When data controllers collect and process personal data, they must provide individuals with privacy information. The obligation to provide information derives directly from the EU General Data Protection Regulation (GDPR). Accordingly, controllers must provide information to, for example, website visitors, newsletter recipients, customers, job applicants and employees. How you should fulfil this obligation will vary depending on a number of key factors.
Obligation to provide information
The right to be informed is probably the most important right for a data subject under the GDPR. The GDPR distinguishes between personal data collected directly from individuals (Art. 13 GDPR) and personal data that is obtained from third parties or public sources (Art. 14 GDPR). In both cases, data controllers must inform people about the circumstances in which their data will be collected.
Under this obligation employers must, for example, provide a privacy notice when they process the personal data of job applicants or employees. Equally, companies must provide a privacy notice to both clients/customers and prospective clients/customers if their personal data is processed.
What information do controllers have to provide?
Under the GDPR, privacy information must be provided to ensure that the processing is fair and transparent (Art. 13(2). For example, Arts. 13 (1) and 14 (1) GDPR stipulate that controllers provide the following information when processing personal data:
- The name and contact details of: the controller and, if applicable, a representative and/or data protection officer. Individuals should be able to use these details to contact the controller should they need to exercise their rights. The contact details should include a postal address and email address.
- The purpose of and legal basis for the processing of personal data. The description of the purpose should be comprehensive and specific so that individuals can clearly understand how their data will be processed.
- If as a controller you are relying on the legal basis of ‘legitimate interests’ under Article 6(1)(f) GDPR, you must list these interests separately. Processing on this basis is only justified if it passes the following three-part test: a) identify a legitimate interest; (b) show that the processing is necessary to achieve it; and (c) balance it against the individual’s interests, rights and freedoms.
- The recipients or categories of recipients of the personal data: this includes any entity to which personal data is disclosed. Recipients can therefore include internal departments, processors or other third parties.
- Information about data transfers to a third country or an international organisation outside of the EU. This must be done in advance of any transfer so that data subjects have the opportunity to object. In order to give data subjects an opportunity to assess the proposed transfer, they must be informed about whether the European Commission has issued an adequacy decision authorising the data transfer in accordance with Art. 45 GDPR or whether there are other guarantees of compliance with the required level of data protection in place (e.g. Privacy Shield or standard contractual clauses).
Privacy notices must also include the following additional information to meet transparency and fairness requirements pursuant to Art. 13 (2) and Art. 14 (2) GDPR:
- The retention period for the personal data. If this is not possible, information on the criteria for determining this period should be provided. The information must be sufficiently detailed to enable individuals to estimate when their data will be deleted.
- The rights of data subjects under Art. 15-21 GDPR to: access, rectify, delete, restrict the processing of, data portability, object and complain to a supervisory authority.
- Where data is collected directly from data subjects pursuant to Art. 13 GDPR, data controllers must indicate whether individuals are legally or contractually obliged to provide their personal data or whether the data is necessary for the conclusion of a contract. This information must always be supplemented by the possible consequences for the individual of not providing their data.
- Where data is not directly collected from individuals (Art. 14 GDPR), they must be informed of the source of the data and whether the data originates from publicly accessible sources.
How and when you need to provide information to data subjects
When data is collected directly from the data subject
As a general rule, a data controller must provide individuals with privacy information at the time of data collection at the latest. Art. 12 (1) GDPR specifies the form the information must take and requires that is provided in a concise, transparent, intelligible and easily accessible form in clear and plain language. ‘Easily accessible’ means information must be provided to data subjects in writing or by other means including by electronic means or orally upon request and it should be free of charge.
The European Data Protection Board (EDPB) allows for a two-tiered approach to providing information. Accordingly, the first step should always be to provide information about who the controller is and what the purpose of the processing is. This step can be omitted if the information is self-evident (e.g. when calling for an appointment with a hairdresser or tax consultant). You should also emphasise the relevant data subject rights. This will vary depending on how you contact individuals.
The second step is to provide the information required under Art. 13 or Art. 14 GDPR. A simple way to do this is to provide a link to a relevant website. Alternately, you can provide a relevant privacy notice.
If you use video surveillance in your premises, you can create a CCTV information notice with our free generator.
If data is not directly collected from the data subject
You must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. However, if you use the data to communicate with data subjects or if you disclose the data to another recipient, you must inform them at the latest at the time of the first communication or disclosure.
Provisions for both scenarios if the purpose of processing changes
As mentioned above, under Arts. 13(3) and Art. 14(4) GDPR, controllers must comply with the principle of purpose limitation. According to this principle, each time personal data is collected there must be a defined and clear purpose for the collection. If a data controller intends to process personal data for a purpose other than initially defined, individuals must be informed beforehand and provided with complete details of the new purpose and any other relevant information.
Exceptions: when you do not need to provide privacy information
Exceptions defined in Art. 13 (4) and Art. 14 (5)(a) of the GDPR state that controllers do not need to provide privacy information if the individual already has it. You also do not need to provide privacy information if it is not possible or would require a disproportionate effort (Art. 14 (5)(b), (c) and (d) GDPR. An example of a disproportionate effort is where data is collected from a large number of people but their interests are only marginally affected. Furthermore, you do not need to provide privacy information if the collection or disclosure of the data is prescribed by law or is subject to professional secrecy.
Consequences of a failure to provide privacy information
If a controller fails to provide individuals with the information required under Arts. 13 and 14 GDPR when applicable, this is a breach of his/her duties that could result in a fine. In addition, breaching the requirement to provide information could affect the lawfulness of the data processing. Where an individual has given consent to the collection of their data, it is possible provide notification afterwards and the data that has already been collected will remain lawful.
If, however, data was collected subject to consent and the individual did not give consent prior to its collection and processing because they did not receive the privacy information in time, this would be unlawful for two reasons and both the collection of data and its further processing would be unlawful. Consequently, the unlawfully collected and processed data would have to be deleted.
Conclusion: it is essential to provide privacy information
By providing a compliant privacy notice, you will help individuals to understand how their data is processed. This is essential for the lawful collection and processing of personal data by controllers, regardless of whether data is collected directly from data subjects or from third parties. Failure to comply with these obligations could result not only in a fine, but also in the loss of all of the data that has been processed.