or controller’s rep)
  2. Contact of DPO (where one is appointed)
  3. The purposes and legal basis of the processing
  4. The controller’s or third party’s legit interest if that is the grounds for processing
  5. Recipients or categories of personal data recipients (if any)
  6. Whether the controller intends to transfer personal data to a third country or international org
3
Q

Under Article 13(1) of the GDPR what additional fair processing info must be provided to a data subject if the controller intends to transfer personal data to a third country or international org?

A
  1. Whether an adequacy decision by the Commission exists in relation to the transfer
  2. If the transfer is made on the basis of appropriate safeguards (SCCs or BCRs), or on the controller’s legit interest and its assessment that suitable safeguards are in place, a reference to the safeguards relied upon and the means to obtain copies of them
4
Q

In addition to Article 13(1)’s fair processing info requirements, what 6 additional pieces of info does Article 13(2) of the GDPR require to ensure fair and transparent processing?

A
  1. The retention period for the personal data, or if not possible, the criteria used to determine that period.
  2. Info about data subject’s rights in relation to their personal data (access, restriction, objection, and portability)
  3. When processing is based on consent [6(1)] or explicit consent [9(2)(a)], informing of right to withdraw consent
  4. The right to complain to a supervisory authority
  5. Whether providing personal data is a statutory or contractual requirement or necessary to enter into a contract, as well as whether the data subject is obliged to provide personal data and the possible consequences of refusing
  6. The existence of automated decision-making, including profiling
5
Q

When a controller collects personal data from a source other than the data subject, in addition to the information laid out in Articles 13(1) and (2), what 2 other pieces of fair processing info must the controller provide in the name of transparency?

A
  1. The categories of personal data concerned
  2. From which source the personal data originate and, if applicable, whether it came from publicly accessible sources
6
Q

Under Article 14 (i.e. when data isn’t collected directly from the data subject), what 2 pieces of fair processing information listed in Article 13 of the GDPR don’t need to be provided?

A
  1. Whether the provision of personal data is a statutory or contractual requirement or a requirement to enter a contract
  2. Explaining whether the data subject is obliged to provide the personal data and the possible consequences of not doing so
7
Q

What does Article 15 of the GDPR provide?

A

Creates a freestanding right for data subjects to request from controllers much of the info outlined in Articles 13 and 14

8
Q

Under the GDPR, data subjects have rights to object to processing where the processing is based on what?

A
  1. Conducted on the basis of a controller’s legit interests
  2. Necessary for the performance of a task carried out in the public interest
  3. For the purposes of direct marketing, including profiling to the extent that it is related to direct marketing
9
Q

If a data subject’s personal data is being transferred to a third country or international org, he/she must be informed of what?

A
  1. If the transfer is based on the controller’s compelling legit interest: the data subject must be informed of the transfer and of the compelling legit interest pursued by the controller
  2. If the transfer is based on consent under Article 49(1)(a): the data subject must be informed of the possible risks of the transfer due to the absence of an adequacy decision or other appropriate safeguards, such as SCCs
10
Q

If a data subject’s personal data is transferred pursuant to BCRs what info must data subjects be provided with?

A
  1. The general data protection principles contained in the BCRs
  2. Data subject’s rights in relation to the processing and how to exercise them
  3. Liability arrangements under the BCR
11
Q

In situations where 2 or more controllers jointly determine the purposes and means of processing, the GDPR requires those controllers to determine what?

A

Their respective responsibilities for complying with the GDPR, in particular the obligation to provide info to data subjects under Articles 13 and 14.

12
Q

When joint controllers determine their respective responsibilities for complying with the GDPR, does this agreement need to be made available to data subjects?

A

Yes, the essence of the arrangement should be made available to data subjects.

13
Q

When a controller collects personal data directly from the data subject, when should the info in Article 13(1) and (2) be provided to the data subject?

A

At the time when the personal data is obtained (more accurately directly before info is collected).

14
Q

When personal data are obtained from someone other than the data subject, when does the fair processing info outlined in Articles 14(1) and (2) need to be provided?

A
  1. Within a reasonable period after obtaining the personal data (but at least within 1 month),
  2. If used for communication with the data subject, at the time of the first communication (at the latest), or
  3. If a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed
15
Q

The GDPR specifically addresses the principle of transparency by requiring controllers to provide data subjects with certain info about the processing of their personal data. What is this info often referred to as?

A

Fair processing information

16
Q

The GDPR specifically states that info provided to data subjects about the processing of their personal data must be what?

A
  1. Given in a concise, transparent, intelligible, and easily accessible form
  2. Using clear and plain language
17
Q

When requested by a data subject can fair processing info be provided orally?

A

Yes.

18
Q

Does the GDPR permit visualization to be used to help provide fair processing info to data subjects?

A

Yes, where appropriate, and the GDPR makes provision for the use of standardized icons.

19
Q

The GDPR provides additional formatting requirements where fair processing info is provided to data subjects in what 2 contexts?

A
  1. Obtaining their consent: when the request is presented together with other matters, it must be clearly distinguishable from them
  2. The right to object: it must be explicitly brought to the attention of the data subject and presented clearly and separately from other info.
20
Q

Under the GDPR, when personal data is collected directly from data subjects is the fair processing info listed in Articles 13(1) and (2) or info about a new purpose of processing required if the data subject already has this info?

A

In this circumstance, the controller doesn’t need to provide the fair processing info.

21
Q

If personal data are obtained from a source other than the data subject, in what 4 circumstances do the fair processing info required by Articles 14(1) and (2), or info about a new purpose of processing, not need to be provided?

