Inform data subjects about processing
All controllers are required to review their notification practices and update them to correspond to the requirements of the GDPR by 25 May 2018.
The Office of the Data Protection Ombudsman urges industries to create shared notification practices as part of the codification of practices in the industry.
These guidelines are based on the Article 29 Working Party’s transparency guidelines. They contain more detailed instructions and examples of transparent notification.
How will the GDPR change notification practices from the Personal Data Act?
The notification obligation provided for in the GDPR differs in certain respects from the requirement to draw up and publish a description of file, as provided for in section 10 of the Personal Data Act, and from the obligation to provide information, specified in section 24 of the Act. The most important changes are described below.
Description of file
The GDPR does not provide for maintaining a description of file. The descriptions of file provided for in the Personal Data Act are drawn up individually for each personal data file. In the Personal Data Act, a personal data file refers to all personal data processed for the same purpose, regardless of the information systems in which the data is processed or whether a part of the data is processed manually (e.g. customer register, employee register, direct marketing register).
In practice, controllers have been able to comply with the Personal Data Act's obligation to provide information by drawing up a privacy statement, i.e. a document combining the information required by the obligation to provide information, provided for in section 24 of the Personal Data Act, and the information required by the description of file provided for in section 10 of the Act.
If the controller plans to continue using descriptions categorised by purpose of use, it is vital to evaluate how this practice will comply with the GDPR's requirement of delivering all information on the processing of personal data to the data subject in a concise, transparent, intelligible and easily accessible form. In particular, the controller is required to evaluate whether data subjects will easily and unambiguously receive an overall picture of the processing of their personal data if they are processed for more than one purpose.
Intelligibility of information
The GDPR also obligates controllers to evaluate whether the information is provided in intelligible language and consistent form. The evaluation should be made with regard to the potential target group. The purpose is for an average member of the target group to obtain a comprehensive and clear overall picture of the processing of personal data.
It is not sufficient to simply make the information on the processing of personal data available to the data subject; it must be provided in an intelligible, concise and clear form.
Unlike the Personal Data Act, the GDPR specifies that the contents of the information to be delivered to the data subject are partly dependent on whether the personal data was collected directly from the data subject or from another source.
The principle of transparency is provided for as part of the principle of lawful and fair processing. The personal data must be processed transparently in relation to the data subject, and the controller must be able to demonstrate this (accountability).