
Providing information by the personal data controller

GDPR[1] imposes many requirements on the personal data controller. One of the first that the controller must fulfil is to provide information to the persons whose personal data are collected. Unfortunately, that obligation is very often neglected, and people providing their data do not know for what purpose their data are processed or who the controller is. In this post, I would like not only to make controllers aware that such an obligation exists, but also to show when and how to implement it.

What is the obligation to provide information?

According to GDPR, the controller is obliged to fulfil the obligation to provide information in two situations:

  1. where personal data are collected from the data subject (Article 13 of GDPR);
  2. where personal data are not collected from the data subject (Article 14 of GDPR).

In each of the above situations, the obligation to provide information looks a little different.

Collecting personal data from the data subject

Pursuant to Article 13 of GDPR, where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  1. the identity and the contact details of the controller;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. where the processing is based on point (f) of Article 6(1) of GDPR – the legitimate interests pursued by the controller;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission.

In addition to the information indicated above, which must always be provided, the controller, when obtaining personal data, should also provide the data subject with the following further information necessary to ensure fair and transparent processing (in practice, it is safest to assume that all of the following information must be provided):

  1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  2. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  3. where the processing is based on point (a) of Article 6(1) (consent) or point (a) of Article 9(2) of GDPR (processing of special categories of personal data), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  4. the right to lodge a complaint with a supervisory authority;
  5. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  6. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Below I have prepared a brief explanation of some of these points, focusing on the most important ones. Those that raise the fewest doubts and those that apply very rarely I have omitted. I also have not elaborated on the data subject's rights (point 2 of the second list) or on automated decision-making (point 6 of the second list); I plan to publish separate posts on those issues in the future.

Identity and contact details of the controller

It is best to begin fulfilling the information obligation by giving the full name of the controller and the address of its registered office (in the case of a company or other organizational unit), or the name and surname of the controller and the address of residence or of business activity (in the case of a natural person). Providing only an abbreviation of the controller's name is unacceptable: in many judgments, administrative courts have considered this incorrect.

It is debatable what exactly is meant by the controller's contact details. Some believe that a postal address is enough; others that a telephone number is also required. I, as usual, prefer the safe approach and recommend adding an email address as well.

Purposes and legal basis of processing

Each person whose data are processed should be informed of the purpose of the processing. In addition, the controller should inform that person of the legal basis on which the data are processed. An overview of the possible grounds for processing can be found here.

Legitimate interests pursued by the controller

If you collect personal data on the basis of your legitimate interest as a controller, you must specify the particular interest pursued and provide that information to the data subject. You can find more about what can be considered a legitimate interest of the controller in this post.

Recipients of personal data

The person whose data are processed also has the right to know whether, and to whom, you disclose those data. You should inform them of this even if you intend to transfer the data to third parties only in the future. If you are able to name the specific entities to which you disclose or will transfer the data, that is ideal; I see no risk that this element of the controller's duties would be considered incorrectly performed. If this is not possible, at least specify the categories of recipients you expect; the more precisely you specify them, the better.

Information about the right to withdraw consent

I described the right to withdraw consent in detail in this post, and I encourage you to read it. If you process personal data on the basis of consent, you must inform the person who gave the consent about this right.

Freedom or obligation to provide data

An obligation to provide personal data may only result from the law. That rule is established by Article 51(1) of the Polish Constitution, according to which "No one may be obliged, except on the basis of statute, to disclose information concerning his person". If there is no provision imposing an obligation to provide personal data, providing them is voluntary. If the controller makes the performance of a service dependent on the customer providing personal data, providing them is still voluntary, since there is no legal obligation to do so; if the customer refuses to give their data, they simply will not be able to use the service. In such a situation, the controller should inform the customer that providing the data is voluntary but necessary to provide the service.

Collecting data not from the data subject

The second case in which the controller is obliged to provide information is when personal data are not collected from the data subject. What might these situations be? It may be a situation where data are received from another controller (e.g. when purchasing a set of personal data; the Supreme Administrative Court in Warsaw, in the judgment of July 13, 2013, reference number OSK 507/04, issued when the previous personal data protection act was in force, held that the purchase of a database of personal data amounts to collecting data) or where data are compiled from generally available sources (e.g. the Internet). I do not see any other possibilities.

According to Article 14 of GDPR, where personal data have not been obtained from the data subject, the controller shall provide the data subject with all the following information:

  1. the identity and the contact details of the controller;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. the categories of personal data concerned;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the European Commission.

