Inform data subjects about processing
The requirements for controllers' notification practices are laid down in the GDPR. The Office of the Data Protection Ombudsman urges industries to create shared notification practices as part of the codification of practices in each industry.
Intelligibility and transparency of information
The controller must provide the data subject with all information concerning the processing of personal data in a concise, transparent, intelligible and clear form.
The GDPR obligates controllers to evaluate whether the information is provided in intelligible language and consistent form. The evaluation should be made with regard to the potential target group. The purpose is for an average member of the target group to obtain a comprehensive and clear overall picture of the processing of personal data.
It is not sufficient to simply make the information on the processing of personal data available to the data subject; it must be provided in an intelligible, concise and clear form.
The principle of transparency is provided for as part of the principle of lawful and fair processing of the GDPR. The personal data must be processed transparently in relation to the data subject, and the controller must be able to demonstrate this (accountability).
Read more about accountability of the controller
The WP29 guide provides more detailed guidance and examples of transparent information.
Read more about the WP29 guide (pdf)
What information does the notification obligation require?
The data subject must be told
- who the controller is
- for what purpose the data subject's personal data is needed
- how long personal data is needed
- whether personal data is forwarded or transferred outside EEA countries
- how the data subject can exercise their rights relating to personal data
- risks to the rights and freedoms of the data subject
Check out the table: Information required for the information obligation (pdf) (in Finnish)
Where to start?
To prepare the information, you will first need to chart and document the current state of personal data processing in your organisation, as part of demonstrating accountability.
With regard to informing the data subjects, it is essential that the controller has a clear understanding of the provisions of Articles 13 and 14 of the GDPR regarding the processing of personal data: for instance, whose data is being processed, for which purposes and on what basis, whether data is transferred or disclosed to third parties, and how long the data will be stored.
Charting the overall status of personal data processing is a part of demonstrating accountability.
The information provided to data subjects is subject to the following criteria:
- The information must be concise, transparent, intelligible and accessible.
- The language used must be clear and plain. This is particularly important when providing information to children.
- The information must be provided in writing or, in specific cases, electronically. The information may also be provided verbally if requested by the data subject.
- The information must be provided free of charge.
The transparency criteria concerning communications on the processing of personal data apply to all communication between the controller and data subject throughout the life cycle of data processing.
Pay particular attention to defining the purpose for the processing of personal data. Data subjects must have a clear understanding of the purposes for which their personal data is processed. Your organisation can process personal data for a variety of different purposes, such as recruitment, management of employment contracts, marketing, maintenance of customer relations and partnerships, and the organisation of events.
The controller is also required to evaluate the risks involved for the rights and freedoms of the data subjects. Such risks must be described as objectively as possible to the data subjects in connection with notifying them of the processing.
If, as part of the overall evaluation of personal data processing, the organisation has drawn up the record of processing activities referred to in Article 30 of the GDPR, it would be sensible to use it as a basis for planning the notification of data subjects.
If the organisation has drawn up a description of file under the old Personal Data Act, this can be used as a basis for planning. Please note, however, that a description of file as provided for in the Personal Data Act will probably not meet the requirements of the GDPR.
It is essential to identify the sources of the personal data collected by your organisation: is it collected directly from the data subject or from another source? If the personal data is collected directly from the data subject, Articles 12 and 13 of the GDPR will apply, while Articles 12 and 14 of the GDPR apply to personal data collected from another source.
The source of the personal data will have an impact on the contents, schedule and limitation principles of informing the data subjects.
Information content
The contents of the information to be delivered to the data subject are partly dependent on whether the personal data was collected directly from the data subject or from another source, and on the legal basis for the processing. For example, if the data is processed on the basis of the consent of data subjects, they must be informed of the possibility to withdraw their consent.
Schedule
If the personal data is collected directly from the data subject, the controller must inform the data subject of the processing in connection with collecting the data.
If the personal data is collected from a source other than the data subject, the information on the processing must be delivered to the data subject within a reasonable time of collecting the data, and within one month at the latest. The information must be provided sooner than the one-month deadline in the following cases:
- If the personal data will be used for communications with the data subject before the deadline, the information on the processing must be delivered in connection with the communication.
