Zuzanna Sarapata

Duty to inform - what is it and how can it be fulfilled?

Publication date
7.11.2022
|
3 min reading
    On 25 May 2018, the General Data Protection Regulation (GDPR, known in Poland as RODO) began to apply throughout the European Union, and therefore also in Poland. It introduced a number of new obligations concerning the collection, storage and processing of personal data that were not provided for in the Polish Personal Data Protection Act of 29 August 1997. One of the key changes, especially for data controllers, was the introduction of the information obligation, i.e. the duty to give the data subject clear information about the collection and processing of their data. Not surprisingly, the 2018 regulation caused some panic, as it imposed a substantial obligation on controllers under threat of a fine, although most businesses were able to comply - often spending a considerable amount on legal advice. Some, however, did not comply and paid hefty fines - even hundreds of thousands of euros - as a result. For your own peace of mind, it is therefore worth knowing what the information obligation is and how to implement it.

    What is the duty to inform?

    The duty to inform is the responsibility of data controllers towards the persons whose data they obtain and intend to process. The controller must tell the data subject who the controller is and how to contact it, and must state the purpose of the processing and its legal basis, before the processing begins.

    The information obligation in the GDPR comes in two variants, depending on the origin of the data being processed:

    • The first variant, described in Article 13 of the GDPR, applies when personal data are obtained directly from the data subject.
    • The second variant, described in Article 14 of the GDPR, applies when personal data are obtained from a source other than the data subject.

    In the first variant, the controller must fulfil the information obligation at the moment the personal data are obtained, i.e. before any processing starts. In the second variant there are several distinct deadlines. If the data are obtained from a source other than the data subject, the data subject must be informed within a reasonable period after the data are obtained, and at the latest within one month. If the data are to be used to communicate with the data subject, the information must be provided at the latest at the time of the first communication. Likewise, if the data are to be disclosed to another recipient, the information obligation must be fulfilled at the latest when the data are first disclosed.

    In both variants, the information obligation does not apply to the extent that the data subject already has the information in question (Article 13(4) and Article 14(5)(a)). It is worth remembering, however, that merely providing the information is not always enough, as it must also be provided in the right form. Under Article 12 of the GDPR, the controller must provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language; only then is the information obligation properly fulfilled.

    When must the duty to inform be fulfilled?

    The duty to inform must be fulfilled whenever personal data are collected, whether directly from the person or indirectly, as set out in Articles 13 and 14 of the GDPR. Interestingly, the Regulation does not define "collection" separately; it is treated as one form of processing (Article 4(2)), and it is generally assumed that even coming into possession of the data with the intention of processing them in the future counts as collection. The key event is therefore simply coming into possession of personal data that can be processed for a specific purpose; it matters little whether the person provided the data themselves, e.g. by signing up to a mailing list, or whether the data were obtained by other means.

    Moreover, the controller must fulfil the information obligation again towards a person from whom it has already obtained personal data if it wants to extend the catalogue of data it processes. The controller may only collect and process the categories of data about which it has informed the person and for which it has a valid legal basis (for example consent); if it wants to process new categories of data, it has to inform the person again and, where consent is the legal basis, obtain consent for the new data as well. An exception is where the controller merely updates or deletes data it already holds. In that case the controller does not have to repeat the information obligation, because it is already processing these data and has already informed the person about that catalogue of data. Of course, nothing prevents the controller from informing the person even in such a case, but the Regulation does not require it.

    The controller must also fulfil the information obligation when the purpose of the processing changes. This provision is intended to eliminate unfair practices by controllers who could otherwise mislead users and then change the purpose of processing, for instance from mere storage to extracting commercial value from the data. Article 13(3) and Article 14(4) of the GDPR therefore require the controller, before processing the data for a purpose other than the one for which they were collected, to inform the data subject of the new purpose and of any other relevant information. The controller must also have a valid legal basis for the new purpose, for example fresh consent, or a purpose compatible with the original one under Article 6(4). The information about the new purpose must be clear and should again cover the data subject's rights, including the right to object or to withdraw consent where these apply.

    There are also situations where the controller does not have to fulfil the information obligation. The first, and most common, is where the person has already been adequately informed about the processing, regardless of its source, provided that the scope of the processing and the catalogue of data remain unchanged. The article gives as an example a free person search engine that returns, say, e-mail addresses for a known name; whether such a service can actually rely on this exemption depends on whether the persons concerned were in fact informed beforehand.

    Article 14 of the GDPR, which covers data obtained from a source other than the data subject, lists three further cases in which the controller does not have to inform the data subject:

    • where providing the information proves impossible or would involve a disproportionate effort, in particular for archiving, scientific or historical research or statistical purposes, or where it would render impossible or seriously impair the objectives of the processing
    • where obtaining or disclosing the data is expressly laid down by Union or Member State law, which provides appropriate measures to protect the data subject's legitimate interests
    • where the data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law

    However, even where the controller does not have to inform the data subject directly, it should still inform about the processing in a general way - in the "impossible or disproportionate effort" case the Regulation expressly requires the controller to take appropriate measures, including making the information publicly available. In practice this is done, for example, in the footer of an e-mail or of a website, where the terms and conditions and the information about the processing, together with its purpose, can be found. The controller should make every effort to ensure that information about the processing is easily accessible, as otherwise it may be accused of acting in bad faith by hindering access to information about how the data are processed. This is why most companies put their privacy policy, terms and conditions or processing information in the website footer, which is available on every subpage.

    How to implement the duty to inform?

    The duty to inform means informing the person whose data are processed in a clear, legible and concise way, so as to avoid misunderstandings. This is crucial for controllers who collect larger volumes of data: if the catalogue of data and the purposes of the processing are not clearly stated, the controller can be accused of acting in bad faith at any point in the future, and this can turn into legal problems once more people notice the shortcomings. For this reason, it is advisable to use properly prepared GDPR templates or to work with a lawyer who will ensure that the processing information is communicated correctly.

    The information obligation itself can be fulfilled in three forms: in writing, electronically or orally. In written form the information must be legible; in electronic form it must be easily accessible (for example a privacy policy linked from every page); and in oral form it may be given at the data subject's request, provided that the person's identity has been confirmed by other means.

    In order to fulfil the information obligation, the controller should provide, among other things:

    • its identity and contact details, and the contact details of the Data Protection Officer, if one has been appointed
    • the specific purposes of the processing
    • the legal basis of the processing and, where the processing relies on legitimate interests, what those interests are
    • information on the recipients or categories of recipients of the personal data
    • information on whether the data are transferred to third countries or international organisations
    • the period for which the personal data will be stored, or the criteria used to determine it
    • information on the data subject's rights: access, rectification, erasure, restriction of processing, objection and data portability
    • information on the possibility of withdrawing consent to the processing, where consent is the legal basis
    • information on the possibility of lodging a complaint with the President of the Office for Personal Data Protection (the Polish supervisory authority)
    • information on whether providing the data is a statutory or contractual requirement, whether the person is obliged to provide them, and the consequences of not providing them
    • information on whether the data are subject to automated decision-making, including profiling, and the consequences of this for the data subject.

    Additional requirements apply when the data do not originate from the data subject. In that case the controller must additionally state the source of the personal data and the categories of personal data concerned.
