Section 2 Information and access to personal data
Author: Alexander Dix
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
A. Preliminary remarks
The processing of personal data entails obligations to actively notify with which the controller must comply regardless of any request by the data subject. Union law specifies the principles of fair and transparent processing by listing certain information which the controller has to deliver on his own initiative. According to the Court of Justice, the obligation to notify shall enable the persons affected to exercise their rights under Arts. 7 and 8 of the Charter, in particular to request access to their personal data and to avail themselves of an effective remedy according to Art. 47 of the Charter (→ Art. 79). The Regulation distinguishes between cases of collecting data directly from the data subject (Art. 13) and indirectly from third parties (Art. 14). However, the differences are limited to the point in time when the information must be provided and the exceptions to the obligation to notify. The scope of the information which must be provided is the same in both cases. Article 13 of Directive (EU) 2016/680 contains similar obligations to notify without distinguishing between direct and indirect collection of data. There, the scope of the information to be provided is more limited and the Member States have greater room for manoeuvre when determining the time at which the information must be given.
B. Legislative history
Commission and Parliament had proposed to provide for the obligations to notify when collecting data directly or indirectly in one Article. The clearer layout in two provisions, following the structure of Arts. 10 and 11 of Directive 95/46, was only integrated into the Regulation following a proposal by the Council. On the other hand, the obligation to notify was extended by the Council to the legitimate interests of the controller or a third party in the case of Art. 6 para. 1 lit. f (Art. 13 para. 1 lit. d). The duty to inform about potential automated decisions and profiling (Art. 13 para. 2 lit. f) was added by Parliament, whereas the duty to inform about scheduled changes of purpose was included following a suggestion by the Council (Art. 13 para. 3).
C. Obligations to inform when collecting data directly
I. Primary obligations (para. 1)
The provision considerably extends the controller’s duty to inform compared with the previous law (Art. 10 Directive 95/46/EC). Whereas the Directive of 1995 only provided for a short minimum list of information which had to be provided to the data subject in case certain conditions were met, Art. 13 of the Regulation gives a comprehensive list of information which has to be provided to the data subject when collecting personal data from him. The Art. 29 Working Party has interpreted the term “provide” so as to oblige the controller to take “active steps to furnish the information in question to the data subject or to actively direct the data subject to the location of it (e.g. by way of a direct link, use of a QR-code etc.)”. This rules out the mere inclusion of this information in the controller’s terms and conditions or privacy policy (→ mn. 12; Art. 12 mn. 10). The controller’s obligation to inform does not justify requesting the data subject’s signature as confirmation of actually having taken notice of the information provided.
The obligation to notify arises when data are collected from the data subject. Collecting data is one of the operations of processing them (Art. 4 para. 2) which is not defined separately by Union law (→ Art. 4 mn. 35 et seq.). Collecting data normally, but not necessarily, precedes their storage. Collection means the wilful acquisition of data. The mere reception of an application or providing a technical device to receive messages (e.g., opening an e-mail account) does not amount to the collection of data. On the other hand, filming identifiable persons, measuring domestic energy consumption by smart meters, reading cookies or identifying Internet users, e.g., by device fingerprinting, is collection of personal data. Furthermore, personal data are also collected within the meaning of Art. 13 when data are stored via an application, wearable device or virtual assistant not locally on the computer or device but simultaneously or exclusively on servers of the manufacturer or the app provider. The mere monitoring of persons with video cameras without storing images cannot be seen as collection of data. A website operator who embeds content of a third party which leads to the collection or other forms of processing of personal data (“Like-Button”) is himself under an obligation to inform the data subject about this processing.
Although the data have to be collected from the data subject for Art. 13 to apply, this does not preclude that they are collected without the data subject’s knowledge. Examples are a private detective’s investigation, data retention, telephone tapping, or observation using automated data capturing devices or data capturing software, such as cameras, network equipment, virtual assistants (→ mn. 4), Wi-Fi tracking, RFID or other types of sensors with subsequent data storage. In principle, the Regulation in Arts. 13 and 14 rules out the collection of personal data behind the back of the data subject, i.e., without the data subject receiving certain information about this process. This is in line with the jurisprudence of the European Court of Human Rights and Art. 8 of the Charter of Fundamental Rights (→ Recital 1). Exceptions from this rule may be provided by restrictions in Union or Member State law according to Art. 23 GDPR.
[…]