- If the controller intends to disclose the personal data to another recipient before the deadline, the information on the processing must be delivered to the data subject in connection with the first disclosure at the latest.
Limitation basis
When the data is collected directly from the data subject, information concerning the processing does not have to be provided if the data subject has already received the information. The controller must be able to demonstrate that the data subject has actually received the information, and that the information provided has not changed since it was delivered.
There are more extensive grounds for deviating from the notification obligation if the personal data was not collected directly from the data subject.
The GDPR provides for deviating from the notification obligation in the following situations:
- If the collection or disclosure of data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests.
- If the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, such as a statutory obligation of secrecy.
- National legislation complementary to the GDPR may also provide for limitations to the obligation to provide information.
The controller should chart its target group, i.e. the data subjects and potential data subjects: does the target group include individuals such as children, to whom the information on the processing of personal data should be provided in an especially clear form? What about other groups requiring special protection?
One criterion for evaluating the transparency of information is that an average member of the target group should be able to understand the information provided.
The careful identification of the target group normally has a positive impact on the customer experience. Providing information on the processing of personal data is a statutory obligation but, above all, an important part of customer service and building a customer relationship based on trust.
The GDPR does not provide for a specific form (e.g. a record) in which the information subject to the notification obligation should be provided to the data subject.
Information intended for the public can be given in electronic form, such as on the organisation's website. The information should be published under a generally used title, such as ”privacy”, ”privacy policy” or ”data protection notice”. Information concerning the processing of personal data must be separated clearly from other information. The information must be available to data subjects free of charge.
As a rule, the information needs to be provided in writing. However, the method of collecting the personal data can restrict the way in which this information can be provided (e.g. if personal data is collected over the telephone or through devices without screens). The target group can also affect the manner in which the information is given (e.g. the visually impaired).
Make sure that the information is available when you begin collecting personal data. Also, if the data is not obtained directly from the data subject, make a plan for delivering the information to the data subject, for example by email or letter.
Example: layered information
In layered information, the total amount of information on the processing of personal data is divided into smaller parts. The purpose is to provide the information to the data subject in easily understandable segments, proceeding from a general description of the processing towards more detailed descriptions of individual processing activities. The content and its subsets are divided into smaller parts and linked to each other in a layered manner. The most essential information and any surprising terms should be placed in the first layer. Layering can improve the clarity and intelligibility of information and prevent information overload.
The information content must be described in clear and plain language. Pay particular attention to describing the purpose and consequences of the processing in intelligible terms. Ensure that the meanings of possible translations are equivalent.
As part of the risk-based approach, the controller is also required to evaluate the risks involved for the rights and freedoms of the data subjects. Such risks must be described as objectively as possible to the data subjects in connection with notifying them of the processing.
With regard to transparency, accountability means that controllers are required to document the processing of personal data in a manner that is transparent in relation to the data subjects. Make sure that the organisation has methods for ensuring accountability.
In addition to the practical implementation of the transparency principle, controllers should ensure that the following matters are documented at minimum:
- the request, if the information was requested verbally
- the method used to identify the data subject, if identification was required (identification is not required when fulfilling the obligation to provide information under Articles 13 and 14)
- a record that the information has been offered to the data subject and
- the reason for and details of any deviation from the obligation to provide information.
Consider the use of documented user testing as a means for achieving the greatest transparency. Please note that if you use the personal data of data subjects for the testing, it must be included in the stated processing methods.
The transparency principle and its impact on the obligation to provide information must be taken into account throughout the life cycle of the data. Conduct periodic evaluations of the information provided to data subjects to see whether it corresponds to the actual state of personal data processing.
Communicate any changes clearly and well in advance. Please remember that the purpose of the processing of personal data can only be changed to one that is incompatible with the original purpose by virtue of a legal provision or with the consent of the data subject.
Transparency is also important when communicating to the data subject any changes affecting the obligation to provide information, when the data subject exercises their rights, and when communicating about possible personal data breaches.
What information does the notification obligation require?
See the table: Information subject to the notification obligation (pdf)