A
  1. If the data subject already has this info;
  2. If obtaining or disclosing the personal data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legit interests;
  3. Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy; or
  4. If providing the info proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (provided the conditions and safeguards referred to in Article 89(1) are met), OR is likely to render impossible or seriously impair the achievement of the processing objectives
22
Q

What 3 factors should be considered when assessing whether the effort required to provide fair processing info would be disproportionate?

A
  1. Number of data subjects
  2. The age of the personal data
  3. Any compensatory measures applied (i.e. appropriate safeguards adopted)
23
Q

According to the WP29, because Recital 62 and Article 14(5)(b) stress processing for purposes of research and so forth, the disproportionate effort exemption shouldn’t what?

A

Be routinely relied upon by controllers processing personal data for purposes outside of research.

24
Q

According to the WP29, since there is no disproportionate effort exemption in Article 13 of the GDPR, any disproportionate effort claimed must relate directly to what?

A

The collection of the personal data from a source other than the data subject.

25
Q

According to the WP29, do controllers need to document the assessment they undertake to determine whether reliance on the disproportionate effort exemption is possible?

A

Yes.

26
Q

Is it true that in some circumstances a controller is required to respond to a data subject’s request for info about its processing (so long as an exemption doesn’t apply) but is not always required to proactively provide the extensive fair processing info required under Article 14 of the GDPR?

A

It is true.

27
Q

Article 23 of the GDPR sets out what circumstances with regard to processing personal data in a fair and transparent manner?

A

It sets out the circumstances in which Member States may legislate to restrict the GDPR’s requirements that personal data are processed in a fair and transparent manner and that fair processing info is provided to data subjects pursuant to Articles 13 & 14.

28
Q

Under Article 23 of the GDPR, the EU or Member States can restrict the GDPR’s requirements to process personal data in a fair and transparent manner in order to safeguard what 10 things?

A
  1. National security
  2. Defense
  3. Public security
  4. The prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguards against and the prevention of threats to public security
  5. Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest
  6. The protection of judicial independence and judicial proceedings
  7. The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions
  8. A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points 1-5 and 7
  9. The protection of the data subject or the rights and freedoms of others
  10. The enforcement of civil law claims
29
Q

The ePrivacy directive sets out additional fair processing info requirements relevant to the use of what?

A
  1. Cookies
  2. Similar technologies by the operators of websites, applications, and increasingly, other connected devices
30
Q

Article 5(3) of the ePrivacy Directive states that, subject to limited exceptions, storing info or gaining access to info already stored in the terminal equipment of a subscriber or user is allowed when?

A

Only on the condition that the user concerned has given their consent, having been provided with clear and comprehensive info in accordance with the GDPR.

31
Q

In the view of the WP29, Article 5(3) imposes an obligation on the entity placing a cookie or similar technology on a user’s device to obtain the prior informed consent of that user. Practically, this means what 2 things?

A
  1. Info about the sending and the purposes of the cookie or similar technology must be given to the user.
  2. The user, having been provided with such info, must consent before the cookie or similar technology is placed on their device or the info stored in the device is retrieved.
32
Q

Can fair processing info be provided by electronic means?

A

Yes.

33
Q

It is good practice to provide fair processing info using what means?

A

The same means used to collect the personal data.

34
Q

Whatever the means used to provide fair processing info, controllers should ensure what 5 things about how the info is provided?

A

That the fair processing info is:
1. Concise
2. Transparent
3. Easily accessible
4. Intelligible and in clear plain language
5. Accurate and up-to-date

35
Q

What are 3 commercial benefits to providing effective fair processing info?

A
  1. Data subjects are more likely to place trust in orgs that are transparent about the use of personal data.
  2. Data subjects will be likely to provide more and more valuable personal data to orgs that will use it properly
  3. The risk of complaints and disputes arising from the use of personal data will be reduced when the processing undertaken by an org is explained to a data subject.
36
Q

What are 5 approaches controllers should consider for providing fair processing info?

A
  1. Using layered fair processing notices
  2. Providing just-in-time notices
  3. Adopting privacy dashboards
  4. Using alternative formats and channels of communication for info
  5. Taking steps to adapt to the requirements of diverse technologies including, in particular, the Internet of Things (IoT)
37
Q

According to the WP29, a layered fair processing notice should contain what 4 things in the shorter first layer?

A
  1. The purpose of processing
  2. The controller’s identity
  3. The rights granted by the GDPR
  4. Info about processing which could surprise or have an impact on the data subject
38
Q

What are 4 benefits to layered notices?

A
  1. They assist in addressing the conflict between the volume of info that must be provided and the requirement that info be provided in a concise, easily accessible, and intelligible manner.
  2. Shorter privacy notices are easier to understand and remember.
  3. Layered notices can be used to account for space or time limitations in a number of situations in which personal data are collected.
  4. Longer notices tend to attract the complicated legal terms and industry jargon that impair readability.
39
Q

The WP29 suggests that linking a fair processing notice to a privacy dashboard is most useful when?

A

When data subjects access a service through multiple devices

40
Q

What are 5 recommendations the WP29 made regarding the provision of fair processing info where drones are used in public spaces?

A
  1. Using sign posts and info sheets where drones are operated in a specific area.
  2. Using social media, newspapers, leaflets, and posters to inform data subjects where drones are used at events.
  3. Always making fair processing info available on the operator’s website to inform data subjects about upcoming and past uses of drones.
  4. Taking steps to ensure the drone itself is visible, such as using bright colors, flashing lights, or buzzers.
  5. Ensuring the operator is also clearly visible with signage identifying them as the individual responsible for the drone.