The National Data Protection and Freedom of Information Authority (Authority) recently published its recommendation on information requirements (Recommendation). In the Authority's experience, most data controllers are aware of their obligation to prepare data processing information documents. However, these documents often fail to meet certain fundamental constitutional requirements, and individuals are not able to recognise the effects of the data processing on their privacy. To help develop good practice, the Recommendation provides data controllers with detailed guidelines on the requirements to be taken into consideration when preparing data processing information documents.
The Authority strongly recommends that data controllers review their data processing information documents against the Recommendation and implement changes where necessary. The Recommendation further advises reviewing and updating the data processing information documents every year, as the circumstances of the data processing and the applicable laws may change.
According to Article 20 (2) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Privacy Act), data controllers must inform individuals in advance, in a clear and detailed manner, about all facts concerning the data processing. This provision lists examples of the content the information document must contain (legal basis, purpose and duration of the data processing), but the list is not exhaustive. The Recommendation points out that other provisions of the Privacy Act must also be taken into account when providing the information. For instance, Article 15 (1) of the Privacy Act, which specifies the content of the information to be provided subsequently upon the individual's request, must be considered. In the Authority's opinion, the information provided in advance must already contain all the details specified in that Article, such as the scope of the data processed, the source of the data, the name and address of the data processor and its activity related to the data processing. Article 11 (2) of the Privacy Act must also be considered, as it imposes an additional information obligation in relation to decisions made on the basis of automated data processing.
In which form should the information be provided?
Pursuant to the Recommendation, the information may be provided in writing or in any other form, including orally. However, the burden of proving that the information was provided lies with the data controller. The general rule is therefore that the information should be provided in writing. The Authority notes that it cannot issue a template information document, since the specific circumstances of the data processing must be taken into account in each case.
According to the Authority's position, which is based on the principle of fair data processing defined in Article 4 of the Privacy Act, the information must be clear, readily accessible and easily readable. The Recommendation emphasises that merely citing provisions of the Privacy Act does not properly fulfil the information obligation. The information document should use short sentences and everyday language when describing the circumstances of the data processing, and it is recommended to illustrate the information with examples. Structuring the document, enumerating items and using bullet points is also recommended to improve clarity. Finally, the information document must be available before the data processing commences and, where possible, before each important data processing action. The Authority further expects the information document to be permanently accessible from the front page of the data controller's website. Where the data processing information is contained in standard contractual clauses, it should be set out as a separate part of the text.
What should be the scope of the information?
Data controller: The data controller's contact details, such as its address, e-mail address, website and phone number, must be given. Where there are multiple data controllers or data is transferred, each data controller must be named.
Purpose of data processing: The description of the purposes of data processing must be concrete, precise and clear. For instance, according to the Authority, it is not sufficient to state that the data processing is for marketing purposes, as this may refer to various forms of marketing; the purpose should be defined more precisely, such as "sending direct marketing messages via e-mail". In the case of more complex data processing (for instance, processing with multiple purposes), each purpose must be specified in connection with the scope of data processed for it. It is essential that the individual is informed about the real purpose of the data processing. It is therefore not appropriate, for example, to inform data subjects that data is processed for medical purposes when a health day is in fact a disguised product presentation.
Legal basis of data processing: Where data processing is based on the individual's consent or on law, the features of the legal basis should be briefly described and the provisions of the relevant laws indicated. Where processing relies on another legal basis provided for in the Privacy Act (performance of a legal obligation, legitimate interest), a short description should also be given. Importantly, where data is processed in pursuit of a legitimate interest, the data controller must carry out a so-called balancing test and inform the individuals concerned of its result.
The scope of data processed: The personal data subject to processing must be listed precisely. General terms (such as "personal identification data" or "contact details") are not sufficient. In the case of complex data processing (for example, processing with multiple purposes), the scope of data processed should be set out separately for each purpose.
Duration of data processing: Information on the duration of data processing must be given in connection with the purpose of the processing and the scope of data processed. If any law contains provisions on the duration of the data processing, this must be indicated in the information document.
Data processor: The name and contact details of the data processor, including its address, e-mail address, website and phone number, must be provided. It is not sufficient to state that the data controller uses a data processor. The Authority further requires the information document to state precisely what activities the data processor carries out, which personal data it may access and for how long.
Persons entitled to access the data: Information must be given on who has access to the data and under what conditions. The persons and organisations entitled to access personal data must be identified by job position and department, together with details of the data processing activity they carry out.
Data security measures: The essence of the main data security measures must be described briefly and clearly. Citing Article 7 of the Privacy Act in the information document is not sufficient.
Data processing under Article 6 (5) of the Privacy Act: Information on data processing under Article 6 (5) of the Privacy Act must be provided separately. Under that provision, personal data collected with the individual's consent may be processed without further consent, or after the withdrawal of consent, where this is necessary to perform a legal obligation or for the purposes of a legitimate interest pursued by the data controller or by a third party. In this respect, the Recommendation refers to Opinion 6/2014 of the Article 29 Data Protection Working Party, according to which data controllers processing data on the basis of legitimate interest must carry out a so-called balancing test and inform individuals of its result.
Rights and remedies of individuals: Individuals must be informed in detail about their rights (right of access; rectification, erasure and blocking of personal data; right to object). This information should specify the manner in which, and the time within which, individuals can exercise their rights, and the content of each right should also be described (for example, through examples). As regards remedies, individuals must be informed of the possibility to initiate proceedings before the Authority and to bring an action before the courts. The Authority's official e-mail address, postal address, phone number and website must be included in the information document. In relation to the judicial remedy, the information should state that the individual may file a lawsuit before the court of his or her place of residence.
How might insufficient information affect the lawfulness of the data processing?
Where data processing is based on the individual's consent, insufficient information means that one of the essential conditions of consent is not met: the consent is not informed. According to the Recommendation, if inadequate information significantly influenced the individuals' expression of their intention and prevented them from recognising the effects of the data processing, the data controller has no valid legal basis for the processing, and the processing is unlawful. Where data processing is based on law, the relevant provisions of the law must be indicated precisely and, in the Authority's opinion, detailed information must also be provided by virtue of the principle of fair data processing. Where data processing is based on legitimate interest, the conditions of lawful processing include carrying out the balancing test and informing the individuals of its result.
Based on the above, in the Authority's opinion, providing appropriate information on the data processing in advance is of significant importance to the lawfulness of the entire data processing. It is therefore recommended to allocate adequate time and resources to preparing data processing information documents, reviewing them regularly and amending them where necessary.