Module 6 - Information Provision Obligations

Question 1

What do the transparency obligations under GDPR require?

Answer 1

• EDBP guidance - THREEFOLD OBLIGATION relevant to FAIR PROCESS DISCLOSURES, CONTROLLER COMMUNICATIONS with DSs and CONTROLLER FACILITATION OF DS RIGHT EXERCISE.
• Controllers must communicate in INTELLIGIBLE AND EASILY ACCESSIBLE FORM, FREE OF CHARGE (except for unfounded or excessive requests).
• Controllers should use CONCISE, CLEAR AND PLAIN LANGUAGE - not technical.
• .

Question 2

What nine facts should be included in privacy notice where there is direct processing?

Answer 2

• Details of controller (and DPO, if appointed).
• Purpose and scope of processing (e.g. legitimate interests).
• Controller’s legitimate interests (if relevant).
• Data recipients.
• Any automated decision-making undertaken.
• DS GDPR rights.
• If international/ex-EEA data transfers will occur and the means of legitimising these.
• Retention period and criteria used to determine storage length.
• Whether provision of data is a contractual or statutory requirement, or otherwise required to be provided, and the consequences of not doing so.

Question 3

What seven facts should be included in privacy notice where there is indirect processing?

Answer 3

• All of the detail required if there is direct processing, together with:
  1. Data sources; and
  2. Data categories.
• Privacy notice must be provided upon first communication with DS or a reasonable period after receiving data (no longer than one month).

Question 4

What are the five exemptions from the requirement to provide an indirect privacy notice?

Answer 4

• Impossibility or disproportionate effort (subject to ensuring rights/freedoms of DS).
• Privacy notification would render impossible or seriously impair processing (subject to ensuring rights/freedoms of DS).
• DS already informed.
• EU / MS law already require data processing and appropriately protect individual interests.
• EU / MS law requires the personal data remain secret.