Information Provision Obligations (6) Flashcards
What are the 3 transparency obligations under GDPR?
- provide information about processing (provision of information to data subjects)
- communicate their rights (communication with data subjects in relation to their rights)
- provide means to exercise rights (facilitation of the exercise of data subject rights)
What are the required characteristics of controller communication with data subjects?
- intelligible and easily accessible
- clear and plain language
- concise
What is a privacy notice?
a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal data
What is a layered privacy notice?
multiple layers of increasingly detailed notices
The Article 29 Working Party (WP29) endorses up to 3 layers: top layer (key elements plus links), then second and third layers (either a condensed notice followed by the full notice, or the full notice followed by FAQs)
What is just-in-time notice?
a bite-sized notice delivered at the point of collection, right before the user accepts a service or product
(e.g. cookie banners, web forms)
When must controllers provide notice to data subjects?
At the time of collection (Article 13), and before any further processing for a purpose other than the one for which the data were collected
What information must be provided to data subjects in direct collection?
1. identity and contact details of the controller and the DPO
2. purpose and legal basis of the processing
3. recipients of the personal data
4. intention to transfer to a 3rd country or international organisation (IO)
5. legal basis for international transfers
6. legitimate interests of the controller, where legitimate interest is the legal basis
7. storage period
8. data subject rights
9. whether providing the data is a statutory or contractual requirement
10. existence of automated decision-making
What information must be included in indirect collection notices (that is not included in direct collection)?
categories of personal data used
source of the data
What are the exceptions to notice for indirect collection?
data subject already has information
providing the information proves impossible or would involve disproportionate effort
providing the information would render impossible or seriously impair the purpose of the processing
national law requires the data to remain confidential (obligation of secrecy)
Which principle was violated in Poland’s GDPR fine to Bisnode?
Notice (failure to provide notice to data subjects whose data had been obtained indirectly)
The Polish DPA gave Bisnode 3 months to notify about 6 million people in order to meet the Article 14 information requirements
Can a controller charge an administrative fee to data subjects who request that the information be provided orally?
No
(Article 12(1) allows the information to be provided orally when the data subject requests it, provided their identity is proven by other means, and Article 12(5) requires the information to be provided free of charge)
Is detail or conciseness more important in a privacy notice?
Conciseness is more important.
(Article 12 requires information to be intelligible and easily accessible, in clear and plain language, and concise)
What additional information must be provided to data subjects when legitimate interest is used as the legal basis?
the legitimate interests pursued by the controller or by a third party
What information must be provided to data subjects when personal data is collected indirectly?
source of the data
What information must be provided to data subjects when information will be shared outside organization?
recipients of the data
What information must be provided to data subjects in all circumstances?
purpose of the processing
data subject rights
identity of the controller
What does the GDPR require the data subject to know in order to provide valid consent?
identity of the controller
purposes for which personal data are processed
What information (7) must be provided to the data subject in all cases when data is collected directly from the data subject?
(Article 13(1))
- identity and contact details of the controller
- DPO contact details
- purposes and legal basis of the processing
- legitimate interests pursued (where legitimate interest is the legal basis)
- recipients or categories of recipients
- intention to transfer to a 3rd country or IO
- whether the transfer rests on an adequacy decision or on appropriate safeguards (and how to obtain a copy of them)
What additional information must be provided to the data subject to ensure fair and transparent processing?
- retention period (or the criteria used to determine it)
- data subject rights
- right to withdraw consent at any time (where processing is based on consent)
- right to lodge a complaint with a supervisory authority (SA)
- whether providing the data is a statutory or contractual requirement, and the consequences of refusal
- existence of automated decision-making, including profiling
Why are the information provision requirements spread across two different paragraphs (Article 13(1) and 13(2))?
This follows the structure of the Data Protection Directive (95/46/EC):
Article 13(1): the mandatory set of information
Article 13(2): additional information necessary to ensure fair and transparent processing
What additional information must be provided to data subjects when personal data is not obtained directly from data subject?
categories of personal data
source of personal data
What information must be provided to data subjects when transferring to a 3rd country or IO on basis of legitimate interest?
the transfer itself
the compelling legitimate interests pursued by the controller
What information must be provided to data subjects when transferring to a 3rd country or IO on basis of consent?
the possible risks of the transfer due to the absence of an adequacy decision and of appropriate safeguards
What information must be provided to data subjects when transferring under BCRs?
the data protection principles contained in the BCRs
data subject rights and how to exercise them,
including the right to compensation for a breach of the BCRs
When should information be provided to the data subject if the data is not obtained directly from the data subject?
- within a reasonable period after obtaining the data, but at the latest within one month
- if the data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject
- if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed
How should information be provided to the data subject? (in what form)
concise, transparent, intelligible, and easily accessible, using clear and plain language
In what format should information be provided to the data subject?
in writing or by other means, where appropriate by electronic means
Why does WP29 stress the word "provide" in relation to information provision?
Controllers must actively furnish the information; data subjects should not have to search for fair processing information among other content
What are possible approaches to providing fair processing information that comply with the requirement to be concise?
- layered notices
- just-in-time notices
- privacy dashboards
- alternative forms and channels (e.g. icons, videos, voice alerts)
- adapting the notice to the requirements of diverse technologies
What should be provided in the first layer of a layered privacy notice (WP29)?
purpose of processing
controller identity
rights granted by GDPR
any processing that could surprise the data subject or have the greatest impact on them
What does a “just-in-time” privacy notice mean?
providing the relevant information about processing at the specific point at which the data are collected
What does the WP29 recommend regarding full privacy notices?
That in addition to using alternative formats (layered, just-in-time), a full, unlayered version of the notice should always be made available in a single place