Transparency, Control and the Right to be Informed
Let me take you back a year, to April 2018 – a time when there was a considerable flurry to ensure Privacy Notices (often called Privacy Policies) were updated to reflect the GDPR information requirements.
Organisations needed to cover the purposes of processing personal data, the relevant lawful bases, overseas data transfers, individual rights, work out what on earth to say about data retention periods… and so the list went on. Once the checklist of requirements was ticked, next was the challenge of presenting this information in a clear, easy to understand and concise way. No easy task.
Fast forward a year and I suspect your Privacy Notices have been tweaked along the way, but are you remembering not just to meet the requirements to provide information to individuals when you collect their personal details directly from them (Article 13), but also those of Article 14? To comply with the latter, you should provide privacy information to individuals whose data you process when you have NOT collected their details directly from them.
This could be personal information you may have received from a third party, or perhaps business prospects you have researched from openly-available sources (under your carefully assessed Legitimate Interests, of course). It’s important not to forget to provide privacy information to these individuals too.
Well, an interesting case popped up recently in Poland. The President of the Personal Data Protection Office (UODO) has fined a company 220,000 euros (yes, you read that correctly) for not fulfilling Article 14. The company was found to have obtained records from publicly-available sources, but had not informed many of those individuals that it was processing their personal data. This meant those individuals were denied the ability to exercise their rights.
Admittedly, in this case, the company was processing millions of publicly-sourced records – hence the size of the fine. However, it’s a wake-up call for all of us and tells us that regulators are prepared to enforce Article 14. How can an individual exercise their right to object to processing or request erasure if they don’t even know you’re handling their personal information? And remember, personal data includes business contact information too, not just your customers’ details.
What does Article 14 require organisations to do?
Article 14 sets out the information you should provide to individuals when you’ve sourced their personal data indirectly. This information should include:
- The identity and contact details of the controller
- Contact details for the DPO, where applicable
- Purposes of processing and lawful basis
- Categories of personal data concerned
- Recipients or categories of recipients, if any
- Transfers to a third country, and reference to appropriate or suitable safeguards
- Data retention periods, or criteria used to determine that period
- The legitimate interests pursued by the controller or a third party (if relevant)
- The right to withdraw consent (if relevant)
- Individual Rights, including right to lodge a complaint with a Supervisory Authority
- Existence of automated decision-making, including profiling
This should all sound familiar, as it’s the information you would have ticked off as requirements for your Privacy Notice (under Article 13).
Furthermore, Article 14 sets out when this information must be provided:
1. Within a reasonable period after obtaining the personal data, but at the latest within one month
2. If the personal data are to be used for communications with the individual, at the latest at the time of the first communication with them.
Plus, if a disclosure to another controller is expected, this information must be provided at the latest when the information is first disclosed.
Are there any exceptions?
The provision of information is not required if the individual already has this information, or if providing it proves impossible or would involve disproportionate effort (particularly in relation to processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes). Disproportionate effort is difficult to demonstrate and the scope of the exceptions is limited, so to avoid falling foul of the rules it would be wise to endeavour to fulfil Article 14.
What should you do?
With researched prospects, bought-in marketing lists or personal data received from another third party, for example, you should contact the individuals concerned within a month and inform them that you’re processing their personal data and why. You should also give them an opportunity to object and, at the very least, provide a clear link to your Privacy Notice to fulfil the other requirements.
Philippa Donn, April 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.