Information to be provided when data are collected from the data subject:
When obtaining personal data from data subjects, the controller is required to inform them how he/she processes that data. This information should include the elements that the GDPR lists as mandatory in Article 13.
The controller does not have to provide the above information to the extent that the person already has it.
Who is required to comply with the information obligation under Article 13 of the GDPR and when:
Pursuant to Article 13 of the GDPR, when collecting personal data from data subjects, the controller is required to inform them how he/she processes their personal data. This information should contain the elements set out in Article 13 of the GDPR.
Practical guidance on complying with the information imparting obligation can be found in Article 29 Working Party Guidelines on Transparency under Regulation 2016/679 (the "Guidelines").
When is personal data collected from data subjects? Not only when the data subject consciously provides personal data to the controller, e.g. when completing an online form, but also when the controller obtains data from the data subject by observation - in accordance with the Guidelines, for example by using automatic data capturing devices or data capturing software such as cameras, network equipment, Wi-Fi tracking, RFID, or other types of sensors.
Whether we are dealing with the collection of personal data from the data subject or from another person has specific implications. This is because Article 13 of the GDPR will apply in the first scenario and Article 14 of the GDPR - in the second.
Consequently, this affects the content of the information clause itself and the applicability of the exemption from the requirement to impart the information clause. Indeed, if personal data are not collected directly from the data subject, the GDPR provides for the possibility of not imparting the information to the data subject under certain circumstances.
Elements from Article 13 of the GDPR – comments:
Pursuant to Article 13 of the GDPR, the controller should impart the information clause that includes the following elements:
The identity and contact details of the controller and, where applicable, the identity and contact details of the controller's representative - in accordance with the Guidelines, it is best to indicate the various forms of communication with the controller (for example, not to be limited to only the registered office address but to indicate also an email address). The information regarding the controller's representative applies only to controllers not established in the European Union, who are required to appoint a representative pursuant to Article 27 of the GDPR.
Where applicable, the contact details of the Data Protection Officer (DPO) - a controller who has appointed a DPO within the meaning of the GDPR should provide the DPO's contact details. This requirement applies only to controllers who have appointed a DPO within the meaning of the GDPR. It does not apply to controllers who, for example, are not obliged to designate a DPO and have entrusted data protection duties to a personal data clerk. If the controller wishes to impart the contact details of that clerk, he/she should remember that data subjects must not be given the impression that the clerk acts as DPO within the meaning of the GDPR if in fact his/her role within the organisation is different.
There is no requirement to provide the name of the DPO as part of the information clause under Article 13 of the GDPR, but it should be kept in mind that, under the Personal Data Protection Act, the entity that has appointed the DPO is required to make the DPO's data (name and email address or telephone number) available immediately after his/her appointment, on its website - we write about this in the commentary to Article 37 of the GDPR.
Purposes of personal data processing and the legal basis for processing - controllers often describe in one section of the information clause the purposes of processing and in another section the grounds for processing. As a result, it is difficult for data subjects to know which of the grounds will apply to which purpose. It is therefore recommended to make this clear and to allocate a specific ground to a specific purpose.
Where the processing is based on Article 6(1)(f) of the GDPR - legitimate interests pursued by the controller or by a third party - information on those legitimate interests. In other words, if the controller processes personal data on the basis of a legitimate interest, the controller should indicate which interest is at stake. According to the Guidelines, as a matter of best practice, the controller may also provide the data subject with the information obtained as a result of the balancing test that must be carried out in order to rely on Article 6(1)(f) as a legal basis for the processing, before any personal data of the data subject is collected. (...) it should be clear from the information provided to the data subject that the information on the balancing test can be obtained upon request.
Information on recipients of personal data or categories of recipients, if any - in accordance with the Guidelines, if the controller intends to present categories of recipients, the information should be as detailed as possible, i.e. the type of recipient should be indicated (e.g. by reference to the activity it carries out), the industry, sector, sub-sector and location of the recipient.
Where applicable, information about the intention to transfer personal data to a third country or an international organisation and whether or not the Commission has adopted an adequacy decision or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the GDPR, a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available - the information about the processing should allow data subjects to understand whether their data will be transferred outside the European Economic Area and, if so, where, and what mechanisms the controller has put in place to make such a transfer compliant with the GDPR.
The period for which personal data will be kept and, where this is not possible, the criteria for determining this period - avoid general statements (e.g. that data will be kept for as long as necessary for the legitimate purposes of the processing) and try to indicate specific time limits or information allowing an estimation.
Information on the right to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning the data subject, the right to object to processing, and the right to data portability - in addition, the right to object to processing should be presented clearly and separately from any other information.
Where the processing is based on Article 6(1)(a) or Article 9(2)(a), information on the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal - the controller should also indicate how consent can be withdrawn.
Information on the right to lodge a complaint with a supervisory authority - in accordance with the Guidelines, this information should explain that, pursuant to Article 77, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place where the alleged breach of the GDPR has been committed.
