Chapter 8 - Information Provision Obligations Flashcards
What is the transparency principle under GDPR?
-GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner.
-Transparency = being open and honest about how personal data is used.
-Ensures that data subjects are aware of their rights, the risks, rules, and safeguards related to the processing of their personal data.
-Transparency is linked to fairness and is essential for valid consent and legitimate interests.
What are the primary obligations for providing information to data subjects under GDPR?
-Primary obligations are set out in Articles 13 and 14 of GDPR
-Article 13 covers cases where personal data is collected directly from the data subject
-Article 14 relates to instances where personal data is obtained from a source other than the data subject.
-Data subjects have the right to receive certain information from controllers, regardless of how their personal data was obtained.
What information must be provided to data subjects under Article 13(1)?
Under Article 13(1), controllers must provide:
(1) The identity and contact details of the controller and, if applicable, the controller’s representative.
(2) The contact details of the data protection officer (DPO), if appointed.
(3) The purposes and legal basis of the processing.
(4) The legitimate interests pursued by the controller or third party, if applicable - under Article 6(1)(f) GDPR
(5) The recipients or categories of recipients of the personal data, if any.
(6) Information about transfers to third countries / international organisations, including adequacy decisions and safeguards -> Appropriate safeguards under Article 46 / 47 GDPR / own assessment that suitable safeguards in place under 2nd sub para Article 49(1) GDPR
What information must be provided to data subjects under Article 13(2)?
Under Article 13(2), controllers must provide:
(1) The retention period for the personal data or criteria used to determine that period.
(2) Information about data subjects’ rights, including access, rectification, erasure, restriction, objection, and data portability.
(3) The right to withdraw consent at any time.
(4) The right to complain to a supervisory authority.
(5) Whether the provision of personal data is a statutory or contractual requirement or necessary to enter into a contract
(6) the consequences of refusing.
Information about automated decision-making, including profiling.
What information must be provided to data subjects under Article 14?
Under Articles 14(1) and (2), controllers must provide the same information required in Articles 13(1) and (2), plus:
-The categories of personal data concerned.
-The source of the personal data and whether it came from publicly accessible sources.
When should information be provided to data subjects?
-For PD collected directly from the data subject, the information must be provided at the time the personal data is obtained.
-For PD obtained from someone other than the data subject, the information should be provided within a reasonable period after obtaining the PD
-At the latest within one month/ at the time of the first communication with the data subject / when the PD is first disclosed to another recipient.
How should information be provided to data subjects?
-Info must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language
-Should be provided in writing or by other means, including electronic means.
-Info intended for children should be in language easy for children to understand
-Information may also be provided orally if requested by the data subject.
What are the exemptions to the obligation to provide information to data subjects?
Exemptions include:
- If the data subject already has the information.
- If obtaining or disclosing the PD is expressly laid down by EU/ MS law & provides appropriate measures to protect the data subject’s legitimate interests.
- If the PD must remain confidential subject to an obligation of professional secrecy regulated by EU/ MS law
- If the provision of the info proves impossible/would involve a disproportionate effort -> e.g., particularly for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
What are the requirements of the ePrivacy Directive in relation to cookies?
-ePrivacy Directive sets out additional information requirements relevant to the use of cookies and similar technologies.
-Article 5(3) states that storing info or gaining access to info already stored in the terminal equipment of a subscriber or user is allowed only if the user has given their consent, having been provided with clear and comprehensive information.
What are fair processing notices?
-Also known as privacy notices
-Convenient method for controllers to achieve compliance with the GDPR’s transparency requirements
-They can be provided in writing, including electronically, and should be concise, transparent, easily accessible, intelligible, and in clear and plain language.
What are practical considerations for fair processing notices?
Controllers should ensure fair processing notices are:
- Concise: Separate content into headed sections, use short sentences and paragraphs, and adopt a layered approach.
- Transparent: Be genuine, open, and honest, and not misleading.
- Easily accessible: Clear where the information is and how it can be accessed.
- Intelligible and in clear and plain language: Easy to understand for the audience, avoid legal jargon and terminology.
- Accurate and up to date: Regularly reviewed.
What are the benefits of effective fair processing information?
Effective fair processing information can:
- Build trust with data subjects, contributing to customer loyalty and retention.
- Encourage data subjects to provide more valuable personal data.
- Reduce the risk of complaints and disputes arising from the use of personal data.
What are some approaches to providing fair processing information?
Approaches include:
- Using layered fair processing notices
- Providing just-in-time notices
- Adopting privacy dashboards
- Using alternative formats and channels of communication
- Adapting to the requirements of diverse technologies, including the Internet of Things (IoT)
What are layered fair processing notices?
-Provide the most important information in a short initial notice, with further, more detailed information available if the data subject wishes to know more.
-They are particularly suited to online contexts, where click-through links can facilitate movement between layers of information.
What are just-in-time notices?
-Provide information about processing at specific points of data collection.
-This approach helps split fair processing information into manageable portions by providing the data subject with information at the point at which it is particularly relevant to them.
