Obligations of information to the data subject
Obligations of information to the data subject – information ex arts. 13-14, GDPR
The main aim of the GDPR is to protect the rights and fundamental freedoms of natural persons, so it is no wonder that the controller is required to describe to data subjects the features of the processing of their personal data. The principles of fair and transparent processing require that the data subject be informed of the existence of the processing activity and of its purposes. The controller shall provide any further information needed to ensure that the processing is carried out fairly and transparently and to give the data subject a meaningful overview of the intended processing.
Data subjects shall know the details of the processing precisely and be aware of its context and circumstances: in this way they are in a position to decide whether to provide their personal data. Data subjects shall also be informed whether they are obliged to provide their data and of the consequences of not providing them.
Needless to say, information shall specify the rights of data subjects and how to exercise them, including the right to lodge a complaint with the supervisory authority.
This obligation is not new: it was already prescribed by the legislation in force before the GDPR, but the GDPR requires further information on the processing to be added.
The distinction between data collected from the data subject and data not obtained from the data subject remains.
Information to be provided where personal data are collected from the data subject
This is the most common case: the controller collects data from the data subject through paper or electronic forms, and the data subject provides the controller with their data directly. Some examples: data collection to sign up to a service, to place an order, to submit an employment application, or to request information about the controller’s business activity.
The information provided is not generic or left to the controller's discretion: the controller shall specify the elements required by art. 13, GDPR.
As a general rule, where data are collected directly from the data subject, the information shall be provided «at the time when data are collected», and the controller shall not forget to inform the data subject if it intends to process the data for purposes other than those for which they were collected. These purposes shall be indicated «prior to that further processing». It is good practice to specify all purposes of the intended processing activities when collecting the data. A residual case remains in which the controller must inform the data subject of new purposes of processing, together with any relevant information on those purposes.
If data are collected from the data subject, the controller shall provide the data subject with all of the following information. Here are also some examples to better understand this obligation:
a. the identity and the contact details of the controller and, where applicable, of the controller’s representative. Identity and contact details of the representative shall be specified when the processing of personal data of data subjects who are in the European Union is carried out by a controller which is not established in the European Union and such processing relates to the offer of goods and services to such data subjects in the European Union or when the processing relates to the monitoring of data subjects’ behaviour as far as it takes place in the European Union
b. the contact details of the Data Protection Officer, where applicable
c. the purposes of the processing as well as the legal basis for the processing. For instance, when data are processed to perform an order (purpose), the legal basis is the execution of contractual obligations
d. where the processing is based on legitimate interest, the legitimate interests pursued by the controller or by a third party: the legitimate interest shall be specified. It may be, for instance, the establishment, exercise or defence of legal claims of the controller or of a third party
e. the recipients or categories of recipients of the personal data, if any: for instance, if data shall be communicated to institutional bodies, the controller shall specify such bodies or the categories of bodies which are the recipients of data
f. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the safeguards which allow such transfer: for instance, when data are transferred to a processor in Chile for telemarketing activities, the safeguards may be the standard data protection clauses adopted by the European Commission
g. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period. If data are processed for tax obligation purposes, the period of storage in Italy is 10 years according to the legislation on tax obligations
h. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability: these are the fundamental rights which allow data subjects to control the context of the processing and to take decisions on it even after providing their data
i. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. At any time and free of charge, the data subject can withdraw consent which has been previously expressed. Processing activities carried out on the basis of the consent given before its withdrawal remain lawful
j. the right to lodge a complaint with a supervisory authority: it is a new right of immediate applicability: data subjects can lodge a complaint with a supervisory authority to enforce their data protection rights (authority of the European Union country where the data subject lives, works or where the alleged infringement has taken place)
k. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide personal data and the possible consequences of failure to provide such data: for instance, in the context of an order, information on the customer's job should not be requested as mandatory, because it is not necessary to perform the order; if it is not provided, the person still has the right to have the order fulfilled
l. the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. An example relating to profiling cookies on a website for marketing activities purposes clarifies the point: the user shall be aware of such processing in order to give or deny consent to such profiling purpose.
As under the previous legislation, the GDPR provides that the obligation of information does not apply where the data subject already has such information. Any change to that information shall be communicated to the data subject.
Information to be provided where personal data have not been obtained from the data subject
Data may also be provided by or obtained from third parties: this is the case where data are not provided directly by the data subject but by another natural or legal person. For instance, a customer can specify that the goods ordered shall be delivered to a neighbour, or a donor can provide the first and last name and contact details (e.g. e-mail) of a friend who may be interested in donating to a specific not-for-profit organisation.
Where data are not obtained directly from the data subject, the controller shall provide the data subject with information:
a. within a reasonable period after obtaining the personal data, but «at the latest within one month»
b. if the personal data are to be used for communication with the data subject, «at the latest at the time of the first communication to that data subject»; or
c. if a disclosure to another recipient is envisaged, «at the latest when data are first disclosed».
Information to be provided is:
a. the identity and the contact details of the controller and, where applicable, of the controller’s representative
b. the contact details of the Data Protection Officer, where applicable
c. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
d. the categories of personal data
e. the recipients or categories of recipients of the personal data, if any
f. where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the safeguards which allow such transfer
g. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
h. where the processing is based on the legitimate interest, the legitimate interests pursued by the controller or by a third party
i. the existence of the right to request access to and rectification or erasure of data or restriction of processing and to object to processing as well as the right to data portability (rights of data subjects)
j. where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
k. the right to lodge a complaint with a supervisory authority
l. from which source the personal data originate, and if applicable, whether data came from publicly accessible sources
m. the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The examples given in the previous section can also be useful here, where appropriate given the context of the collection.
It should be noted that if data are not collected from the data subject, the information shall also include the categories of data and the source from which they come. When it is not possible to specify the source, because the data have been collected from several sources, general information shall be provided.
As in the previous case, the obligation of information does not apply where the data subject already has such information, and any change to that information shall be communicated to the data subject.
How to provide information
Information shall be provided in clear and plain language, in a concise and easily accessible form, and, where appropriate, with visual elements. It shall be provided in writing, but it may also be given orally, for instance when data are collected by phone: in that case a concise notice is given and the full information is provided by redirecting the data subject to a website or through other means that allow the data subject to know all the elements required by the GDPR. Such information may be provided in electronic form, for example on a website when addressed to the public. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purposes personal data are being collected (such as in the case of on-line advertising).
The GDPR also provides for standardised icons, to be presented together with such information, which give an easily visible, intelligible and clearly legible overview of the processing and, where presented electronically, shall be machine-readable. The Commission shall adopt delegated acts to define these icons and the procedures for providing them.