The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.
What is a privacy notice?
A factsheet known as a privacy notice refers to that set of information which must be provided to data subjects (namely natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and who they will be shared with.
Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.
What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.
Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.
Besides this information, the GDPR provides further relevant information in the privacy notice which the controller is required to provide to data subjects in order to proceed with processing their data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and in cases where this constitutes legitimate interest for the controller, specify its contents; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision; BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.
When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).
Conversely, however, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (in addition specifying the source of the data) within a month of collecting them or at any rate from the moment of their communication (to a third party or to the data subjects themselves).The GDPR also provides for certain circumstances for exemption in this situation (art. 14, par. 5) which refer to those cases in which: a) data subjects are already in possession of all relevant information; b) the provision of such information would prove impossible or would involve excessive effort; c) the collection or disclosure is laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty and therefore, the responsibility of the data controller to assess whether there is one of the above-listed circumstances.
In addition data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.
How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.