If data controllers want to collect and process personal data, they must inform the data subjects about this. These so-called information obligations result directly from the General Data Protection Regulation (GDPR). For example, website visitors, newsletter recipients, customers, applicants or employees must be informed. How the information obligations are to be fulfilled differs according to some important aspects.
What are information obligations?
The right to information is probably the most important data subject right under the GDPR. The regulation distinguishes between the collection of personal data from the data subject (Art. 13 GDPR) and a collection that does not take place directly from the data subject but from third parties or public sources (Art. 14 GDPR). In both cases, however, data subjects must be informed about the circumstances of the data collection.
This disclosure is called an information obligation. For example, employers must draw up an information letter as soon as they process personal data of job applicants or employees. But also for business operations with customers, the information must be provided if personal customer data – this also includes prospect data – is processed.
What is the content of the information requirements?
Since the GDPR is built on the principles of fairness and transparency, among others, it also requires that the information necessary for fair and transparent processing is provided. Thus, Art. 13 (1) and Art. 14 (1) GDPR stipulate that the controller must provide information on the following when processing personal data:
- The name and contact details of the data controller and, if applicable, his representative, as well as the contact details of the data protection officer, if applicable. This shall enable the data subject to contact the controller in order to exercise his/her rights. The mandatory contact details to be published include at least the postal address and the e-mail address.
- The purpose and the legal basis of the processing of the personal data: The information on the purpose must be sufficiently complete and detailed for the data subject to be able to understand exactly what data processing he or she must expect.
- If the legal basis is the legitimate interest pursuant to 6(1)(f) GDPR, the controller must list these interests individually. However, processing on the basis of this legal basis is only justified if it outweighs the conflicting interests and rights of the data subject.
- The recipients or categories of recipients of the personal data: This means any entity to which personal data is disclosed. Recipients can also be internal departments, processors or other third parties.
- Information about the controller’s intention to transfer the data to (or recipients in) a third country or an international organisation: The information about a transfer to third countries refers to the case of a foreseeable transfer of data to a destination country or organisation outside the European Union. The purpose of this is to inform the data subject about the transfer risk so that he or she can object to the transfer in advance. In order to enable the data subject to make this assessment, he or she must be informed whether there is an adequacy decision of the European Commission permitting the data transfer pursuant to Art. 45 GDPR or whether there are other guarantees for compliance with the level of data protection (e.g. Standard Contractual Clauses (SCCs)).
In order to meet the requirements of transparency and fairness, a privacy notice or privacy statement pursuant to Art. 13(2) and Art. 14(2) GDPR must additionally contain:
- Information on the storage period of the personal data and, if this is not possible, information on the criteria for determining this period. The information shall be sufficiently meaningful to enable the data subject at least to calculate when his or her data will be deleted.
- Informing the data subjects about their rights under Art. 15 to Article 22 GDPR to information, correction, deletion, restriction of processing, data portability, objection and complaint to a supervisory authority.
- When collecting data directly from the data subject, which is covered by Art. 13 GDPR, the controller must also indicate whether data subjects owe the provision of their personal data by law or by contract or whether it is necessary for an intended conclusion of a contract. This information must always be supplemented by the possible consequences for the data subject of not providing it.
- In the cases of Art. 14 GDPR, i.e. if the collection of the data does not take place directly from the data subject, it is necessary to inform the data subjects about the source from which the data originate and in this context also whether the data originate from publicly accessible sources.
Form and timing of information to data subjects
In the case of direct collection of data from the data subject
As a general rule, a controller must fulfil its information obligations towards the data subject at the latest at the time of data collection. The form of presentation of the information is also specified by the GDPR. Art. 12 (1) GDPR contains general requirements on appropriate measures to provide the information in a precise, transparent, comprehensible and easily accessible form in clear and simple language. With regard to the implementation of this “requirement of easy accessibility” in everyday life, it can be based on the concrete data processing. Information obligations should therefore be fulfilled without media discontinuity (e.g. from paper to a QR code) or in a graduated form appropriate to the situation (with media discontinuity).
The European Data Protection Committee (EDSA) has recognised a graduated information as permissible. According to this, information on the identity of the controller and the purposes of the processing must always be provided in the first step. If this information is already obvious, this step can be omitted (e.g. in the case of a call to make an appointment with the hairdresser or tax advisor). Depending on the type of contact with the data subject, the existence of the data subject’s rights must also be pointed out, e.g. in advertising letters.
In a second step, all information according to Art. 13 or Art. 14 GDPR must then be provided for the data subject. In practice, this can be done, for example, via a link to the relevant website. It is also possible to keep a corresponding information sheet available, which can be handed out, handed over or sent at any time.
If the collection does not take place directly from the data subject
With regard to the timing of the information, the special feature here is that it is not connected to the data collection in terms of time and subject matter. In this respect, the data controller has considerable leeway. Taking into account the circumstances of the individual case, the controller has up to one month to comply with its information obligations. However, if the personal data is used to communicate with the data subject or if the data is to be disclosed to another recipient, the data subject must be informed at the latest at the time of the first communication or disclosure.
Regulations for both cases in the event of any changes of purpose
As already mentioned, according to Art. 13 (3) and Art. 14 (4) GDPR, the controller must also be guided by the principle of purpose limitation. According to this, every collection of personal data requires a defined and unambiguous purpose. If a controller intends to further process personal data for a different and originally not specified purpose, he or she must inform the data subjects in advance and provide all details about the new purpose and all other relevant information.
Exceptions to the information requirements
Art. 13 (4) and Art. 14 (5) (a) of the GDPR provide for exceptions to the information requirements. Accordingly, the obligation does not apply if and to the extent that the data subject already has the information. Pursuant to Art. 14 (5) (b-d) of the GDPR, a situation of exclusion also exists if the provision of this information proves to be impossible or would require a disproportionate effort. A disproportionate effort to provide information can result from the fact that numerous persons are affected by a data collection whose interests are only affected to a minor extent. Likewise, there is no duty to inform if the collection or disclosure of certain data is expressly regulated by law or is subject to professional secrecy.
Consequences of a breach of the obligations to provide information
If the controller does not provide the data subject with the information foreseen in Art. 13 and 14 GDPR at the required time, this constitutes a breach of duty which may result in a fine. However, it does not have to remain a financial sanction alone. It is not unlikely that a breach of the duty to inform will also have an impact on the lawfulness of the data processing. In the best case – if the data subject was obliged to tolerate or cooperate in the data collection – the omitted notification can be made up for. In these cases, the data collection that has already taken place remains lawful and does not affect the data processed.
However, if the data collection depended on the will of the data subject and if the data subject could not consent to the data collection and data processing due to lack of timely information, a double illegality exists. On the one hand, the data collection has taken place unlawfully, on the other hand, further processing of the data is also unlawful. As a result, the unlawfully collected and processed data must be deleted.
Conclusion: Obligations to provide information must be fulfilled
The preparation of appropriate privacy notices / privacy statements / privacy polices enables data subjects to be fully informed in the context of the collection of their personal data. This is a prerequisite for the lawful collection and processing of personal data by controllers, regardless of whether the data is collected from the data subject himself or from third parties. If a controller does not comply with this obligation, he risks a fine as well as the loss of all processed data.