Chapter 8 - Information Provision Obligations Flashcards
What is the transparency principle under GDPR?
-GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner.
-Transparency = being open and honest about how personal data is used.
-Ensures that data subjects are aware of their rights, the risks, rules, and safeguards related to the processing of their personal data.
-Transparency is linked to fairness and is essential for valid consent and legitimate interests.
What are the primary obligations for providing information to data subjects under GDPR?
-Primary obligations are set out in Articles 13 and 14 of GDPR.
-Article 13 covers cases where personal data is collected directly from the data subject.
-Article 14 relates to instances where personal data is obtained from a source other than the data subject.
-Data subjects have the right to receive certain information from controllers, regardless of how their personal data was obtained.
What information must be provided to data subjects under Article 13(1)?
Under Article 13(1), controllers must provide:
(1) The identity and contact details of the controller and, if applicable, the controller’s representative.
(2) The contact details of the data protection officer (DPO), if appointed.
(3) The purposes and legal basis of the processing.
(4) The legitimate interests pursued by the controller or a third party, if applicable, where processing relies on Article 6(1)(f) GDPR.
(5) The recipients or categories of recipients of the personal data, if any.
(6) Information about transfers to third countries or international organisations, including any adequacy decision and the appropriate safeguards under Articles 46 or 47 GDPR, or the controller's own assessment that suitable safeguards are in place under the second subparagraph of Article 49(1) GDPR.
What information must be provided to data subjects under Article 13(2)?
Under Article 13(2), controllers must provide:
(1) The retention period for the personal data or criteria used to determine that period.
(2) Information about data subjects’ rights, including access, rectification, erasure, restriction, objection, and data portability.
(3) The right to withdraw consent at any time.
(4) The right to complain to a supervisory authority.
(5) Whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, and the consequences of refusing to provide it.
(6) Information about automated decision-making, including profiling.
What information must be provided to data subjects under Article 14?
Under Articles 14(1) and (2), controllers must provide the same information required in Articles 13(1) and (2), plus:
-The categories of personal data concerned.
-The source of the personal data and whether it came from publicly accessible sources.
When should information be provided to data subjects?
-For PD collected directly from the data subject, the information must be provided at the time the personal data is obtained.
-For PD obtained from someone other than the data subject, the information should be provided within a reasonable period after obtaining the PD.
-At the latest, this means within one month, at the time of the first communication with the data subject, or when the PD is first disclosed to another recipient.
How should information be provided to data subjects?
-Info must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
-Should be provided in writing or by other means, including electronic means.
-Info intended for children should be in language easy for children to understand.
-Information may also be provided orally if requested by the data subject.
What are the exemptions to the obligation to provide information to data subjects?
Exemptions include:
- If the data subject already has the information.
- If obtaining or disclosing the PD is expressly laid down by EU or Member State law, which provides appropriate measures to protect the data subject’s legitimate interests.
- If the PD must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law.
- If the provision of the info proves impossible or would involve a disproportionate effort, e.g., particularly for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
What are the requirements of the ePrivacy Directive in relation to cookies?
-ePrivacy Directive sets out additional information requirements relevant to the use of cookies and similar technologies.
-Article 5(3) states that storing info or gaining access to info already stored in the terminal equipment of a subscriber or user is allowed only if the user has given their consent, having been provided with clear and comprehensive information.
What are fair processing notices?
-Also known as privacy notices
-Convenient method for controllers to achieve compliance with the GDPR’s transparency requirements
-They can be provided in writing, including electronically, and should be concise, transparent, easily accessible, intelligible, and in clear and plain language.
What are practical considerations for fair processing notices?
Controllers should ensure fair processing notices are:
- Concise: Separate content into headed sections, use short sentences and paragraphs, and adopt a layered approach.
- Transparent: Be genuine, open, and honest, and not misleading.
- Easily accessible: Clear where the information is and how it can be accessed.
- Intelligible and in clear and plain language: Easy to understand for the audience, avoid legal jargon and terminology.
- Accurate and up to date: Regularly reviewed.
What are the benefits of effective fair processing information?
Effective fair processing information can:
- Build trust with data subjects, contributing to customer loyalty and retention.
- Encourage data subjects to provide more valuable personal data.
- Reduce the risk of complaints and disputes arising from the use of personal data.
What are some approaches to providing fair processing information?
Approaches include:
- Using layered fair processing notices
- Providing just-in-time notices
- Adopting privacy dashboards
- Using alternative formats and channels of communication
- Adapting to the requirements of diverse technologies, including the Internet of Things (IoT)
What are layered fair processing notices?
-Provide the most important information in a short initial notice, with further, more detailed information available if the data subject wishes to know more.
-They are particularly suited to online contexts, where click-through links can facilitate movement between layers of information.
What are just-in-time notices?
-Provide information about processing at specific points of data collection.
-This approach helps split fair processing information into manageable portions by providing the data subject with information at the point at which it is particularly relevant to them.
What are privacy dashboards?
-Allow data subjects to control how their personal data is processed
-They are most useful when data subjects access a service through multiple devices and are most intuitive and engaging when incorporated into the architecture of the service itself.
What are alternative formats for providing fair processing information?
-Include animations to explain processing to children.
-Include icons used together with just-in-time or layered notices.
-Include providing a full, unlayered version of fair processing information for interested data subjects to search for and refer to.
What are the challenges of providing fair processing information with diverse technologies?
-Challenges include providing information when PD is collected through CCTV, drones, wearable technologies, or mobile devices with constraints on display space.
-Practical steps include using signposts, information sheets, social media, newspapers, leaflets, posters, QR codes, embedded videos, SMS, or email messages.
What is the overview on transparency under the GDPR?
-The provision of information to data subjects is a key element of the GDPR.
-It impacts fairness, consent, and the ability to rely on legitimate interests.
-Complying with transparency obligations presents challenges, especially with mobile technologies and connected devices where opportunities to provide information are limited.
What does Article 6(1)(f) state in relation to the provision of info to data subjects?
-The provision of information to data subjects has a significant impact on the ability of a controller to rely on the ‘legitimate interests’ basis for processing under Article 6(1)(f) GDPR.
What does Recital 47 GDPR state?
-When the data subject is given clear info about how their PD will be processed, controllers are more likely to be able to support a legitimate interest claim.
-If no info is provided, the claim will be difficult to support.
What are the similarities of the DP Directive and GDPR in relation to transparency?
-Both expressly link transparency to the concept of fairness of processing; the GDPR states that data subjects must be informed of the existence of the processing operation and its purposes.
What are the differences between the DP Directive and the GDPR in relation to transparency?
-The Directive imposed a requirement that controllers notify their processing to the competent supervisory authority; data subjects could then consult the notification to learn more about the processing conducted by a particular controller.
-The GDPR removes this general notification requirement, stating that it produced administrative and financial burdens and should be replaced with effective procedures focused on processing that is likely to risk data subjects' rights.
What is the WP29’s stance on the information required under Articles 13 and 14?
-WP29 considers the information listed in Articles 13(1) and 13(2) to be equal, meaning both sets of information should be provided to the data subject in all circumstances to ensure fair and transparent processing.
-This stance was later endorsed by the European Data Protection Board (EDPB).