Inform data subjects about processing
The requirements of the notification practices for controllers changed with the application of the GDPR. The Office of the Data Protection Ombudsman urges industries to create shared notification practices as part of the codification of practices in the industry.
The Article 29 Working Party's transparency guidelines contain more detailed instructions and examples of transparent notification.
How will the GDPR change notification practices from the Personal Data Act?
The notification obligation provided for in the GDPR differs in certain respects from the requirement to draw up and publish a description of file, as provided for in section 10 of the Personal Data Act, and from the obligation to provide information, specified in section 24 of the Act. The most important changes are described below.
Description of file
The GDPR does not provide for maintaining a description of file. The descriptions of file provided for in the Personal Data Act are drawn up individually for each personal data file. In the Personal Data Act, a personal data file refers to all personal data processed for the same purpose, regardless of the information systems in which the data is processed or whether a part of the data is processed manually (e.g. customer register, employee register, direct marketing register).
In practice, controllers have been able to comply with the Personal Data Act's obligation to provide information by drawing up a privacy statement, i.e. a document combining the information required by the obligation to provide information, provided for in section 24 of the Personal Data Act, and the information required by the description of file provided for in section 10 of the Act.
If the controller plans to continue using descriptions categorised by purpose of use, it is vital to evaluate how this practice will comply with the GDPR's requirement of delivering all information on the processing of personal data to the data subject in a concise, transparent, intelligible and easily accessible form. In particular, the controller is required to evaluate whether data subjects will easily and unambiguously receive an overall picture of the processing of their personal data if they are processed for more than one purpose.
Intelligibility of information
The GDPR also obligates controllers to evaluate whether the information is provided in intelligible language and consistent form. The evaluation should be made with regard to the potential target group. The purpose is for an average member of the target group to obtain a comprehensive and clear overall picture of the processing of personal data.
It is not sufficient to simply make the information on the processing of personal data available to the data subject; it must be provided in an intelligible, concise and clear form.
Information content
Unlike the Personal Data Act, the GDPR specifies that the contents of the information to be delivered to the data subject are partly dependent on whether the personal data was collected directly from the data subject or from another source.
Transparency
The principle of transparency is provided for as part of the principle of lawful and fair processing. The personal data must be processed transparently in relation to the data subject, and the controller must be able to demonstrate this (accountability).
Where to start?
Your notification practices should be updated as part of preparing for the GDPR. For the update, you will first need to chart and document the current state of personal data processing in your organisation as part of the demonstration of accountability.
With regard to informing the data subjects, it is essential that the controller has a clear understanding of the provisions of Articles 13 and 14 of the GDPR regarding the processing of personal data: for instance, whose data is being processed, for which purposes and on what basis, is data transferred or disclosed to third parties, and for how long will the data be stored.
In light of the provisions of the GDPR, the manner of delivery and intelligibility of language are as important as delivering the information on the processing of personal data to the data subject.
The information provided to data subjects is subject to the following criteria:
- The information must be concise, transparent, intelligible and accessible.
- The language used must be clear and plain. This is particularly important when providing information to children.
- The information must be provided in writing or, in specific cases, electronically. The information may also be provided verbally if requested by the data subject.
- The information must be provided free of charge.
The transparency criteria concerning communications on the processing of personal data apply to all communication between the controller and data subject throughout the life cycle of data processing.
Pay particular attention to defining the purpose for the processing of personal data. Data subjects must have a clear understanding of the purposes for which their personal data is processed. Please note that your organisation can process personal data for a variety of different purposes, such as recruitment, management of employment contracts, marketing, maintenance of customer relations and partnerships, and the organisation of events.
As part of the risk-based approach, the controller is also required to evaluate the risks involved for the rights and freedoms of the data subjects. Such risks must be described as objectively as possible to the data subjects in connection with notifying them of the processing.
If the organisation has drawn up a description of file pursuant to the current Personal Data Act, it can be used as a basis for planning the notification of data subjects. Please note, however, that a description of file complying with the Personal Data Act will probably not fulfil the requirements arising from the GDPR.
If, as part of the overall evaluation of personal data processing, the organisation has drawn up the record of processing activities referred to in Article 30 of the GDPR, it would be sensible to use it as a basis for planning the notification of data subjects.
It is essential to identify the sources of the personal data collected by your organisation: is it collected directly from the data subject or from another source? If the personal data is collected directly from the data subject, Articles 12 and 13 of the GDPR will apply, while Articles 12 and 14 of the GDPR apply to personal data collected from another source.
The source of the personal data will have an impact on the contents, schedule and limitation principles of informing the data subjects.
Impact on information content
The contents of the information to be delivered to the data subject are partly dependent on whether the personal data was collected directly from the data subject or from another source, and partly on the legal basis for the processing. For example, if the data is processed on the basis of the consent of data subjects, they must be informed of the possibility to withdraw their consent.
