1 Who is this guide designed for?

Transcription

1

2

3 Contents 1 Who is this guide designed for? What does the GDPR change regarding the duty to inform? Who must be informed and when? Where and how to inform? Layered information Basic information (first layer) Additional information (second layer) Controller Purpose Legitimation Recipients Rights Origin... 14

4 1 Who is this guide designed for? The General Data Protection Regulation 1 (hereinafter, the GDPR), published in May 2016 and applicable as of 25 May 2018, directly applies throughout the European Union, covering the protection of individuals regarding the processing of personal data and the free circulation of these data. As of May 2018, the GDPR shall replace the current Organic Data Protection Law 2 (hereinafter, LOPD) and its implementing regulation RD- 1720/2007. It introduces a series of changes and developments that current processing operations must adapt to before the date of full implementation. The specific purpose of this Guide is to offer best practices to comply with the duty to inform data subjects, under the principle of transparency, of the circumstances and conditions of data processing and their rights. This guide only covers this specific purpose, and must be complemented with other guides issued by the Data Protection Agency to implement the GDPR. This Guide is designed firstly for Data 3 Controllers subject to the GDPR, as well as professionals who contribute, either within their Organisations or as Data 4 Processors, to advising Data Controllers on their obligations under the Regulation. This guide is also designed for individuals who carry out or will carry out the role of Data 5 Protection Officer (hereinafter, DPO), a new position in our field, afforded a significant role by the GDPR. 2 What does the GDPR change regarding the duty to inform? Currently, the LOPD establishes the following obligations regarding the information to be provided to data subjects when data is requested: If there is a file or processing, its purpose and recipient. Whether a response is mandatory or not, and its consequences. The possibility of exercising the rights of access, rectification, erasure and objection. The identity and contact details of the data controller. 1 Official State Gazette (BOE): 2 Official State Gazette (BOE): 3 Controller : natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing 4 Processor : natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller 5 Data Protection Officer : natural or legal person, employed as a staff member or under a service contract, who informs and advises the Controller, the Processor and other employees on their obligations under the GDPR and monitors compliance, cooperating and acting as a point of contact with Control Authorities GUIDE TO COMPLY WITH THE DUTY TO INFORM 2

5 From now, the GDPR adds additional requirements regarding the need to inform data subjects, generalising the concept of Processing 6, and incorporating the following details: The contact details of the Data Protection Officer, if any The legal basis or legitimation for processing The period or criteria for storing information The existence of automated decisions or creation of profiles The possibility of transfers to Third Countries The right to bring a claim before Control Authorities And, if the data are not obtained from the data subject: The source of the data Categories of data Therefore, the procedures, models or forms designed pursuant to the LOPD must be reviewed and adapted by Data Controllers prior to the full implementation of the GDPR, incorporating the new requirements pursuant to the guidelines in this guide. As the new requirements extend and do not contradict the obligation to inform set forth in the LOPD, we recommend revising and applying this adaptation as soon as possible. For more details, please consult Articles 13 and 14 of the GDPR regarding the right to information of data subjects. 3 Who must be informed and when? The obligation to inform data subjects of how their data are processed lies with the Data Controller. Information must be provided to data subjects at the time the data is requested, prior to collection or recording, if the data is obtained directly from the data subject. If the data is not obtained from the data subject, under legitimate transfer, or from publicly accessible sources, the Controller shall inform data subjects within a reasonable period, but in any case: within a month from obtaining the personal data before or in the first communication with the data subject before the data have been communicated to other recipients, if at all This obligation must be met with no need for any request, and the controller must be able to subsequently accredit that the obligation to inform has been satisfied. 6 Processing : any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (the GDPR does not use the concept of file ) GUIDE TO COMPLY WITH THE DUTY TO INFORM 3

