Introduction

In this fifth update we discuss the (new) obligations on the provision of information to data subjects under the General Data Protection Regulation (the GDPR). In the subsequent two updates we will address the other data subjects' rights (such as the right to access, rectification and erasure).

One of the core principles of the GDPR is that controllers must be transparent towards data subjects about the fact that personal data concerning them is collected, used, consulted or otherwise processed, and about the extent to which such personal data is or will be processed. This principle of transparency requires that any information and communication relating to the processing of personal data is easily accessible and uses clear and plain language.

In this respect the GDPR substantially extends the number of categories of information to be provided to data subjects.

Transparency

Under the GDPR, organisations that process personal data must provide the information listed below in a concise, transparent, intelligible and easily accessible form, using clear and plain language (in particular where the data subjects include children). Where appropriate, visualisations may be used (e.g. standardised icons).

In principle the information must be provided in writing (e.g. via a privacy policy) and where appropriate by electronic means (for example through a website).

Information to be provided when personal data are collected from the data subject

If personal data is collected directly from the data subject, the controller must provide the following information to the data subject:

  1. its identity and contact details (and, if applicable, those of its representative);
  2. contact details of the data protection officer, if applicable;
  3. purposes of and legal basis for the processing of personal data, including the legitimate interests pursued by the controller if the processing is based on the legal basis "necessary for the purposes of the legitimate interests pursued by the controller";
  4. recipients or categories of recipients;
  5. details of data transfer outside the EU, including how the data will be protected (e.g. the use of EU Model Clauses or Binding Corporate Rules) and how the data subjects can obtain a copy of the implemented safeguards;
  6. retention period for the personal data, or if that is not possible the criteria used to determine the retention period (e.g. 1 year after the end of the contractual relationship);
  7. that the data subject has a right to access and rectify its personal data, to object to or request erasure or restriction of the processing, and to data portability;
  8. where the processing is based on consent, that the data subject has a right to withdraw its consent for the processing at any time;
  9. that the data subject can lodge a complaint with a supervisory authority;
  10. whether there is a statutory or contractual requirement to provide the data or if the provision of data is necessary to enter into a contract, whether the data subject is obliged to provide data, and the consequences if the data is not provided; and
  11. whether there will be any automated decision-making, together with information about the logic involved and the significance and consequences for the data subject.

The information should be given to the data subject at the time of collection from the data subject.

Information to be provided when personal data are not collected directly from the data subject

In addition to the above information, the controller must also provide the following information, if the personal data are not collected directly from the data subject:

  1. the categories of personal data concerned; and
  2. from which source the personal data originates, and if applicable whether it came from publicly accessible sources.

The information must be given to the data subject:

  1. within a reasonable period after obtaining the personal data (at most one month);
  2. if the data is to be used to communicate with the data subject, at the latest when the first communication takes place; or
  3. if disclosure to another recipient is envisaged, at the latest, before the personal data is disclosed.

Further processing

If the controller envisages further processing of personal data for a purpose other than the purpose for which the personal data was initially collected, the controller must provide the data subject with information on such purpose(s), together with any other relevant information, prior to the further processing.

Exceptions

If personal data is collected directly from the data subject, the information obligations do not apply if the data subject already has the information (information only has to be provided once).

If personal data is not collected directly from the data subject, the information obligations do not apply if:

  1. the data subject already has the information;
  2. the provision of information is impossible or requires a disproportionate effort, provided that the controller takes appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including by making the information publicly available;
  3. there is an EU or Member State law obligation to obtain or disclose the personal data, and that law provides appropriate measures to protect the data subject's legitimate interests; or
  4. the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal or physician-patient privilege).

Practical recommendations

The GDPR will substantially affect the existing information obligations of data controllers. We therefore recommend that organisations analyse their processing activities and update their existing (privacy) policies, notices, (employee) handbooks, etcetera to meet the information obligations under the GDPR. Further, organisations that process personal data that are not collected directly from the data subjects should ensure that the information is provided at the appropriate time.

Please click here to subscribe to our monthly updates on the GDPR.

Overview of subjects

January 2017: Territorial scope of the GDPR
February 2017: The Concept of Consent
March 2017: Sensitive Data
April 2017: Accountability, Privacy by Design and Privacy by Default
May 2017: Rights of Data Subjects (information notices)
June 2017: Rights of Data Subjects (access, rectification and portability)
July 2017: Rights of Data Subjects (objection, erasure and restriction of processing)
August 2017: Data Processors
September 2017: Data Breaches and Notifications
October 2017: Privacy Impact Assessment and Data Protection Officers
November 2017: Transfer of Personal Data (outside the EEA)
December 2017: Regulators (competence, tasks and powers)
January 2018: One Stop Shop
February 2018: Sanctions
March 2018: Processing of Personal Data in Employment
April 2018: Profiling and Retail
May 2018: Overview

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.