Information Provision Obligations Flashcards
Describe the transparency requirement (include article)
Article 12(1)
Requires controllers to communicate with data subjects using:
1) an intelligible and easily accessible form (written or electronic, or orally if the data subject requests it)
2) clear and plain language (adapted to data subject)
3) concise communication
What is a privacy notice?
Statement made to data subject describing how an organization collects, uses, retains, and discloses personal data
What is a privacy notice also known as?
Privacy statement
Fair processing statement
Privacy policy
What are solutions for lengthy privacy notices?
Layered privacy notices: Contain increasingly detailed notices. The Article 29 Working Party endorsed the use of up to three layers, so long as the sum total meets legal requirements. The top layer is just a short notice with links that give the user the option to read more details. The second and third layers may include a condensed notice followed by a full notice, or a full notice followed by FAQs and additional links.
Just in time notices: Delivered at or right before a user accepts a service or product, helping to facilitate meaningful choice. An organization may give “just-in-time” notices when previously collected data is to be used for a new purpose.
Standardized icons: Communicate required information. The challenge is to design icons that accurately reflect the meaning of abstract, complex messages. Decisions about the development of the standardized icons belong with the European Commission.
Direct vs. indirect collection (include article)
Article 13
Controllers are obligated to provide data subjects with information about the processing of their data before collection, but this is not always possible.
If information is collected from public sources, such as the news media or public records, the provision of information may happen after collection, but prior to further processing.
Notice is not required if data subjects already have the information. If a controller later wants to process personal data for a different purpose, data subjects must be provided with all relevant information.
Direct collection requirements
Data subjects must be provided with:
Identity and details of controller and DPO
Purpose and legal basis of processing
Recipients of personal data
Intention to transfer data to a third country or international organization
Legal basis for international transfers, including whether there is an adequacy decision or other safeguards in place
Legitimate interests of controller if controller uses it as legal basis
Storage period or criteria used to determine length of storage
Data subjects’ rights to withdraw consent, request access or rectification, lodge a complaint, etc.
Whether provision of data from data subject is a statutory requirement
Information about automated decision making
Indirect collection requirements
When information is not collected directly from the data subject, the source of the data and the categories of personal data concerned must be provided, in addition to all the information required for direct collection.
This should happen within a reasonable time period: upon first communication with the data subject when the personal data is used to communicate with them, or within one month.
When would information not have to be provided to data subjects for indirect collection?
If the data subject already has the information
If the information provision is impossible or would require disproportionate effort*
If it would ‘render impossible or seriously impair’ the purpose of data processing*
If national or EU laws require the personal data remain secret
If national or EU laws require obtaining or disclosing data and provide appropriate measures to protect individuals’ interests
*subject to strict criteria