Impact on schedule
If the personal data is collected directly from the data subject, the controller must inform the data subject of the processing in connection with collecting the data.
If the personal data is collected from a source other than the data subject, the information on the processing must be delivered to the data subject within a reasonable time from the collection, and within one month at the latest. The information must be provided sooner than the one-month deadline in the following cases:
- If the personal data will be used for communications with the data subject before the deadline, the information on the processing must be delivered in connection with the communication.
- If the controller intends to disclose the personal data to another recipient before the deadline, the information on the processing must be delivered to the data subject in connection with the first disclosure at the latest.
Impact on the limitation basis
When the data is collected directly from the data subject, information concerning the processing does not have to be provided if the data subject has already received the information. The controller must be able to demonstrate that the data subject has actually received the information, and that the information provided has not changed since it was delivered.
There are more extensive grounds for deviating from the notification obligation if the personal data was not collected directly from the data subject.
The GDPR provides for deviating from the notification obligation in the following situations:
- If the collection or disclosure of data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests.
- If the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, such as a statutory obligation of secrecy.
- National legislation complementary to the GDPR may also provide for limitations to the obligation to provide information.
The controller should chart its target group, i.e. the data subjects and potential data subjects: Does the target group include individuals such as children, to whom the information on the processing of personal data should be provided in an especially clear form? What about other groups requiring special protection?
One criterion for evaluating the transparency of information is that an average member of the target group should be able to understand the information provided.
The careful identification of the target group normally has a positive impact on the customer experience. Providing information on the processing of personal data is a statutory obligation but, above all, an important part of customer service and building a customer relationship based on trust.
Providing the information on the processing of personal data to the data subjects requires active measures on the part of the controller.
The GDPR does not provide for a specific form (e.g. a record) in which the information subject to the notification obligation should be provided to the data subject. As a rule, the information must be delivered in writing, but this requirement can vary depending on the device used to collect the data (e.g. telephone or IoT devices) and the target group (e.g. those with impaired vision).
There is usually a large amount of information concerning the processing of personal data. Therefore, the controller must consider the best method for offering the information to data subjects in order to give them as comprehensive and intelligible a picture of the processing as possible. Such information must be clearly differentiated from other information. Please note that the matter must be evaluated from the perspective of the data subject.
In layered information, the total amount of information on the processing of personal data is divided into smaller parts. The purpose is to provide the information to the data subject in easily understandable segments, proceeding from a general description of the processing towards more detailed descriptions of individual processing activities. In other words, not all of the information is included on one form; instead, the content and subsets of information are divided into smaller parts and linked to each other in a layered manner. The most essential information and any surprising terms should be placed in the first layer. Layering can improve the clarity and intelligibility of information and prevent information overload.
The controller must also chart the devices used to collect personal data: will the device limit the manner in which the information can be provided (e.g. personal data collected by telephone or with screenless devices)? Make sure that the information will be available when the data is collected.
Plan how to deliver the information to the data subject if the personal data was not collected directly from the data subject, for example, by e-mail or letter.
The information must be available to the data subject free of charge and be published on the organisation's website.
The information content must be described in clear and plain language. Pay particular attention to describing the purpose and consequences of the processing in intelligible terms. For example, when defining the purpose of the processing, avoid expressions such as "we may", "it is possible" and "frequently". Ensure that the meanings of any translations are equivalent.
Consider the use of documented user testing as a means for achieving the greatest transparency. Please note that if you use the personal data of data subjects for the testing, it must be included in the stated processing methods.
With regard to transparency, accountability means that controllers are required to document the processing of personal data in a manner that is transparent in relation to the data subjects.
Make sure that the organisation has methods for ensuring accountability. For the implementation of accountability, it can be useful to organise and document user tests for charting the clearest method for providing the information to data subjects. This will help with demonstrating that the chosen notification method and language used correspond to the requirements of the GDPR.
In addition to the practical implementation of the transparency principle, controllers should ensure that the following matters are documented at minimum:
- the request, if the information was requested verbally
- the method used to identify the data subject if identification was required (not in connection with fulfilling the obligation to provide information provided for in Articles 13 and 14)
- a record that the information has been offered to the data subject and
- the reason for and details of any deviation from the obligation to provide information.
The transparency principle and its impact on the obligation to provide information must be taken into account throughout the life cycle of the data. Conduct periodic evaluations of the information provided to data subjects to see whether it corresponds to the actual state of personal data processing.
Communicate any changes clearly and well in advance. The more important the change, the earlier it should be communicated. Please remember that the purpose of the processing of personal data can only be changed to one that is incompatible with the original purpose by virtue of a legal provision or with the consent of the data subject.
Transparency is also important when communicating to the data subject changes concerning the obligation to provide information, when data subjects exercise their rights, and when communicating possible personal data breaches.
What information does the notification obligation require?
See the table: Information subject to the notification obligation (pdf)