In addition to the information indicated above, which must always be provided, the controller should also provide the data subject with the following further information to the extent necessary to ensure fair and transparent processing (in practice, it is safest to assume that all of the following information must be provided):

  1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  2. where the processing is based on point (f) of Article 6(1) of GDPR, the legitimate interests pursued by the controller or by a third party;
  3. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  4. where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  5. the right to lodge a complaint with a supervisory authority;
  6. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  7. the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

This is very similar to collecting personal data from the data subject; to a large extent, the scope of information is the same. However, there are two additional requirements: the categories of personal data concerned and the source of the personal data must be provided.

Categories of personal data

A controller that collects data from a source other than the data subject should inform that person what categories of data are processed. Since the data subject did not provide the data to the controller, they have no knowledge of what data the controller holds.

Source of personal data

Because the personal data were not collected from the data subject, the controller is obliged to inform them of the source from which the data were obtained. As I indicated above, I see only two possibilities: obtaining data from another controller (e.g. buying a set of personal data) or obtaining data from a publicly available source (e.g. the Internet).

How and when to provide information?

GDPR requires the controller to provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Keep that in mind when you prepare information clauses in your company.

The information should be provided directly to the data subject. In its report from 2000, GIODO (the General Inspector for Personal Data Protection, the predecessor of the current President of the Personal Data Protection Office) indicated that publishing in the local press the names of the personal data filing systems kept by the controller, together with information about the rights of the data subject, cannot be considered correct provision of the information. In my opinion, rightly so: not everyone reads the local press, and even those who do may not notice such an announcement. The personal data controller should ensure that the information reaches the data subject directly, so that they can easily familiarize themselves with it.

However, nothing prevents the information from being provided by an entity other than the controller. What matters is that the person whose data have been collected receives all the information required by Article 13 or 14 of GDPR. Such a situation may occur when data are collected by an entity entrusted with the processing of personal data (a processor).

It is also worth remembering that the obligation to provide information rests only on the entity which, as a result of the transfer of personal data, becomes their controller. Where the processing of personal data is entrusted to a processor (which does not become the controller of the personal data), no information obligation arises for the processor.

Collecting data from the data subject

Where personal data are collected from the data subject, GDPR requires that the information be provided at the time of collection. To avoid doubts as to whether the obligation has been fulfilled at the right time, I advise that the person from whom you obtain the data should already have all the information specified in Article 13 of GDPR at the moment they give the data to you.

If you collect personal data on the basis of consent, it is best to place all the information next to the consent wording. This not only ensures that the information is properly provided, but also gives you a record that it was provided correctly (if the consent is given in writing or recorded in another way, e.g. in electronic form or as an audio recording).

If personal data are processed on a different basis, make sure that the required information is displayed in a place visible to the person providing their data.

Collecting data not from the data subject

If the personal data are not collected from the data subject, the controller has limited possibilities to provide the information required by GDPR, so the question arises when the information obligation should be fulfilled. Article 14(3) of GDPR contains quite precise guidelines in this regard; according to it, the required information should be provided:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Exemption from providing information

It is best to treat the information obligation as the rule and implement procedures in your company that ensure it is fulfilled every time you collect personal data. However, there are situations in which you do not need to do this: GDPR provides for one exception when collecting personal data from the data subject and four exceptions when collecting data from other sources.

Exception in the case of collecting data from the data subject

According to Article 13(4) of GDPR, the information does not have to be provided where and insofar as the data subject already has it. Therefore, if any of the information is already in the possession of that person, it may be omitted. However, remember that in the event of an inspection, the controller should be able to prove that the data subject already had this information.

Exceptions in the case of collecting data from other sources

Article 14(5) of GDPR provides that the information does not have to be provided where and insofar as:

  1. the data subject already has the information;
  2. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (in such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available);
  3. obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  4. the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

The first situation has already been discussed above. The second is so specific that it will almost certainly not apply to your business. Therefore, I have prepared only short comments on points 3 and 4 below.

Ad. 3. Obtaining regulated by law

An example is the processing of personal data by an insurer in order to assess the insurance risk or perform the insurance contract, to the extent necessary given the purpose and type of insurance; the rules for this are set out in Article 41 of the Polish Insurance Activity Act.

Ad. 4. Statutory duty of confidentiality

An example of this exemption is the processing of personal data by attorneys. They very often receive personal data of other persons from their clients (e.g. of the opposing party in a lawsuit) and are legally obliged to keep those data confidential.

Failure to provide information

Failure by the controller to provide the information (or providing it incorrectly) constitutes a violation of GDPR and carries the risk of a fine imposed by the President of the Personal Data Protection Office.

Footnotes

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Tomasz Korolko

Partner
