GDPR 7 Minute Read

Fair Processing & Privacy Notices. The Why, When, How & What of Enforcement

Kathy Williams Oct 31, 2018

Why you need Fair Processing or Privacy Notices?

Fair Processing Notices or Privacy Notices are key to fulfilling the transparency requirements under the GDPR. Individuals have the right to be informed about the collection and use of their personal data and the GDPR places more emphasis on information that should be provided to individuals about what you do with their personal data.

Article 5 requires that data processing is fair, lawful and transparent
Article 12 requires that information provided to individuals must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Articles 13 and 14 specify what individuals have the right to be informed about.

Transparency is also about engendering trust. If you’re not honest with people about what you do with their data, or you hide important information behind overly complex and legalistic language, people will be less willing to put their trust in you and provide you with their personal data. In addition to any fines you may be subject to is the reputational damage you could suffer for getting it wrong.

Put in simple terms, use plain language, tell people who you are and how to contact you, tell them why you are processing their data, how long it will be stored and who it will be shared with.

Hourglass

When you need Fair Processing or Privacy Notices?

When you collect personal data from individuals you must provide them with the information at the time you obtain their data. When you obtain personal data from a source other than the individual it relates to, you need to provide the information within a reasonable period of obtaining the personal data and no later than one month.

Exceptions to this requirement :

The individual already has the information – If you know, or it’s obvious, that an individual already has some of the necessary information, you do not need to provide it to them. However, you must still provide them with anything that they don’t already have. You may not know what information an individual already has. If you are unsure, it is best to provide individuals with all the relevant privacy information.

When you obtain personal data from a source other than the individual it relates to, you do not need to provide them with privacy information if:
- The individual already has the information
- Providing the information to the individual would be impossible
- Providing the information to the individual would involve a disproportionate effort
- Providing the information to the individual would seriously impair meeting the objectives of the processing
- You are required by law to obtain the personal data
- You are subject to an obligation of professional secrecy regulated by law that covers the personal data

Mail

How should you deliver them

Depending on the business channel there are various ways of delivering the information. The European Data Protection Board (formerly WP29) suggests several methods of providing transparency information:

The use of layered privacy notices online: allowing data subjects to navigate to whichever part of the privacy statement they wish to access without being required to scroll through large amounts of text. The design and layout of the first layer “should be such that the data subject has a clear overview of the information available to them” and need only expand sections for greater detail.
A “just-in-time” notice will provide specific privacy information when it is most relevant to the data subject — for example, during an online purchase a pop-up next to a field requesting the purchaser’s telephone number might explain that the information is only being collected concerning contact related to the purchase and will only be disclosed to the relevant delivery service.
Alternatives may include hard copy notices with written explanations or notices included in leaflets, infographics or flowcharts for contracts concluded via post;
Oral explanations provided via telephone either by a real person or automated system that includes options to access more detailed information;

It is good practice to use the same medium you use to collect personal data to deliver privacy notices. Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy notices.

Info bubble

What you should you tell people

Article 13 Requirement	What should you tell people	When Required
the identity and the contact details of the controller and, where applicable, of the controller's representative;	Who you are and how to contact you. A representative is an organisation that represents you if you are based outside the EU	Always
the contact details of the data protection officer;	How to contact your DPO (some organisations are required to appoint a DPO).	If applicable
the purposes of the processing	Explain clearly each different purpose for which you use people’s personal data.	Always
the legal basis for the processing;	Explain which lawful basis you are relying on in order to collect and use people’s personal data.	Always
the legitimate interests pursued by the controller	Explain what the legitimate interests for the processing are if you rely on the lawful basis under article 6(1)(f)	If Applicable
the recipients or categories of recipients of the personal data, if any;	Who you share personal data with. You can tell people the names of the organisations or the categories that they fall within.	If Applicable
If the controller intends to transfer personal data to a third country or international organisation	Tell people if you transfer their personal data to any countries or organisations outside the EU and the basis (i.e. an adequacy decision or appropriate safeguards such as standard contractual clauses)	If Applicable
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;	How long you will keep people’s data for. If you don’t have a specific retention period, then you need to tell people the criteria you use to decide how long you will keep their information.	Always
the existence of data subject rights	Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability.	Always
The right to withdraw consent	Consent must be as easy to withdraw as it is to give. Tell people that they can withdraw their consent and how they can do this.	If Applicable
the right to lodge a complaint with a supervisory authority;	It is good practice to provide the name and contact details of the supervisory authority.	Always
whether the data subject is obliged to provide the personal data as a statutory or contractual requirement and of the possible consequences of failure to provide such data	Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data.	If Applicable
the existence of automated decision-making, including profiling	Whether you make decisions based solely on automated processing, including profiling, that have legal or significant effects on individuals. Give meaningful information about the logic involved explain the significance and possible consequences.	If Applicable

Gavel

Enforcement of Fair Processing & Privacy Notices?

While the level of a fine will always be determined against the “nature, gravity and duration” of the infringement, the setting out of two tiers of maximum fines is a clear pointer as to those elements of the GPDR that carry most weight.

Non-compliance with the data subjects’ rights under Articles 12-22 attract the upper-level fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

The Data Protection Commission Ireland set out their priorities for GDPR supervision and enforcement early in 2018 stating “we will be targeting our early GDPR supervision and enforcement activities on compliance with the transparency obligation given its centrality to ensuring that individuals can easily understand what, how and why their data is being processed”.