- The information obligation pursuant to Art. 17 E‑DSG can be fulfilled by a publicly accessible privacy policy on the website, especially in the case of direct collection.
- Information should be provided in a clear, linguistically understandable way and at different levels (multi-level access) so that different user needs are covered.
- As a minimum standard, the FDPIC requires direct links to relevant passages and options, as exemplified by the Microsoft solution.
In a column in the NZZ (Wednesday, 27.9.2017, p. 9), the FDPIC commented on the fulfillment of the duty to inform. Firstly, it considers information via a website to be sufficient, and secondly, it recommends staged information:
While updating terms of use and providing consent via paper still involved a great deal of effort, customers’ demand for transparency can now be easily implemented thanks to digital technology. By means of Activation of appropriate information providers can always keep their customers fairly and comprehensively informed online. Information is fair when it is firstly linguistically easy to understand is and secondly the customers through a user-friendly programming directly to those passages of the terms and conditions of use that are relevant to the informed exercise of specific rights of choice and consent.
Comprehensive information is provided when those responsible for processing their online texts accessible in several depths of explanation makeThe new website is designed to meet the varying needs of visitors, from online shoppers to specialized groups such as investigative journalists and data protection authorities.
These statements must be read in the context of the dispatch on the draft FADP, which comments on the duty to provide information within the meaning of Art. 17 of the e‑DSG as follows:
Thus, a general information suffice if the personal data be obtained from the person concerned (for general business conditions see Art. 18 Par. 1). Conceivable in this case are a Privacy policy on a websitebut, if necessary, also symbols or pictograms, as far as they reflect the necessary information. If a general form is chosen, the information must Easily accessible, complete and sufficiently visible be made. Also a multilevel access is possible, which, for example, contains an overview on a first level that gives access to detailed information on a second level. On the other hand, it is not sufficient if a contact person is simply given. The person concerned should receive the information without having to ask for it first.
The FDPIC and the dispatch are therefore of the opinion that the duty to inform under Art. 17 E‑DSG can be fulfilled by publishing the required information on a website and communicating it only in this way. This applies in any case if the data direct are collected from the data subject. But also with the Third party survey such information must be sufficient, provided that the data subject is aware of the collection, which can be ensured, for example, by a corresponding notice. It would therefore be sufficient, for example, to include a notice in the GTC that the controller obtains personal data via third parties, such as a credit agency; the other information required under Art. 17(2) FADP can also be provided in this case, for example, via a website.
What is required, however, is a clear language, and recommended is a “multi-level” declaration. This refers to “staged” information – in this case, the required information is initially provided only in general form; however, the visitor to the website has the opportunity to explore the individual topics in greater depth via more in-depth links. Further explanations of this approach can be found in the Media release of the FDPIC on the clarification of the facts regarding Windows 10:
[…] In the second release, users will be able to additionally access the corresponding passage in the latest version of the privacy policy directly during the installation process. This increases transparency and makes it easier for users to find the relevant information in the extensive explanation. […]The FDPIC considers the solution reached with Microsoft, in particular the Direct link to the relevant passages of the privacy policy and the options to choose from, as Minimum standard for applications and services of other companies. In future clarifications, the FDPIC will measure the data processing under review against the solution achieved.