Fair Processing & Privacy Notices. The Why, When, How & What of Enforcement

Why do you need Fair Processing or Privacy Notices?
Fair Processing Notices or Privacy Notices are key to fulfilling the transparency requirements under the GDPR. Individuals have the right to be informed about the collection and use of their personal data and the GDPR places more emphasis on information that should be provided to individuals about what you do with their personal data.
- Article 5 requires that data processing is fair, lawful and transparent.
- Article 12 requires that information provided to individuals must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Articles 13 and 14 specify what individuals have the right to be informed about.
Transparency is also about engendering trust. If you’re not honest with people about what you do with their data, or you hide important information behind overly complex and legalistic language, people will be less willing to put their trust in you and provide you with their personal data. In addition to any
Put in simple terms, use plain language, tell people who you are and how to contact you, tell them why you are processing their data, how long it will be stored and who it will be shared with.
When do you need Fair Processing or Privacy Notices?
- The individual already has the information: if you know, or it is obvious, that an individual already has some of the necessary information, you do not need to provide it to them. However, you must still provide them with anything that they do not already have. You may not know what information an individual already has; if you are unsure, it is best to provide individuals with all the relevant privacy information.
- When you obtain personal data from a source other than the individual it relates to, you do not need to provide them with privacy information if:
  - The individual already has the information
  - Providing the information to the individual would be impossible
  - Providing the information to the individual would involve a disproportionate effort
  - Providing the information to the individual would seriously impair meeting the objectives of the processing
  - You are required by law to obtain the personal data
  - You are subject to an obligation of professional secrecy regulated by law that covers the personal data
How should you deliver them?
Depending on the business channel there are various ways of delivering the information. The European Data Protection Board (formerly WP29) suggests several methods of providing transparency information:
- The use of layered privacy notices online: allowing data subjects to navigate to whichever part of the privacy statement they wish to access without being required to scroll through large amounts of text. The design and layout of the first layer “should be such that the data subject has a clear overview of the information available to them”, so that they need only expand sections for greater detail.
- A “just-in-time” notice will provide specific privacy information when it is most relevant to the data subject — for example, during an online purchase a pop-up next to a field requesting the purchaser’s telephone number might explain that the information is only being collected concerning contact related to the purchase and will only be disclosed to the relevant delivery service.
- Alternatives may include hard copy notices with written explanations or notices included in leaflets, infographics or flowcharts for contracts concluded via post;
- Oral explanations provided via telephone either by a real person or automated system that includes options to access more detailed information;
It is good practice to use the same medium you use to collect personal data to deliver privacy notices. Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy notices.
What should you tell people?

| Article 13 Requirement | What should you tell people | When Required |
|---|---|---|
| the identity and the contact details of the controller and, where applicable, of the controller's representative; | Who you are and how to contact you. A representative is an organisation that represents you if you are based outside the EU. | Always |
| the contact details of the data protection officer; | How to contact your DPO (some organisations are required to appoint a DPO). | If applicable |
| the purposes of the processing; | Explain clearly each different purpose for which you use people’s personal data. | Always |
| the legal basis for the processing; | Explain which lawful basis you are relying on in order to collect and use people’s personal data. | Always |
| the legitimate interests pursued by the controller; | Explain what the legitimate interests for the processing are if you rely on the lawful basis under Article 6(1)(f). | If applicable |
| the recipients or categories of recipients of the personal data, if any; | Who you share personal data with. You can tell people the names of the organisations or the categories that they fall within. | If applicable |
| if the controller intends to transfer personal data to a third country or international organisation; | Tell people if you transfer their personal data to any countries or organisations outside the EU, and the basis for doing so (i.e. an adequacy decision or appropriate safeguards such as standard contractual clauses). | If applicable |
| the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; | How long you will keep people’s data for. If you don’t have a specific retention period, then you need to tell people the criteria you use to decide how long you will keep their information. | Always |
| the existence of data subject rights; | Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability. | Always |
| the right to withdraw consent; | Consent must be as easy to withdraw as it is to give. Tell people that they can withdraw their consent and how they can do this. | If applicable |
| the right to lodge a complaint with a supervisory authority; | It is good practice to provide the name and contact details of the supervisory authority. | Always |
| whether the data subject is obliged to provide the personal data as a statutory or contractual requirement, and the possible consequences of failure to provide such data; | Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data. | If applicable |
| the existence of automated decision-making, including profiling. | Whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give meaningful information about the logic involved and explain the significance and possible consequences. | If applicable |