Chapter 8 Information Provision Obligations Flashcards
Which GDPR Articles cover Information provision?
13 - when data are collected from DS
14 - when data are collected from a source other than DS
Which info must be provided under Art 13?
13 (1)
- identity & contact details of C and its representative
- DPO contact details
- purposes, legal basis
- legitimate interest
- recipients or categories of recipients
- 3rd country transfer:
- - adequacy decision
- - appropriate safeguards (SCC, BCR)
- - C’s compelling legitimate interests and own assessment of SUITABLE SAFEGUARDS to be put in place
(in both cases, reference to the safeguards must be made, and a copy of them)
13 (2)
- retention period/criteria to determine
- DS’s rights (access request, rectification, erasure; object; restriction of processing; portability)
- consent or explicit consent - right to withdraw but the processing before that will still be legitimate
- right to complain to SA
- is provision of PD a statutory or contractual obligation or necessary to enter into contract; is DS obliged to provide PD and consequences if they refuse
- automated decision making & profiling: if P produces LEGAL EFFECTS, SIGNIFICANTLY AFFECTS DS, SPECIAL CATEGORIES OF DATA - EXPLAIN LOGIC INVOLVED, SIGNIFICANCE AND ENVISAGED CONSEQUENCES
Under 29WP and EDPB guidance both sets are mandatory
Which info must be provided under Art 14?
In addition to above:
- categories of PD
- source / is it from a publicly accessible source
Several sources - general information about the sources may be given
Don’t have to provide the info on:
- is provision of PD a statutory or contractual obligation or necessary to enter into contract; is DS obliged to provide PD and consequences if they refuse
Explain situations where additional information is required
DS rights:
- Art 15 Right to access - right for DS to request the information from the C
- right to restrict processing - C must inform the DS before it lifts the restriction
- right to object:
- - in case of legitimate interests or performance of a task carried out in public interest (including right to object to profiling)
- - direct marketing (including profiling)
These rights must be brought to DS’s attention, and the info must be presented clearly and separately from other info
International data transfers
If D is transferred on the basis of:
- compelling legitimate interests and own assessment of the circumstances - informed of the transfer and legitimate interests
- consent in the absence of adequacy decision or appropriate safeguards - possible risks
- BCR - general data protection principles contained in BCR, rights and how to exercise them, right to compensation for breaches of the BCR, liability arrangements under BCR
New purposes
- info about new purpose + info under Art 13 (2), 14 (2)
- compatibility analysis (except in case of consent or EU/MS law as a legal basis for new purpose)
Joint controllers
the essence of the arrangement should be made available to DS
PD breaches
- notification of DS in some cases
When information must be provided to DS?
Data collected from DS: at the time of collection
Data collected from other source:
- reasonable period after collection, at the latest 1 month
- at first communication
- at first disclosure to the recipient
Right to object - first communication
Right to withdraw consent - before DS gives consent
New purpose - before new processing begins, with enough notice for DS to be able to assess new processing
How information should be provided to DS
in a concise, transparent, intelligible and easily accessible form, using clear and plain language
language easy for children to understand
in writing or by other means, including electronic means (e.g. through website)
also orally
C must PROVIDE information - actively furnish or direct DS to information
use of standardised icons
Obtaining consent - clearly distinguishable from other matters
right to object - separately from other info
Exemptions to obligation to provide information
Defined by GDPR
GDPR allows MS to define their own exemptions
PD collected from DS:
- Art 13 + new purpose - DS already has information
PD collected from other source:
- Art 14 + new purpose:
- - DS already has information
- - obtaining or disclosing of PD is expressly laid down by EU or MS law that provides appropriate measures to protect DS’s legitimate interests - C is under legal obligation to process PD
- - PD must remain confidential due to professional secrecy or statutory secrecy obligations
- - impossible or would involve disproportionate effort (in particular, for processing for archiving purposes in the public interest, historical or scientific research or statistical purposes + safeguards in place - T&O measures to guarantee data minimisation; other Cs should not routinely rely on this exemption) - in this case the C must take appropriate measures, e.g. making information publicly available
- - is likely to render impossible or impair the achievement of objectives (e.g. would tip-off under anti-money laundering legislation)
Cs must document assessment!
When can “disproportionate effort” be applied?
Data are very old, huge number of DS…
In which cases the MSs are allowed to define their own exemptions?
National and public security, defence, prevention of crime …
Purposes of journalism or academic, artistic or literary expression
What are the requirements of ePrivacy directive concerning the provision of information?
relevant to the use of cookies and similar technologies by the operators of websites, apps and connected devices
storing info or gaining info already stored in the terminal equipment is only allowed upon consent
the user must be given clear and comprehensive info
consent must be obtained prior to placing the cookie or similar technology on the device
stand alone cookie policy
How must fair processing notices be presented to DS?
active steps must be taken
DS must be furnished with information or directed to it
What are the requirements for fair processing notices?
Concise - headed sections; short sentences, paragraphs; layered approach
Transparent - C must be genuine, open and honest, not misleading; if DS are given choices, they must be honoured; DS should not be surprised about processing; any risks and important consequences must be spelled out
Easily accessible - it must be clear where it is and how it can be accessed
Intelligible, clear and plain language - certain and unambiguous; purposes and legal basis should be clearly explained
Accurate and up to date: frequently reviewed
Ideas for making the provision of fair processing information effective
Layered notices:
- important info is available in a short initial notice, including purpose, legal basis, C identity, rights, any processing that could surprise DS or have an important impact
- further information is in other layers
Just in time notice:
- provided at the point at which it is particularly relevant to DS; e.g. purposes of processing a specific item of PD at the point at which they provide the data using an online form
Dashboard
- allow DS to control how their PD are processed
What formats can be used for providing FPI?
in writing, inc. electronic means
Use of visualisation
standardised icons
Always also full, unlayered version
FPI and diverse technologies
drones, CCTV, mobile devices with limited space, wearable technologies, vehicle use, IoT devices
Use of:
- signposts e.g. where drones are operated in a specific area
- leaflets, social media
- operator’s website