How should you comply with the Right of Information of the data subject?


It is a fact that all enterprises have 25 May 2018 marked in their calendars as the deadline to adapt their data processing to the General Data Protection Regulation (hereinafter, GDPR). To help with that, this post deals with one of the most important obligations of the data controller: complying with the data subject's Right of Information. But what novelties has the GDPR introduced in this right? And how can this obligation be diligently complied with in Spain?

Firstly, the Right of Information is the right of the data subject to be informed about the processing of his or her personal data. The moment at which the information must be provided depends on how the data was obtained (provided by the data subject, or obtained from another data controller).

After this brief definition of the right, we should consider the different provisions that apply to it: Articles 13 and 14 GDPR and, even though it is still only a draft, Article 21 of the Draft of the new Spanish Data Protection Law (hereinafter, ALOPD).

So, which information shall be provided to the data subject?

  1. The identity and the contact details of the controller and, if any, of the controller's representative;
  2. The contact details of the Data Protection Officer;
  3. The purposes and the legal basis of the processing;
  4. The legitimate interests pursued by the controller or by a third party, when the processing is based on that ground;
  5. The recipients or categories of recipients of the personal data, if any;
  6. The intention to transfer personal data to a third country or international organization and the legal basis for lawfully transferring the data (existence of an adequacy decision, suitable safeguards, etc.);
  7. The period for which the personal data will be stored or the criteria used to determine it;
  8. The existence of the rights of the data subject (access, rectification, erasure, restriction, objection and portability);
  9. The existence of the right to withdraw consent (where the processing is based on the consent of the data subject);
  10. The right to lodge a complaint with a supervisory authority;
  11. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide such data;
  12. The existence of automated decision-making, including profiling, with an explanation of the logic involved and of the significance and the envisaged consequences of the processing for the data subject;
  13. And, in case the personal data was not obtained from the data subject, the source from which the personal data originates.

Moreover, the information shall be provided to the data subject in accordance with Articles 11(1) GDPR and 21(1) ALOPD. These articles state that the information should be provided in clear and plain language, in a concise, transparent, intelligible and easily accessible form.

There are therefore two major differences between this new regulation and the previous one (Article 5 of the Spanish Data Protection Law):

  • The new regulation emphasizes the data subject's comprehension of the information given: it states that "clear and plain language" shall be used and that the controller must give the information "in a concise, transparent, intelligible and easily accessible form".
  • The new regulation requires the controller to give more information to the data subject.

Secondly, after introducing the right and summarizing the information that must be given to the data subject, we should analyze how that information should be given. For this, we have to take into account the Guide published by the Spanish Data Protection Authorities (cumplimiento del Deber de Informar), in which the Authorities recommend giving the information through the "LAYERED INFORMATION" method.

What does this method of providing information to the data subject consist of?

The objective of this method is to give the information in two layers, so that it is provided in a clear and plain way and the data subject understands all of the information given.

The two layers are:

  1. FIRST LEVEL OR LAYER with BASIC INFORMATION. This information is given to the data subject when the personal data is collected from him/her or, if the data is not provided by him/her, by other means that are explained below;
  2. SECOND LEVEL OR LAYER with ADDITIONAL INFORMATION. This information completes the information required by the articles indicated above.

1º LAYER – BASIC INFORMATION.

  1. WHERE THE INFORMATION SHOULD BE LOCATED.

WHEN THE PERSONAL DATA HAS BEEN PROVIDED BY THE DATA SUBJECT.

The Authorities recommend that the basic information be given in a TABLE inside the form in which the personal data is provided and the processing is consented to. Where possible, the table should be placed within the field of vision of the place where the data subject consents to the processing.

This means that:

  • If the form is on paper, the table should be placed next to the signature box;
  • If the form is electronic, the table should be placed next to the send button.

If it is not possible to place the table in the positions indicated above, the Authorities recommend incorporating, within the field of vision of the signature box or the send button, a sentence announcing where the data subject will find the information.

Example: the following sentence could be used: "Antes de firmar la solicitud, debe leer la información básica sobre protección de datos que se presenta en (…el reverso, a pié, etc.)" // "Before signing this form, you must read the basic information on data protection provided in (the back of this form, below, etc.)".

WHEN THE PERSONAL DATA HAS NOT BEEN PROVIDED BY THE DATA SUBJECT.

The Guide indicates two ways of providing the information to the data subject: by post or by email.

  2. WHICH INFORMATION SHOULD BE PROVIDED IN THIS LAYER?
  • THE CONTROLLER – its identity.
  • THE PURPOSES OF THE PROCESSING – The purpose of the processing should be described concisely. If there are several purposes, only the principal one should be indicated in this layer, leaving the others to the second layer.
  • LEGAL BASIS FOR THE PROCESSING – The legal basis should be indicated (the data subject's consent, performance of a contract, a legal obligation, a task carried out in the public interest or in the exercise of official authority, or a legitimate interest).
  • RECIPIENT – The recipient of the information should be indicated if disclosure of the data is planned. If no disclosure of personal data is planned, this should be stated.

