Welcome to the next blog in our exclusive series on the impact of the GDPR.
This edition will look at how organisations that hold (data controllers) or process (data processors) personal data are obliged to provide more detailed information in their Privacy Notices about the personal data they hold or process.
Privacy Notices that were drafted in line with the Data Protection Act (DPA) will need to be reviewed and revised in accordance with the requirements of the GDPR.
Currently under the requirements of the DPA, when an organisation collects data, certain information has to be given to the people giving their data (the data subjects). This information is limited to providing details of the organisation’s identity and also informing the data subjects of how the organisation intends to use the information they provide. The usual vehicle for this is the Privacy Notice on the organisation’s website.
The requirements of the GDPR expand the information the data controller must provide to data subjects. Organisations will need to tell the data subjects the lawful basis for processing the data collected, the data retention periods and the complaints procedure. Within the complaints procedure the data controller must inform data subjects of their right to complain to the Information Commissioner’s Office if they believe their data is being handled inappropriately. All information within a Privacy Notice must be given in clear, concise and easily understood language.
Below is a very brief, and by no means exhaustive, list of the information that needs to be provided by a data controller in a Privacy Notice. This list expressly omits the extra details required when data subjects are children, or other people considered to be at risk. Articles 12, 13 and 14 of the GDPR cover these requirements in detail.
Data controllers should include the following in their Privacy Notice:
• Identity and contact details and, where appropriate, the contact details of their representative
• Identity and contact details of the data protection officer
• Purpose for collecting the data
• Legal basis for collecting and processing the data
• The legitimate interests of the controller or a third party (where applicable)
• Any recipient or categories of recipients of the personal data
• Specific details of the transfer of data to third countries inside the EU
• Specific details of the transfer of data to countries outside the EU and specification of data safeguards in place
• The retention period for the data with explicit details of the criteria used to determine the retention period
• The existence of all of the data subject’s rights
• The right to withdraw consent at any time, where relevant
• The right to lodge a complaint with the supervisory authority, which in the UK is the Information Commissioner’s Office (ICO)
• Whether providing the data is a statutory or contractual requirement, and the possible consequences of failing to provide the requested information
• Where automated decision making, such as profiling, is used with the data: how the decision is made, the significance of the decision and its probable consequences
All of the information listed above should be provided at the time the data is obtained. Additionally, there are extra responsibilities on data processors who do not obtain the data directly from the data subject. In that case, data processors must also include the following in their Privacy Notice:
• Categories of personal data processed
• The sources of the personal data
• Whether the data originates from a public source
Data processors must provide this additional information within one month of obtaining the data.
Where the data processing involves communication with the data subject, all of the information above (both the data controller and data processor information) must be provided to the data subject when the first communication takes place. When disclosure of the data subject’s personal details to another recipient is to take place, all the information above must be disclosed to the data subject before the data are disclosed.
Do note that all of the above information must be provided to data subjects free of charge. The Privacy Notice, however, may be layered and may be issued just in time. For example, the Privacy Notice could be a menu item on a website but must automatically pop up before allowing people to populate forms with their personal details. The data subject must then actively give their consent by being asked to tick a box on screen. Under no circumstances can implied consent be assumed before the data subject completes and submits their personal details.