- Data controllers must inform data subjects about data collection in a transparent, easily understandable and addressee-oriented manner (Art. 13 – 14, Art. 12 GDPR).
- Information obligations apply throughout the entire processing lifecycle; in the case of indirect collection, no later than one month after collection or upon first notification.
Background
The GDPR stipulates in Art. 13 and 14 that the controller must provide the data subjects with certain information in connection with a planned data processing at a certain point in time. Art. 13 GDPR concerns the collection directly from the data subject, Art. 14 concerns the collection from other sources. The following applies:
- Direct collection (Art. 13) means (i) communication by the data subject and (ii) collection from the data subject, e.g. by cameras and other sensors;
- Indirect collection (Art. 14) means communication by or collection from a third-party source.
Art. 12 then contains general provisions that also apply to the information duties under Art. 13 f. GDPR. Art. 5 para. 1 GDPR finally establishes the general principle of transparency, and Art. 83 para. 5 lit. b GDPR provides for fines in the event of infringement.
In December 2017, the Art. 29 Data Protection Working Party published the draft working paper WP260 on transparency (“Guidelines on transparency under Regulation 2016/679”); comments can still be submitted until January 23, 2018.
Subject of the information
The WP260 contains in the appendix a tabular overview of the required information with further comments. Details can also be found:
- regarding references to automated individual decisions in the Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (3.10.2017);
- regarding contact details of the data protection officer in the Guidelines on Data Protection Officers (‘DPOs’) (13.12.2016).
The WP29 also recommends that, over and above the legal minimum, information be provided
- on the consequences of processing: not only about the most probable consequences, but above all about the most drastic ones;
- depending on the circumstances, on further matters, e.g. the publication of a data protection impact assessment.
Transmission of information: presentation and manner
Comprehensible formulation and presentation
The mandatory information (Art. 13 and 14 GDPR) must be easy to understand. This requires (especially with children) addressee-oriented, concise, easy-to-understand formulations without complicated subordinate clauses, without “legalese” and without overly technical expressions. Indeterminate formulations such as “could”, “more often”, “possibly”, “some” or “certain” etc. should be avoided. This is especially true for the information on the purposes of processing.
According to the WP29, statements such as the following are insufficient:
- “We may use your personal data to develop new services”. (as it is unclear what the services are or how the data will help develop them);
- “We may use your personal data for research purposes”. (as it is unclear what kind of research this refers to); and
- “We may use your personal data to offer personalised services”. (as it is unclear what the personalization entails).
When presenting the information, care should be taken to ensure a clear structure, e.g. by using lists and headings.
In addition, the mandatory information is to be distinguished from other disclosures required outside data protection law. It must also be provided in all languages spoken by the data subjects to be informed.
Form
There are no formal requirements. Information is frequently provided in text form, but other forms are also permissible or, depending on the circumstances, required, e.g.:
- oral information to persons present or (also automated) by telephone (even if the identity of the data subjects is not [yet] known, notwithstanding Art. 12 para. 1 GDPR);
- audio information for a device without a screen;
- information on paper, e.g. through leaflets or flyers or in operating instructions enclosed with a product;
- video information, e.g. for electronic instructions in an app;
- messages by SMS or e‑mail;
- public information, e.g. in a newspaper advertisement (such as in the case of drone photographs, provided that personal data are processed in the process);
- information on a poster, e.g. in the case of video surveillance of a store.
Most often, the information is transmitted in electronic form. The decisive factor in each case is that the format chosen is suitable under the circumstances for effectively informing the data subjects and that the controller documents the information provided. Depending on the circumstances, combinations of different means are recommended.
Icons may also be used, including in addition to other forms of information (Art. 12 para. 7 GDPR). The working paper contains further guidance on this, including on the interpretation of the term “machine-readable”, which is also used elsewhere in the GDPR (Art. 20 para. 1 regarding data portability).
Layered information
The WP29, like the FDPIC, recommends that more complex information be communicated in layers. At a first level, the points that have the greatest impact on the data subjects must be mentioned, so that the consequences of the processing can be understood without further information. More detailed information can be communicated at subsequent levels.
Information on websites
The information must be presented in such a way that it is easy to find; the data subject should not have to search for it. Notices on a website may suffice, but probably only if the data subjects are directed to the website. A kind of receipt principle is likely to apply to such notices. The WP29 states in this regard:
The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface etc.).
According to the WP29, a reference to a website can be made e.g. by a QR code on a device, for instance for IoT applications (cf. Opinion 8/2014 on Recent Developments on the Internet of Things dated 16.9.2014, which remains valid). The link must lead directly to the privacy policy.
In online transactions, there should be a link to the privacy policy at the customer interface, unless the mandatory information is reproduced directly on the page in question.
The following are also recommended:
- the use of a “privacy dashboard”, via which data subjects can manage data privacy settings centrally and independently of the device;
- “just in time” messages, which, for example, transmit relevant information at the relevant time during an online purchase.