For example: "No se cederán datos a terceros, salvo obligación legal." // "Personal data will not be disclosed to third parties, except where a legal obligation requires it."

  • RIGHTS – A brief enumeration of the data subject's rights should be made in this section.

For example: "Tiene derecho a acceder, rectificar y suprimir los datos, así como otros derechos, como se explica en la información adicional." // "You have the right to access, rectify and erase your personal data, along with other rights explained in the additional information."

  • THE SOURCE OF THE PERSONAL DATA – The source of the personal data should be indicated.

After all this information, a sentence should be added announcing where the additional information can be found.

For example: "Puede consultar la información adicional y detallada sobre Protección de Datos en (..indicación textual, hipervínculo, etc.)" // "You can find the additional and detailed information on data protection in (…)."

The Guide provides two worked examples of this basic-information table (not reproduced here).

If the information has to be given by TELEPHONE, the Guide recommends that:

  • The information should be provided in clear and plain speech.
  • It should be verified that the interlocutor has understood the information before the personal data is collected.
  • If the data subject requires more information or any explanation of the information given, it should be provided in a complementary speech.


2º LAYER – ADDITIONAL INFORMATION:

The objective of this layer is to complete the information given in the first layer, so as to ensure that all the information required by the Regulation is provided to the data subject.

It is important to bear in mind that all the information given in the first layer must also be provided in this layer, together with the remaining information indicated in Articles 12 and 13 GDPR.

This information can be provided in different ways, depending on how the basic information was provided to the data subject:

  • PAPER.
    • In the same form, for example, on the reverse.
    • In an annex.
    • In panels, posters, leaflets, etc.
  • ELECTRONIC.
    • On a website.
    • In a document that the data subject can download.
    • In an annex to an email sent to the data subject.
  • TELEPHONE.
    • Orally, or via a website indicated to the data subject, by postal mail or by email.

After analyzing the ways in which the information can be provided, we should look at which information must be included.

CONTROLLER – It should indicate:

  1. The identity and the contact details of the controller and, if any, of the controller's representative;
  2. The contact details of the Data Protection Officer.

It is important to take into consideration that:

  • The identity of the DPO is not required;
  • The contact details should include a postal address and an electronic address (URL or contact form).

THE PURPOSES OF THE PROCESSING – It should include:

  • The purposes of the processing;
  • The period for which the personal data will be stored or the criteria used to determine it;
  • The existence or non-existence of automated decision-making (if it exists, the logic involved and the significance and the envisaged consequences of the processing for the data subject should be indicated).

LEGAL BASIS FOR THE PROCESSING – In this section, we should differentiate between the legal bases that legitimize the processing of personal data:

  • Performance of a contract, or processing needed in order to take steps prior to entering into a contract → A reference to the contract or to the type of contract should be indicated.
  • Compliance with a legal obligation → The legal provision that establishes the obligation for the controller should be indicated.
  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller → The legal provision that confers the authority on the controller, or that qualifies the task as being in the public interest, should be indicated.
  • The legitimate interests pursued by the controller or by a third party → It should explain what those legitimate interests are. The Authorities consider it good practice to include a brief explanation of the balancing between the legitimate interest pursued by the controller and the interests, rights and freedoms of the data subject, because it contributes to the transparency principle.

RECIPIENT – This section should explain any expected disclosure of data to a third party. If disclosure is expected, information about the identity of the recipients or, where these have not yet been determined, the categories of recipients should be given.

In addition, this section should also indicate:

  • Whether there are data processors.
  • Whether data is expected to be transferred to third countries or international organizations. In that case, all the information related to the transfer of personal data should be provided, to ensure it is lawfully made.

RIGHTS OF THE DATA SUBJECT – The data subject should be informed of the existence of his or her rights, which are the following:

  1. The right to request from the controller access to the personal data.
  2. The right to request the rectification or erasure of the personal data.
  3. The right to request the restriction of the processing of the personal data.
  4. The right to object to the processing.
  5. The right to data portability.

Along with the enumeration of the rights, it should explain how to exercise them, providing forms and contact details for making the request.

In addition, it should also be stated that:

  • The data subject has the right to withdraw his or her consent to the processing.
  • The data subject has the right to lodge a complaint with a supervisory authority.

THE SOURCE OF THE PERSONAL DATA – It should indicate:

  • The source of the personal data, even if it comes from a publicly accessible source.
  • The categories of personal data processed.

The controller's Obligation of Information is the key to ensuring compliance with the transparency principle stated in Article 5 GDPR. For this reason, it is essential that controllers work on drafting a set of clauses that meet the required clarity and plainness, ensuring that the data subject understands the processing of his/her personal data.

All this, together with the accountability principle stated in Article 5 GDPR (under which controllers bear the burden of demonstrating compliance with the obligation), should serve to raise awareness of the importance of informing data subjects in a correct and comprehensible way.

Will all of this mean the end of the illegible and endless data protection information clauses?

Only time will tell.
