Information Provision Obligations (6)

Question 1

What are the 3 transparency obligations under GDPR?

Answer 1

1. provide information about processing - provision of information to data subjects
2. communicate their rights - communication with data subjects in relation to their rights
3. provide means to exercise rights - facilitation of the exercise of data subject rights

Question 2

What are the required characteristics of controller communication with data subjects?

Answer 2

1. intelligible and easily accessible
2. clear and plain language
3. concise

Question 3

What is a privacy notice?

Answer 3

a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal data

Question 4

What is a layered privacy notice?

Answer 4

multiple layers of increasingly detailed notices

Article 29 endorses up to 3 layers - top (key elements + links), second and third (condensed then full or full notice then FAQs)

Question 5

What is just-in-time notice?

Answer 5

bite sized delivered right before user accepts a service or product

(eg cookie web forms)

Question 6

When must controllers provide notice to data subjects?

Answer 6

Prior to collection or prior to further processing

Question 7

What information must be provided to data subjects in direct collection?

Answer 7

1 identity of controller and DPO
2. purpose and legal basis of processing
3. recipients of personal data
4. intention to transfer to 3rd country or IO
5. legal basis for international transfers
6. legitimate interest of controller when legitimate interest is legal basis

7. storage period
8. data subject rights
9. if there is a contractual requirement
10. use of automated decision-making

Question 8

What information must be included in indirect collection notices (that is not included in direct collection)?

Answer 8

categories of personal data used
source of the data

Question 9

What are the exceptions to notice for indirect collection?

Answer 9

data subject already has information
if impossible or requires disproportionate effort
if would render impossible or seriously impair purpose of processing
if national laws require secrecy

Question 10

Which principle was violated in Poland’s GDPR fine to Bisnode?

Answer 10

Notice (failure to provide notice)

DPA gave Bisnode 3 months to notify 6m people to meet Article 14 information notification requirements

Question 11

Can a controller charge an administrative fee to data subjects if they request information providing in oral format?

Answer 11

No

(Article 14 says information must be provided in oral format if requested by data subject)

Question 12

Is detail or conciseness more important in a privacy notice?

Answer 12

Conciseness is more important.

(intelligible and easily accessible, clear and plain language, concise)

Question 13

What additional information must be provided to data subjects when controller necessity is used as legal basis?

Answer 13

controller’s legitimate interest

Question 14

What information must be provided to data subjects when personal data is collected indirectly?

Answer 14

source of the data

Question 15

What information must be provided to data subjects when information will be shared outside organization?

Answer 15

recipients of the data

Question 16

What information must be provided to data subjects in all circumstances?

Answer 16

purpose of processing
data subjects rights
identity of controller

Question 17

What does the GDPR require the data subject to know in order to provide valid consent?

Answer 17

identity of the controller

purposes for which personal data are processed

Question 18

What information (7) must be provided to the data subject in all cases when data is collected directly from the data subject?

(article 13-1)

Answer 18

1. identity and contact of controller
2. DPO contact
3. purpose and basis of processing
4. legitimate interests (where applicable)
5. recipients or categories of recipients
6. intention to transfer
7. if transfer based on adequacy or safeguards

Question 19

What additional information must be provided to the data subject to ensure fair and transparent processing?

Answer 19

1. retention period
2. data subject rights
3. right to withdraw consent (if based on consent)
4. right to complain to SA
5. if data is required by contract or other obligation and consequences of refusal
6. existence of automated decision-making

Question 20

Why are information provision requirements spread across two different articles (13-1 and 13-2)?

Answer 20

following structure of the directive

article 13-1: mandatory set of information
article 13-2: information to ensure fair processing

Question 21

What additional information must be provided to data subjects when personal data is not obtained directly from data subject?

Answer 21

categories of personal data

source of personal data

Question 22

What information must be provided to data subjects when transferring to a 3rd country or IO on basis of legitimate interest?

Answer 22

the transfer
compelling legitimate interest of controller

Question 23

What information must be provided to data subjects when transferring to a 3rd country or IO on basis of consent?

Answer 23

possible risks of the transfer due to lack of adequacy or other appropriate safeguard

Question 24

What information must be provided to data subjects when transferring under BCRs?

Answer 24

data protection principles contained in the BCRs
data subject rights and how to exercise,
including right to compensation for BCR breach

Question 25

When should information be provided to the data subject if the data is not obtained directly from the data subject?

Answer 25

1. within reasonable period after obtaining the data but at the latest one month
2. if for communication, at the latest at the time of the first communication
3. at the latest when personal data are first disclosed

Question 26

How should information be provided to the data subject? (in what form)

Answer 26

concise, transparent, intelligible, and easily accessible, using clear and plain language

Question 27

In what format should information be provided to the data subject?

Answer 27

in writing or by other means, where appropriate by electronic means

Question 28

Why does the WP stress the word “provide” for information provision?

Answer 28

controllers must actively furnish information, shouldn’t have to search for fair processing information among other content

Question 29

What are possible approaches to providing fair processing information that comply with the requirement to be concise?

Answer 29

1. layered notices
2. just-in-time notices
3. privacy dashboards
4. alternative forms and channels
5. adapt to requirements of diverse technologies

Question 30

What should be provided in the first layer of a layered privacy notice (WP29)?

Answer 30

purpose of processing
controller identity
rights granted by GDPR
processing that could surprise or have an impact on data subject

Question 31

What does a “just-in-time” privacy notice mean?

Answer 31

providing information about processing at specific points of collection

Question 32

What does the WP29 recommend regarding full privacy notices?

Answer 32

That in addition to using alternative formats (layered, just in time) a full unlayered version of the notice should be made available