Module 6: Information Provision Obligations Flashcards
What is a privacy notice?
Typically long and wordy due to the volume of information, they outline all purposes for processing and the types of data. Standardised icons and a layered notice have been suggested to make them more concise.
What should a privacy notice include when related to direct data collection?
The identity and contact details of controller and DPO
Purpose and legal basis for each type of processing
Recipients
Intention to transfer data
Legitimate interests
Storage period
Information on how data subjects can exercise their rights
Whether data collection is a statutory or contractual requirement
If the data will be subject to any automated decision making
What is the transparency principle?
Information provisions should be transparent (transparency principle), meaning…
It should be intelligible and easily accessible
It should be concise
It should have clear visualisation
It should be available free of charge
It should give information on data subject rights and data breach notifications
For indirect collection, data subjects should be notified unless…
There is a public-facing privacy notice.
Additional information required for indirect collection includes…
Source of the data and categories of data concerned
The time frame for which it will be processed
The exemptions for indirect collection are…
The data subject already has this information
There is a public-facing privacy notice
It’s impossible to notify them or requires disproportionate effort
It’s rendered impossible or seriously impairs the purpose of the data processing
It’s subject to national or EU laws.
What is a layered online privacy notice?
A response to lengthy, complex notices - this provides a short, top-level description with highlights and links, with the complete notice at a lower level (i.e. a ‘just-in-time’ notice).
E.g. learn more, for those who wish to.