Module 6 - Information Provision Obligations Flashcards
1
Q
What do the transparency obligations under GDPR require?
A
- EDPB guidance - THREEFOLD OBLIGATION relevant to FAIR PROCESSING DISCLOSURES, CONTROLLER COMMUNICATIONS with DSs and CONTROLLER FACILITATION OF DS RIGHTS EXERCISE.
- Controllers must communicate in INTELLIGIBLE AND EASILY ACCESSIBLE FORM, FREE OF CHARGE (except for unfounded or excessive requests).
- Controllers should use CONCISE, CLEAR AND PLAIN LANGUAGE - not technical.
2
Q
What nine facts should be included in privacy notice where there is direct processing?
A
- Details of controller (and DPO, if appointed).
- Purpose and scope of processing (e.g. legitimate interests).
- Controller’s legitimate interests (if relevant).
- Data recipients.
- Any automated decision-making undertaken.
- DS GDPR rights.
- If international/ex-EEA data transfers will occur and the means of legitimising these.
- Retention period and criteria used to determine storage length.
- Whether provision of data is a contractual or statutory requirement, or otherwise required to be provided, and the consequences of not doing so.
3
Q
What seven facts should be included in privacy notice where there is indirect processing?
A
- All of the detail required if there is direct processing, together with:
1. Data sources; and
2. Data categories.
- Privacy notice must be provided upon first communication with DS or within a reasonable period after receiving data (no longer than one month).
4
Q
What are the five exemptions from the requirement to provide an indirect privacy notice?
A
- Impossibility or disproportionate effort (subject to ensuring rights/freedoms of DS).
- Privacy notification would render impossible or seriously impair processing (subject to ensuring rights/freedoms of DS).
- DS already informed.
- EU / MS law already requires the data processing and appropriately protects individual interests.
- EU / MS law requires the personal data remain secret.