6 When is there NO obligation to inform? There is only no need to inform when the data subject already has the information, or if the data does not come from the data subject, when: communication is impossible or requires disproportionate effort the record or communication is expressly established by Union or Member State law when the data must remain confidential due to a legal duty to secrecy 4 Where and how to inform? Information collection procedures can be varied and, therefore, the methods for informing data subjects must adapt to the circumstances of each means used to collect or record data. For example, some of the most common data collection methods, and therefore, the methods used to inform, could be: Paper forms Web browsing or forms Personal activity data Telephone interviews Mobile application records Sensor data (IoT) Furthermore, communications to the data subject regarding data that is already available, or additional processing, can be sent by means including: Post Electronic messaging Pop-up notifications in services and applications The characteristics of each of these means vary regarding extension, availability of space, legibility, the possibility of linking information, etc. In any case, information must be provided to data subjects: in a clear and simple language in a concise, transparent, understandable way that is easy to access 5 Layered information To make the greater requirement for information introduced by the GDPR compatible with presenting it in a concise, easily understandable manner, Data Protection Authorities recommend adopting a layered or level-based information model. The multi-level approach to information consists of: presenting basic information first, in a summarised format, at the time and via the means used to collect the data sending second-level additional information, presenting the rest of the information in a detailed manner, using a means suitable for its presentation, understanding and, if required, storage GUIDE TO COMPLY WITH THE DUTY TO INFORM 4

7 The set of information required by the GDPR can be grouped into specific headings for the purpose of organisation and presentation, particularly regarding the summarised information to be presented in the first layer or level. For example, one recommended grouping and the information to be presented in each layer or level is: Heading Controller (of data processing) Purpose (of the processing) Legitimation (for the processing) Recipients (of transfers) Rights (of data subjects) Origin (of data) Basic information (1st layer, summarised) Identity of the Data Controller Simple description of the purpose of processing, including creating profiles Legal basis of processing Intention to Transfer or not Intention to Transfer, or not, to third countries Reference to exercising rights. Source of the data (when not from the data subject) Additional information (2nd layer, detailed) Controller contact details Identity and contact details of the representative Data Protection Officer contact details Extended description of the purpose of processing Periods or criteria for storing information Automated decisions, profiles and applied logic Details of the legal basis of processing, in the case of legal obligation, public interest or legitimate interest. Obligation or not to provide data and the consequences of no doing so Recipients or categories of recipients Adequacy decisions, guarantees, binding corporate rules or applicable specific situations How to exercise rights to access, rectification, erasure and portability of data, and restriction or opposition to processing Right to withdraw consent provided Right to bring a claim before the Control Authority Detailed information on the origin of data, even if they come from publicly accessible sources Categories of data processed We recommend always presenting the first five headings ( Controller, Purpose, Legitimation, Recipients and Rights ), only adding the sixth heading Origin if the data do not come from the data subject. It is important to note that this multi-level approach was introduced to make the Data Controller s task easier when designing procedures and forms, and so that data subjects receive the most relevant information in a quick, simple manner, but without any prejudice to the principles of lawfulness, loyalty and transparency set forth in the GDPR. GUIDE TO COMPLY WITH THE DUTY TO INFORM 5

8 6 Basic information (first layer) The preferred manner of presenting this first layer is in table format (similar to how nutritional information is presented on food), ensuring that this information is within the field of view of the data subject, depending on the means used to collect the information. It must be clearly identified with a title such as Basic information on data protection On an application form, for example, the basic information must be in the same field of view as the space for consenting to the application (signature on paper, or the send button on an electronic form); it must also be included in the copy available to the data subject. If this is not feasible due to design restrictions, a note or warning must be included in the field of view of the signature, informing the data subject where the table with information on data protection is located. Example: before signing the application, please read the basic information on data protection available ( on the back, in the footer, etc. ) Legitimation refers to the legal basis for processing; this is regulated in the GDPR 7, with the following possibilities 8 : Performance of a contract Compliance with a legal obligation Public interest or Exercising Public Authority Legitimate interest of the Controller or Legitimate interest of a third party Consent from the data subject When a processing operation has various purposes, the legitimation of the main purpose for processing shall be noted here. Recipients must always be included in the basic information, even if there is no plan to communicate data to third parties, as this contributes to data subjects understanding the processing better. Example: Data shall not be transferred to third parties, except under legal obligation Rights must also always appear in the basic information, although a brief reference to the most common rights can be made, as well as reference to the relevant heading in the additional information. Example: You have the right to access, rectify and erase data, as well as other rights, as explained in the additional information section 7 For more details, please see Article 6 of the GDPR on the lawfulness of processing 8 This does not include legitimation based on the protection of vital interests of the data subject or another individual. For more information, see below, in the relevant heading of the additional information. GUIDE TO COMPLY WITH THE DUTY TO INFORM 6