Information whether the provision of personal data is a statutory or contractual requirement or a condition for entering into a contract, whether the data subject is obliged to provide such data, and what the possible consequences of not doing so are - e.g. the form in which the data are provided should specify which fields must be completed and which may be left blank, as well as the consequences of failure to complete the required fields (e.g. impossibility to enter into a contract, impossibility to contact the person in a certain way, etc.).
Information on automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, and - at least in those cases - meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject - this requirement refers to the need to provide information on automated decision-making (i.e. decisions taken without actual human involvement) carried out on the basis of personal data processed by the controller that produces legal effects concerning the data subject or similarly significantly affects him/her. Implementing this obligation to explain the logic of the decision-making may pose difficulties in practice, as it may require explaining in simple language the principles of complex algorithms.
Often controllers take a rather creative approach to formulating the content of the information clause, including "non-standard" information (e.g. describing data security measures), but at the same time forget to include in the information clause the elements required under Article 13 of the GDPR, which may expose the controller to accusations of improper performance of the information obligation. When drafting the information clause, the first focus should be on presenting the information that is explicitly required by Article 13 of the GDPR.
How to comply with the information obligation? Practical tips on transparency:
Central to the implementation of the information obligation is the principle of transparency - according to Recital 39 of the GDPR, the principle of transparency requires that all information and all communications relating to the processing of such personal data are easily accessible and understandable and in clear and plain language.
Practical guidance on transparency can be found in the Guidelines, which reads:
(...) data controllers should present information/communication efficiently and succinctly to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use.
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. Intelligibility is intricately linked to the requirement to use clear and plain language. An accountable data controller will have knowledge about the people whose information he/she collects and can use this knowledge to determine what that audience would likely understand.
(...) the data subject should always be able to determine in advance what the scope and consequences of the processing entails and they should not be taken by surprise at a later point about the ways in which their personal data have been used.
(...) the data subject should not have to search for information.
Language qualifiers such as 'may', 'some', 'often' and 'possible' should also be avoided.
The GDPR does not specify the format and way the information obligation is to be fulfilled. According to Article 12 of the GDPR, the information shall be provided in writing or by other means, including, where appropriate, electronically. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is confirmed by other means. According to the Guidelines, the most important thing is that the chosen methods of providing information should be adapted to the specific situation, i.e. to the way in which the controller communicates with the data subject or how information relating to the data subject is collected. Thus, for example, the Guidelines recommend that a controller operating on the internet should comply with the information obligation by using what is known as a layered online privacy statement, as we discuss below.
Controllers should keep in mind the principle of accountability. While there is no legal requirement for the data subject to sign an acknowledgement that he or she has read the information clause, or to tick a checkbox confirming that they have read it, the controller must be able to demonstrate that he or she has complied with the information obligation of a certain content by a certain date.
Must all the information listed in Article 13 of the GDPR appear at the point of personal data collection?
To avoid information overload, the Guidelines recommend the use of a so-called layered approach when providing information on the processing of personal data, whereby visitors to the website can read the parts that are of most interest to them.
The so-called first layer should include information on:
The identity of the controller
Processing purposes
Rights of the data subject
The place where one can find full information about the processing of one’s personal data (including all the elements of Article 13 of the GDPR)
Alongside this information, there should also be information available on the processing that has the greatest impact on the individual or that may come as a surprise to the individual.
Independently of the first layer, a document should also be available on the website to which the first layer links and which contains all the information from Article 13 of the GDPR (consistent with the information from the first layer).
In what language to fulfil the information obligation:
The information obligation should be implemented in the language used by the data subjects to whom the controller is addressing the information.
How to determine to which data subjects the information is addressed? The Guidelines list as an indication, for example, that the controller allows payment in the currency of a particular country, offers country-specific options, or operates a website in a particular language.
The President of the Office for Personal Data Protection also expressed his opinion in this respect: In the case where the controller processes the data of many persons speaking different languages, a possible solution is to create - in addition to the information clause in Polish - an information clause in a universal language such as, for example, English. Where the controller will be processing the data of citizens of one country, e.g. Ukraine, it should ensure that the information referred to in Article 13 or 14 of the GDPR is provided to those persons in a language they understand.
When is it not necessary to provide information under Article 13 of the GDPR:
The only situation foreseen by the GDPR where the controller does not have to present the information from Article 13 of the GDPR to the person from whom he or she obtains data directly is where the person already has the information.
The Guidelines note that the controller must, however, be able to demonstrate (and have documentation of) what information the data subject already has, when and how it was received, and that there have been no changes to that information since then that would render it obsolete.
Exemptions from the implementation of the information obligation when personal data is collected otherwise than from the data subject are indicated in Article 14 of the GDPR (see commentary to Article 14 of the GDPR).
Commentary to Article 13