The content of the information may differ slightly whether or not the personal data have been obtained directly from the individuals
2. As to the content,
2.1. Information to be provided regardless of the type of collection of data (i.e. direct or indirect)
-Identity and contact details of the data controller and where applicable of the data protection officer.
-Purposes of the data processing (i.e. What does the controller need personal data for?) including the existence of profiling and any automated decision making (including the logic involved) and the consequences of such data processing for the data subject.
-Legal basis of the data processing and where applicable a description of the legitimate interest pursued
-Recipients or categories of recipients of the personal data processed (given the definition of “recipient”, it should cover both recipient data controllers and processors).
-Where applicable, details of the transfer outside of the EU, the legal basis of such transfers (i.e. guarantees implemented: BCR, EU model clauses etc.) and the means to obtain a copy of the document
-Data retention period or criteria to determine it
-The rights of data subjects (e.g. right to access, the right to lodge a complaint with the authority etc.) : this is not new but the individuals are given new rights under the GDPR such as right to portability and erasure and more detailed information should be provided (e.g. see right to data portability). It also includes the right to withdraw consent at any time where applicable.
2.1. Information to be provided only where data is obtained from the data subject:
-Indication as to whether or not data are mandatory as well as the consequences of not providing the information.
-Indication as to whether the provision of personal data is a statutory or contractual requirement or a requirement to enter into a contract.
The last two bullet points might be linked to the one relating to legal basis of the processing as it is more or less the same information. In most cases, the information may be more relevant on a form to be filled out by the individual than in a privacy notice and more particularly if the collection of personal data is only necessary for a processing based on individual consent. The data controller also have to remind the users/individuals their right to withdraw their consent at any time.
2.3. Information to be provided where data is not obtained from the data subject:
-If the data is not collected directly from the individual, the data controller should also indicate the categories of data collected as well as the source of the data and whether this source is publicly available.
Where a processing is based on individual’s consent or on data controller’s legitimate interest specific safeguard will be required.
- As for the consent, the rules are laid down in the GDPR (see here for more details)
- As for the legitimate interest, a balance must be struck between the data controller’s legitimate interest and the legitimate interest, rights and freedom of the individuals . That could mean a possibility to opt out has to be implemented but this is a decision to be made on a case by case basis.
Where data is not obtained from the data subject the modalities of information may vary and be subject to exemption under certain circumstances. Indeed the information must provided:
- within a reasonable period after obtaining personal data (at the latest within one month;
- if the personal data is used to communicate with the data subject, the information must be provided before the first communication
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed
These rules apply unless the information was previously provided to the data subject; it would prove impossible or involve disproportionate effort to provide such information; it would impair the achievement of the processing; a member states law provides for obtaining or disclosure of the information and; where professional secrecy or statutory obligation of secrecy applies to the data.