9 Finally, in addition to the summarised information table, there must be a clear indication of where or how to access second-level additional information. Example: You can consult additional and detailed information on Data Protection ( text instructions, hyperlink, etc. ) Example of Basic information on paper A trivial case of summarised information, in table format, used on a paper form to subscribe to a magazine, for example, could be: Basic information on Data Protection Controller Ediciones Warren&Brandeis, S.A. Purpose Managing subscription Legitimation Performance of a contract Data shall not be transferred to third parties, Recipients except under legal obligation To access, rectify and erase data, as well as Rights other rights, as explained in the additional information section You can consult additional and detailed Additional information on Data Protection on our website: information Note that, although this is a paper form, a hyperlink to additional information has been included as it is assumed that this is a case of limited space. Example of Basic information in electronic format A case of summarised information used on a web form, for example, to request the download of certain documentation which requires registering in a commercial information distribution list, could be: Controller Purpose Legitimation Recipients Rights Additional information Basic information on Data Protection Ediciones Warren&Brandeis, S.A. more info To manage sending commercial information and marketing materials more info Consent from the data subject more info Other Warren&Brandeis, Inc. group companies Data Processors outside the EU, adhered to the Privacy Shield more info To access, rectify and erase data, as well as other rights, as explained in the additional information section more info You can consult additional and detailed information on Data Protection on our website: GUIDE TO COMPLY WITH THE DUTY TO INFORM 7

10 Note that the example includes a hyperlink with the basic information provided, which would lead to the relevant heading in the additional information. This practice is recommended when informing via electronic means. Example of Basic information during a telephone interview Basic information must be provided during a telephone interview as a clear and concise statement, ensuring that the individual has understood the information provided, before collecting information. The individual will be offered additional information by another means, but if the data subject requires any clarification, they must be provided with a complementary statement with the additional information from the heading they requested. 7 Additional information (second layer) The information provided in the second layer must provide complete details on the summarised information, as well as add the additional information required by the GDPR that was not included in the first layer. The information provided in this second layer must be complete, i.e., do not omit information because it was already included in the basic information. How can additional information be provided? How this second layer is provided also depends on the characteristics of the means used to inform, although there must be no limit to the length of the information. In this case, the possibilities are more flexible: Additional information on paper: On the same form (e.g., on the back) As an appendix or supplement provided to the data subject, which they can keep As clearly visible information on posters, panels, leaflets, etc., of which a copy can be requested for keeping. Electronic additional information On a specific website via a hyperlink As a document available for download from a URL As an attachment to an sent to the data subject Additional information by telephone: A statement offered to the data subject, as a supplement or alternative to offering additional information available online, or sent by post or . What language should I use? The language used must be clear, concise and understandable. As a style guide, you can follow these guidelines: We suggest using a well structured format, based on questions and answers, following the headings described above. GUIDE TO COMPLY WITH THE DUTY TO INFORM 8

11 You must seek a balance between conciseness and accuracy; avoid circumlocution, unnecessary explanations or confusing details Avoid overusing legal quotations, confusing jargon, or terms that are ambiguous or have little meaning for the recipients What information should be included in each heading? The length or level of detail for each heading will depend on the complexity of the specific circumstances. The sections below explain the variations applicable to each heading, including practical examples related to the hypothetical cases used above ( Ediciones Warren & Brandeis, S.A. ). Transparency and loyalty can also be improved by voluntarily providing additional information that is not required by the GDPR on: Best practices, guarantees and additional measures applied Uses and practices that will be expressly avoided in order to contribute to improving personal data protection and generating trust in data subjects. 7.1 Controller Although the identity of the data controller will have been provided in the basic information, this must be completed in the additional information to include the following details: Identity and contact details of the Controller and, where appropriate 9, their representative Contact details 10 of the Data Protection Officer, if any The contact details must include, as appropriate, a postal address and an electronic address, if available. It is preferable to always provide a localised postal address, although a PO Box can also be provided. The electronic address could be, for example, an address or a URL that leads to an electronic contact application or form. Example: Who is the Data Controller for your data? Identity: Ediciones Warren&Brandeis, S.A. - Tax ID: A Postal address: Calle Universidad de Harvard, nro Madrid Telephone: info@warrenbrandeis.com Data Protection Officer: DPO contact: 9 If the Controller is not established in the European Union, they must appoint a representative in the Union. For more information, see Article 27 of the GDPR 10 There is no need to provide the identity of the Data Protection Officer, merely their contact details GUIDE TO COMPLY WITH THE DUTY TO INFORM 9