Information in apps
In apps, privacy notices should be available before the download. In installed apps, notices should never be more than two clicks or taps away, e.g., via a “Privacy” link in a menu.
Exercise of data subject rights
Art. 12 par. 2 GDPR and Recital 59 require that data subjects be facilitated in exercising their rights. The WP29 states that, depending on the circumstances, different means should be made available for exercising the rights of the data subject. In the case of websites, for example, the use of a form for requests for information is recommended; merely referring to customer service is bad practice.
Transmission of the information: Time
The transparency obligation is not limited to a specific point in time. Rather, it applies during the entire lifecycle of processing, i.e., before the processing starts, during the processing, e.g., when communicating with data subjects about their rights, and in the event of certain events, e.g., a data breach. In particular, the requirements of Art. 12 apply to all communications.
Time of direct collection
The mandatory information under Art. 13 GDPR must be provided “at the time when personal data are obtained” (Art. 13 para. 1).
Time of indirect collection
In the case of indirect collection, the mandatory information must be provided as soon as possible, but at the latest (whichever is earlier):
- one month after collection;
- at the time of the first communication to the data subject;
- upon the first disclosure to another recipient (another controller, a joint controller or a processor, but not an employee).
According to the WP29, however, these maximum periods should not be exhausted, and the controller should document its relevant considerations.
Refreshing the information
The WP29 recommends that, for continuous services, the mandatory information be provided again after a longer period of time, even without changes (but without specifying particular intervals).
Notification of changes
Time
When the circumstances underlying the information change, the same requirements apply to the notification of changes as to the original notification. In particular, the changes should be communicated in a separate communication, i.e. not as part of a general newsletter:
[…] the controller should take all measures necessary to ensure that these changes are communicated in such a way that ensures that most recipients will actually notice them. This means for example that a notification of changes should always be communicated by way of an appropriate modality (e.g. email/ hard copy letter etc.) specifically devoted to those changes (e.g. not together with direct marketing content), with such a communication meeting the Article 12 requirements of being concise, intelligible, easily accessible and using clear and plain language.
The GDPR makes no statement on the time at which changes are to be communicated. The WP29 recommends notification as early as possible for important changes, especially for changes that affect the core of the processing (e.g., disclosure to additional categories of recipients or to third countries). Again, controllers should document their considerations at the time of the notification.
Information in case of change of purpose
In the case of (compatible!) changes of purpose, Art. 13 para. 3 and the parallel paragraph of Art. 14 GDPR require that the “relevant information” in accordance with paragraph 2 of the respective provision be provided. According to the WP29, however, this means in principle all of the information listed in paragraph 2. In addition, the data subjects must also be informed about the compatibility assessment (Art. 6 para. 4 GDPR), unless the new purpose is covered by consent or is based on EU or Member State law.
This information must be provided prior to the start of processing for the new purpose, and the data subjects should be provided with enough time to form an opinion and, if necessary, to exercise their rights (e.g. the right to object).
Exceptions to the obligation to provide information
Information already available
For both direct and indirect collection, the obligation to provide information does not apply if and to the extent that the data subject already has the relevant information. This exception should only apply if the controller can document that its requirements are met. The WP29 nevertheless recommends that all information be provided to the data subjects in each case, including information they already have.
Additional exceptions for indirect collection
Only in the case of indirect collection does the obligation to provide information not apply insofar as its fulfillment would be impossible (Art. 14 para. 5 lit. b GDPR). The WP29 interprets this exception narrowly: it applies only if providing the information is genuinely impossible, which is very rarely the case. Above all, systems and processes must be designed so that the information can be provided; otherwise there is a violation of the privacy-by-design principle. This also applies, for example, when data from different sources are merged; in that case the controller must ensure that it remains possible to identify the respective source.
Furthermore, the duty to provide information does not apply if its fulfillment would involve disproportionate effort (Art. 14 para. 5 lit. b GDPR). This exception should only apply if the effort results precisely from the fact that the data are not collected from the data subject; the WP29 derives this from the fact that Art. 13 GDPR provides no corresponding exception. In addition, the controller is obliged to weigh the effort against the interest in being informed and to document this weighing.
In addition, the obligation to provide information does not apply in the case of indirect collection if providing the information would render impossible or seriously impair the achievement of the purpose of the processing. In this case, however, the data subject must at least be informed in general terms about the corresponding data collection.
In the case of indirect collection, the obligation to provide information also does not apply if the collection is based on EU or Member State law (Art. 14 para. 5 lit. c GDPR). However, the data subject must then be informed about the data processing in accordance with that legal basis.
Finally, the duty to inform does not apply where the data are subject to a legal obligation of secrecy which, in turn, derives from EU or Member State law (Art. 14 para. 5 lit. d GDPR).