Two years after the EU's General Data Protection Regulation (GDPR) entered into force, it has applied throughout the EU since 25 May 2018, and Europe faces a new legal situation. It remains to be seen which obligations the supervisory authorities and data subjects will focus on. Nevertheless, the provisions on transparency in the processing of personal data are expected to be a priority concern.
The GDPR (Article 5) specifies several principles that must be complied with when processing personal data: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability, i.e. the controller's obligation to be able to demonstrate compliance with these principles. Whether some of these rank higher than others cannot be deduced from the Regulation.
Nevertheless, the principle of transparency, i.e. processing personal data in a manner that is comprehensible to the data subject, clearly stands out, because compliance with these obligations can be checked easily and quickly, much like compliance with the legal ownership information and disclosure obligations under the Media Act. Of particular relevance in this respect are Articles 13 and 14 of the Regulation, which specify which information regarding the processing of their personal data must be provided to data subjects, when and how: Article 13 applies where the data are collected from the data subject, Article 14 where they are obtained from another source.
The scope of the information to be provided is in itself remarkable: in addition to the controller's identity and contact details (and those of the data protection officer, if any), it includes in particular the purposes of the processing, its legal basis, a description of the recipients or categories of recipients, any intended third-country transfers, the storage period, information on the data subject's rights and whether automated decision-making, including profiling, is used.
Many businesses are not so much worried about the content of the information to be provided, but rather about its timing and manner: when personal data are collected directly from the data subject, the information must be provided at the time of collection. In an online context, this can in many cases be achieved with a straightforward data protection statement that is permanently retrievable on one's own web site.
However, the situation is different when personal data are processed through physical, telephone or other offline interaction with the data subject. In the opinion of the Article 29 Data Protection Working Party, suitable formats for providing data protection information include written statements, flyers or information in contract documents for contracts concluded by mail; oral statements or automated prerecorded messages in the case of telephone conversations; and oral or written statements in the case of direct personal contact.
Data controllers are thus faced with the task of considering which channels to use for collecting personal data so that they can provide data subjects with data protection information in good time and transparently. We will need to wait for the GDPR's application in practice to see which formats emerge as best practices for suitable and reasonable compliance with the information obligations in terms of content, form and timing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.