Indeed, the data processor is subject to an obligation to provide information, as introduced by Articles 13 and 14 of the GDPR. This obligation applies regardless of the organization’s size or sector of activity. The list of information to be shared is exhaustive, and the scope of the obligation depends on whether the data is collected directly or indirectly. This means that the content of the information differs depending on whether the data has been collected directly from the user or via a third party.
The GDPR has introduced a number of principles that any organization processing personal data must abide by. Many obligations arise from these principles. Compliance with such obligations usually requires the definition of an action plan and a set of processes. Among those principles is the obligation to guarantee the transparency of processing. To ensure effective transparency, information must be communicated in a way that is accessible and easy to understand.
This principle of transparency also enables data subjects to decide whether they wish to exercise any of the rights conferred on them by the regulations. For example, a data subject can decide to object to processing.
The information to be included is almost identical for both direct and indirect data collection.
In the case of data collected from the data subject, the information concerns:
the identity and contact details of the data controller or its representative
contact details of the Data Protection Officer, where applicable
the purposes of the processing
the legal basis for processing
the recipients or categories of recipients of personal data
the fact that the data controller intends to transfer the data to a country outside the EU, and the reasons for this transfer, as well as the means of obtaining a copy of the data
the legitimate interests pursued by the data controller or by the third party where the legal basis for processing is legitimate interest
the data retention period or the criteria for determining it
the rights to which individuals are entitled
whether data collection is mandatory or optional, and the possible consequences of not providing data
the existence of any automated decision-making, including profiling, and the underlying logic.
If the data has not been collected from the data subject, additional information is required:
the categories of personal data concerned
the source of the data
There is nothing in the regulations that specifies how the information must be communicated. However, it is mandatory to comply with a certain number of requirements linked to the way information is presented. Thus, under Article 12 of the GDPR, information must be transmitted “in a concise, transparent, comprehensible and easily accessible manner, in clear and simple terms”. These obligations imply adapting the form of presentation to the recipient of the information, “in particular for any information specifically intended for a child”.
For example, it is important to consider the difficulties one might encounter when reading the information displayed on an electronic medium. The user should not have to make an effort to assimilate all the information, and the data processor should ensure that the content is effectively understood.
In principle, any organization that processes and collects personal data is required to provide users with a document explaining how their data is processed.
In certain limited cases, the data processor is not obliged to display this information. For example, when data has been retrieved from a third party and the data subject already has this information, or when providing the information proves impossible or would require disproportionate effort, the organization is not obliged to provide the data subject with any information. In such cases, appropriate measures to protect the rights of individuals must be put in place. Other exceptions concern cases where obtaining or communicating the information is expressly provided for by EU regulations or by the law of an EU Member State to which the data processor is subject.
Failure to comply with this obligation can result in fines of up to 20 million euros, or up to 4% of worldwide annual revenues in the case of a company.