1. Is this just about making consent fully informed?
No, this is information that data subjects must receive in order to make any type of processing fair. It might be linked to consent (data subjects need to know how their data will be used and shared in order to know what they’re consenting to). But this information needs to be given even if consent is not relied on, and our processing is based on our legitimate interests, necessity for legal compliance or performance of a contract (or any other legal basis).
2. Does this only apply if we collect data directly from data subjects?
No, we also need to give similar information if we obtain the data from a third party. The GDPR specifically foresees that situation. The information is not so different – and the GDPR helpfully explains that:
a) We don’t need to provide information the data subject has already received from somewhere else – so if we can convince the first party to include everything necessary in the information they provide, then we might be fine. Eden Legal is naturally suspicious of depending on third parties to do these things, so it doesn’t recommend (or see much benefit in) relying solely on the third party to give all the required information indefinitely.
b) We don’t need to contact every data subject if this is impossible or would involve a disproportionate effort, or if it would defeat the object of the processing (which might be the case in scientific studies).
c) The collection and protection of the data are mandated by law.
d) The data is confidential under a professional or statutory secrecy obligation (so you can pass data to your lawyer and they don’t need to reveal this to the data subjects, who might be your employees, users, vendors etc.)
Eden Legal recommends not paying too much attention to this part. It might be nice to fall back on if something goes wrong. As an example, if our website says “we need to pass your data to DHL to deliver your package” then that might be clear enough (and as other delivery companies are available perhaps it could save us from having to specify and keep changing the list in our Privacy Notice).
But websites change. A lot. Apps are hard to read. And change a lot too. Third parties may change the information disclosed and not tell you. And even within our own organisation, often the person writing the Privacy Notice is not the same (or even in the same office or country) as the one writing the website. Eden Legal would prefer to be sure that everything required is in our own Privacy Notice, under our control.
3. Are there any options?
In fact there are, and we can boil down the information to be given into two lists:
List 1: compulsory information that needs to be given always, and
List 2: information that may at times need to be given “as necessary” in order to make the processing fair.
We’re getting used to GDPR now so there are plenty of examples of how to do this, and the Working Party of Data Protection Authorities produced some (rather conservative) Guidelines.
Or download Eden Legal’s handier table here
Eden Legal takes the view that more transparency, clarity and specificity rather than less is very likely to help us, and may even reduce the impact of any future discrepancies over legal bases or transfers. Not only regulators but also our business partners are now asking to check privacy notices.
Not just the content but also the way it is given may be important. Is our current privacy notice “concise, transparent, intelligible and easily accessible…”, using clear and plain language? Ease of understanding will be even more under scrutiny for information addressed specifically to a “child” (usually under 16s, but not everywhere and not for all purposes). If you have millennials as your target group, consider whether lots of long text is even the correct medium and whether something like a video could be more suitable. Where our notice is long, the EU Guidelines encourage a “layered” approach (e.g. short paragraph summaries with fuller text behind a link). However, in practice this is not that commonly seen, possibly due to the difficulties of updating multiple pages. The GDPR also envisages icons, certification systems, seals and marks, which may be interesting options where they become available and commonly used.
There are also special situations where information can (or must) be given in other ways than in writing – e.g. when collecting data by telephone (though even then we’d say the call should be followed up by an email or some other way of accessing the information and showing it was given).
Whatever the situation, almost everyone needs a clear, GDPR compliant privacy notice in a publicly accessible place. GDPR doesn’t quite turn us into one of those restaurants where diners can see into the kitchen, but it does set out a few things that they are entitled to know before they sit down.