12 7.2 Purpose In addition to the summarised purpose provided in the first layer, more details must be given on the purposes of processing the personal data, including the period during which such personal data shall be stored or, when this is not possible, the criteria used to determine this period. Remember that the purpose limitation principle establishes that the data will only be collected for specific, explicit and legitimate purposes, and they will not be further processed in a manner that is incompatible with those purposes. When further processing of personal data is planned for a purpose other than that for which they were collected, the data subject will be provided information on this other purpose and any relevant additional information before such further processing. Data subjects will also be informed of any automated decisions, including creating profiles and, at least in such cases, significant information will be provided on the logic applied, as well as the importance and expected consequences for the data subject of such processing 11. Example: For what purpose do we process your personal data? At Warren & Brandeis we process the information provided by individuals for the purpose of ( managing sending the information requested / providing data subjects with offers on products and services of interest / ) For the purpose of ( offering you products and services according to your interest / improving your user experience ), we will create a commercial profile based on the information provided. No automated decisions will be made based on this profile. How long will we store your data? The personal data provided shall be stored ( for the duration of the commercial relationship, / if the data subject does not request erasure / for a period of xx years after the last confirmation of interest ). Avoid including purposes that are too generic or unspecific, which may lead to further processing that exceeds the reasonable expectations of the data subject. 11 For more information on automated decisions, see Article 22 of the GDPR GUIDE TO COMPLY WITH THE DUTY TO INFORM 10

13 7.3 Legitimation As indicated for the basic information, this heading refers to the legal basis for processing. In addition to the basic information offered in the first layer, the following must be indicated, as appropriate: Legitimation based on performance of a contract: When processing is necessary to perform a contract (mercantile, labour, administrative, etc.) the data subject is party to, or to apply pre-contractual measures, a reference will be made to the contract or type of contract involved, with sufficient detail to ensure no ambiguity. Legitimation based on compliance with a legal obligation: When processing is necessary to comply with a legal obligation applicable to the data controller, i.e., an obligation under Union law or domestic law, there must be an unambiguous mention of the legally binding rule imposing the obligation. Legitimation based on Public Interest or Exercising Public Authority: When processing is necessary to comply with public interest or exercise public authority conferred to the data controller (as in the case of the public sector), there will also be an unambiguous mention of the legally binding rule conferring the public powers or qualifying the activity as being in the public interest. Legitimation based on the Legitimate Interest of the Controller, or a third party: When processing is necessary to satisfy the legitimate interests pursued by the data controller or a third party, these interests shall be specified. It is considered best practice to include a summary weighting the legitimacy 12 compared to the interests, and rights and freedoms of the data subject when this contributes to the principle of transparency. Legitimation based on consent from the data subject: When the legitimation of the main purpose does not fall under any of the above legal bases, consent to process their personal data must be requested from the data subject and noted in this section 13. If the main purpose is legitimated by any of the legal bases mentioned above, but any specific purpose requires consent from the data subject, both grounds for legitimation shall be noted. In this later case, the data subject must be informed that the main purpose is not subject to consent for the data not required for this main purpose as otherwise consent would not be considered to be freely granted. 12 Determining when a specific interest of the Controller can be classified as legitimate is beyond the scope of this guide. For more information, see Article 29 Working Party Opinion 06/2014 on the concept of legitimate interest, available at: 13 Consent management conditions are beyond the scope of this guide. For more information, see Article 29 Working Party Opinion 15/2011 on the definition of consent, available at: GUIDE TO COMPLY WITH THE DUTY TO INFORM 11

14 If there is a legal or contractual requirement to communicate data, or it is a necessary requirement to sign a contract, as may occur in the first three cases of legitimation, the data subject must be informed if they are obliged to provide personal data, as well as the consequences of not doing so. Finally, the GDPR also includes protecting the vital interests of the data subject or another individual among the possible legal bases for processing. This has not been included among the legitimation grounds as it is considered a residual circumstance, applicable to special, urgent or unexpected situations, and must not be a general cause for legitimating processing. Example: What is the legitimation for processing your data? The legal basis for processing your data is the performance of a subscription contract for the magazines in our order portfolio ( according to the terms and conditions stated in ) Products and services are offered based on the consent requested; in no case does withdrawing this consent affect the performance of the subscription contract Avoid practices such as including pre-checked boxes in consent management procedures, taking into account the requirement imposed by the GDPR that consent must be given by means of a clear affirmative action that reflects the free, specific, informed and unequivocal will of the data subject. 7.4 Recipients When the personal data collected are to be legitimately transferred or communicated, information must be given on the identity of the recipients, if they have been clearly predetermined, or the categories of recipients, if they have not been determined in advance. Specifically, it is also advisable to provide information on any Processors whose legitimacy for processing is to perform the processing contract, especially if this entails transfers to third countries. Example: What recipients will receive your data? Data will be communicated to other Warren&Brandeis, Inc. business group companies for internal administrative purposes, including processing the personal data of customers or employees. Warren&Brandeis, Inc. has Binding Corporate Rules, approved by the European Data Protection Committee and available at: Warren&Brandeis S.A contracts its virtual infrastructure according to a cloud computing model via AWS and under the EU-US Privacy Shield agreement. - Information available at: GUIDE TO COMPLY WITH THE DUTY TO INFORM 12

