Fair Processing Notices or Privacy Notices are key to fulfilling the transparency requirements under the GDPR. Individuals have the right to be informed about the collection and use of their personal data, and the GDPR places more emphasis on information that should be provided to individuals about what you do with their personal data.
Article 5 requires that data processing is fair, lawful and transparent.
Article 12 requires that information provided to individuals must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Articles 13 and 14 specify what individuals have the right to be informed about.
Transparency is also about engendering trust. If you’re not honest with people about what you do with their data, or you hide important information behind overly complex and legalistic language, people will be less willing to put their trust in you and provide you with their personal data. In addition to any fines you may be subject to, there is the reputational damage you could suffer for getting it wrong.
Put in simple terms, use plain language, tell people who you are and how to contact you, tell them why you are processing their data, how long it will be stored and who it will be shared with.
When do you need Fair Processing or Privacy Notices?
When you collect personal data from individuals you must provide them with the information at the time you obtain their data. When you obtain personal data from a source other than the individual it relates to, you need to provide the information within a reasonable period of obtaining the personal data and no later than one month.
Exceptions to this requirement:
The individual already has the information – If you know, or it’s obvious, that an individual already has some of the necessary information, you do not need to provide it to them. However, you must still provide them with anything that they don’t already have. You may not know what information an individual already has. If you are unsure, it is best to provide individuals with all the relevant privacy information.
When you obtain personal data from a source other than the individual it relates to, you do not need to provide them with privacy information if:
The individual already has the information
Providing the information to the individual would be impossible
Providing the information to the individual would involve a disproportionate effort
Providing the information to the individual would seriously impair meeting the objectives of the processing
You are required by law to obtain the personal data
You are subject to an obligation of professional secrecy regulated by law that covers the personal data
How should you deliver them?
Depending on the business channel, there are various ways of delivering the information. The European Data Protection Board (formerly WP29) suggests several methods of providing transparency information:
The use of layered privacy notices online: allowing data subjects to navigate to whichever part of the privacy statement they wish to access without being required to scroll through large amounts of text. The design and layout of the first layer “should be such that the data subject has a clear overview of the information available to them” and need only expand sections for greater detail.
A “just-in-time” notice will provide specific privacy information when it is most relevant to the data subject — for example, during an online purchase a pop-up next to a field requesting the purchaser’s telephone number might explain that the information is only being collected concerning contact related to the purchase and will only be disclosed to the relevant delivery service.
Alternatives may include hard copy notices with written explanations or notices included in leaflets, infographics or flowcharts for contracts concluded via post;
Oral explanations provided via telephone either by a real person or automated system that includes options to access more detailed information.
It is good practice to use the same medium you use to collect personal data to deliver privacy notices. Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy notices.
What you should tell people

| Article 13 Requirement | What should you tell people |
| --- | --- |
| the identity and the contact details of the controller and, where applicable, of the controller's representative; | Who you are and how to contact you. A representative is an organisation that represents you if you are based outside the EU. |
| the contact details of the data protection officer; | How to contact your DPO (some organisations are required to appoint a DPO). |
| the purposes of the processing | Explain clearly each different purpose for which you use people’s personal data. |
| the legal basis for the processing; | Explain which lawful basis you are relying on in order to collect and use people’s personal data. |
| the legitimate interests pursued by the controller | Explain what the legitimate interests for the processing are if you rely on the lawful basis under article 6(1)(f). |
| the recipients or categories of recipients of the personal data, if any; | Who you share personal data with. You can tell people the names of the organisations or the categories that they fall within. |
| If the controller intends to transfer personal data to a third country or international organisation | Tell people if you transfer their personal data to any countries or organisations outside the EU and the basis (i.e. an adequacy decision or appropriate safeguards such as standard contractual clauses). |
| the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; | How long you will keep people’s data for. If you don’t have a specific retention period, then you need to tell people the criteria you use to decide how long you will keep their information. |
| the existence of data subject rights | Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability. |
| The right to withdraw consent | Consent must be as easy to withdraw as it is to give. Tell people that they can withdraw their consent and how they can do this. |
| the right to lodge a complaint with a supervisory authority; | It is good practice to provide the name and contact details of the supervisory authority. |
| whether the data subject is obliged to provide the personal data as a statutory or contractual requirement and of the possible consequences of failure to provide such data | Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data. |
| the existence of automated decision-making, including profiling | Whether you make decisions based solely on automated processing, including profiling, that have legal or significant effects on individuals. Give meaningful information about the logic involved and explain the significance and possible consequences. |
Enforcement of Fair Processing & Privacy Notices
While the level of a fine will always be determined against the “nature, gravity and duration” of the infringement, the setting out of two tiers of maximum fines is a clear pointer as to those elements of the GDPR that carry most weight.
Non-compliance with the data subjects’ rights under Articles 12-22 attracts the upper-level fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
The Data Protection Commission Ireland set out their priorities for GDPR supervision and enforcement early in 2018, stating “we will be targeting our early GDPR supervision and enforcement activities on compliance with the transparency obligation given its centrality to ensuring that individuals can easily understand what, how and why their data is being processed”.