What are privacy dashboards?
-Allow data subjects to control how their personal data is processed
-They are most useful when data subjects access a service through multiple devices and are most intuitive and engaging when incorporated into the architecture of the service itself.
What are alternative formats for providing fair processing information?
-Include animations to explain processing to children, using icons + with just-in-time or layered notices & providing a full, unlayered version of fair processing information for interested data subjects to search for and refer to
What are the challenges of providing fair processing information with diverse technologies?
-Challenges include providing information when PD is collected through CCTV, drones, wearable technologies, or mobile devices with constraints on display space.
-Practical steps include using signposts, information sheets, social media, newspapers, leaflets, posters, QR codes, embedded videos, SMS, or email messages.
What is the overview on transparency under the GDPR?
-The provision of information to data subjects is a key element of the GDPR.
-It impacts fairness, consent, and the ability to rely on legitimate interests.
-Complying with transparency obligations presents challenges, especially with mobile technologies and connected devices where opportunities to provide information are limited.
What does Article 6(1)(f) state in relation to the provision of info to data subjects?
-That it will have a significant impact on the ability of a controller to rely on ‘legitimate’ interests basis for processing under Article 6(1)(f) GDPR
What does Recital 47 GDPR state?
-When data subject given clear info about how their PD will be processed, controllers more likely to be able to support a legitimate interest claim.
-If no info is provided -> then claim will be difficult
What are the similarities of the DP Directive and GDPR in relation to transparency?
-Both state that transparency expresly linked to concept of fairness of processing -> GDPR states data subjects must be informed of existence of processing operation & its purposes
What are the differences between the DP Directive and the GDPR in relation to transparency?
-The Directive imposed a requirement that controllers notify their processing to the competent supervisory authority -> data subjects could then consult the notification to learn mroe about processing conducted by particular controller
-The GDPR removes this general notificatino requirement -> states it produced admin/financial burdens/ should be replaced with effective / not risk rights
What is the WP29’s stance on the information required under Articles 13 and 14?
-WP29 considers the information listed in Articles 13(1) and 13(2) to be equal, meaning both sets of information should be provided to the data subject in all circumstances to ensure fair and transparent processing.
-This stance was later endorsed by the European Data Protection Board (EDPB).
What is the WP29’s guidance on providing information under Article 14?
-States that the information listed in Article 14(2) must be provided to the data subject in all instances to ensure fair and transparent processing.
-WP29 does not distinguish between the information to be provided under Article 14(1) and 14(2), meaning both sets of information should be provided unless an exemption applies.
What does Recital 61 state about the source of personal data?
-States that where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided
-This ensures that data subjects are informed about the source of their personal data even when specific details cannot be given
What are the WP29’s recommendations for providing fair processing information in diverse technologies?
-WP29 recommends practical steps for providing fair processing information in diverse technologies, such as using signposts and information sheets for drones, social media, newspapers, leaflets, and posters for events, and ensuring the drone and operator are clearly visible.
-For IoT devices, the WP29 suggests using hard-copy privacy information, QR codes, embedded videos, SMS, or email messages.
What does Recital 62 state about disproportionate effort?
-Cites the number of data subjects, the age of the personal data, and any compensatory measures or appropriate safeguards adopted as factors to consider when assessing whether the effort required to provide fair processing information would be disproportionate.
What does Article 23(1) state about member state legislation?
-States that Union or Member State law may restrict the scope of the obligations and rights provided for in Articles 12 to 22, Article 34, and Article 5 when such a restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defense, public security, prevention of crime, public interest, judicial independence, and other important objectives.
What does Article 23(2) state about legislative measures?
-Article 23(2) states that any legislative measure implemented to restrict the obligation to provide fair processing information must contain specific provisions as to the right of data subjects to be informed about the restriction, unless doing so would prejudice the purpose of the restriction.
What does Article 89(1) require for processing sensitive data for archiving, scientific, historical, or statistical purposes?
-89(1) requires safeguards to ensure respect for the principle of data minimisation, including technical and organisational measures.
-These measures may include pseudonymisation to protect data subjects’ rights and freedoms while processing sensitive data for archiving, scientific, historical, or statistical purposes.
What is required when processing personal data for new purposes under GDPR?
-When a controller intends to process personal data for a purpose other than that for which it was originally collected or obtained, the controller must provide data subjects with information about the new purpose, along with any relevant further information as referred to in Article 13(2) or Article 14(2), as appropriate.
-WP29’s guidance states that all such information should be provided unless one or more categories of the information does not exist or is not applicable. Controllers should also consider including information on the compatibility analysis conducted pursuant to Article 6(4) of the GDPR.
What are the requirements for joint controllers under GDPR?
-When 2+ controllers jointly determine the purposes and means of processing, the GDPR requires those controllers to transparently determine their respective responsibilities for complying with the GDPR, particularly in relation to the obligation to provide information to data subjects under Articles 13 and 14.
-The essence of this arrangement should be made available to data subjects.
-This obligation to make information available is distinct from the active obligation to provide information under Articles 13 and 14.