15 When personal data are to be transferred to a third country or international organisation, data subjects must be informed of the conditions affecting the transfer, and specifically of the existence or absence of a Commission adequacy decision regarding the third country or international organisation. When the controller provides suitable or appropriate guarantees, information on these guarantees will be provided, as will the means to obtain a copy thereof, or of the fact that they have been provided. Such guarantees could be: 7.5 Rights binding legal instruments between public authorities or bodies binding corporate rules 14 within a group of undertakings standard data protection clauses codes of conduct certification mechanisms This heading must offer information on the rights of data subjects in relation to the Controller, according to the GDPR. These are: Right to request access to the personal data of the data subject Right to request their rectification or erasure Right to request restriction of processing Right to object to processing Right to data portability The Controller must provide clear information on how the data subject can exercise these rights by providing them with forms and explaining how to contact the Controller to file their request. Optionally, the Controller can refer the data subject to the relevant Control Authority for additional information on their rights. If consent has been given for a specific purpose, the data subject must also be informed of their right to withdraw consent at any time, and that this will not affect the lawfulness of processing based on consent prior to withdrawal. Furthermore, data subjects must also be informed that they can bring a claim before the Data Protection Control Authority, particularly if they have not been able to exercise their rights, and how to contact the authority. 14 binding corporate rules : personal data protection policies which are adhered to by a controller or processor established in the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity GUIDE TO COMPLY WITH THE DUTY TO INFORM 13

16 Example: What are your rights when you provide data? Any individual is entitled to obtain confirmation on whether Warren&Brandeis is processing their personal data or not. Individuals have the right to access their personal data, request the rectification of inaccurate data or, if appropriate, request their erasure when the data are no longer necessary for the purposes for which they were collected, among other grounds. In certain circumstances, individuals can request the restriction of processing of their data. In this case, we will only store them to file or defend any claims. In certain circumstances and based on their specific situation, individuals may object to the processing of their data. Warren&Brandeis will cease processing data, except for compelling legitimate reasons, or to file or defend any claims. ( ) The above example does not cover all situations. It is not intended to cover all possible information, nor is it a model applicable to all processing operations; on the contrary, its only purpose is to illustrate a possible style of information in specific cases, with the minimum information that should be offered. 7.6 Origin The heading on the origin of data only needs to be included if the personal data have not been obtained from the data subject because they come from a legitimate transfer or a publicly accessible source. The means for providing this information will usually be different from those used to inform data subjects when collecting data. The most suitable means could be: Post Instant messaging The suitability of the means must be weighted against the need to demonstrate compliance with the duty to inform. In the case of mail or , the most suitable practice is: include the basic information in the notification informing the data subject of processing, expanded with the summarised Origin heading attach the additional or full information as an appendix or supplement, including the extended Origin heading optionally, include a link to the additional information in electronic format In the case of instant messaging, you can only include a brief reference to the nature of the communication plus a link to the additional information in electronic format; therefore, this means should only be used when there is no other possibility. An informative statement by telephone does not seem appropriate. GUIDE TO COMPLY WITH THE DUTY TO INFORM 14

17 In this case, the information provided must be: the source of the personal data and, where appropriate, if they come from unrestricted publicly accessible sources the categories of personal data processed, indicating any sensitive personal data Example: How have we obtained your data? The personal data processed by Warren&Brandeis S.A come from other Warren&Brandeis Inc. group businesses. The categories of data processed are: o Identification data o Identification codes o Postal or electronic addresses o Commercial information o Economic data No sensitive personal data is processed GUIDE TO COMPLY WITH THE DUTY TO INFORM 15

18