How to properly draft your privacy policy or what is the meaning of the information obligation under GDPR?

Written by Lenka Katríková

The hottest topic these days seems to be the GDPR, and, apparently, it needs no introduction. We are sure you have done your research and legwork and have studied the matter enough to understand terms such as personal data, data subject, controller, etc. Still, what about the principle of transparency when it comes to the processing of personal data, which is so often mentioned in the GDPR?

The principle of transparency means, or rather requires, that all information and communication relating to the processing of personal data be concise, easily accessible by and intelligible to data subjects, and written in clear and plain language. At the same time, the GDPR says that individuals should be informed of all risks, rules, safeguards and rights with respect to the processing of their personal data. Here we come across a fundamental problem: how can such a huge amount of information concerning the processing of personal data be made easily understood, concise and clear? In real life, this proves rather complicated.

The obligation to inform data subjects of the basic terms & conditions of processing their personal data is one of the most important obligations provided by the GDPR. This is because no matter what personal data you process or for what purpose, or whether you do so with or without the data subject’s consent, it is always important that you fulfil your information obligation and provide the data subjects with the information laid down in Article 13 of the GDPR, or, where personal data is not obtained directly from the data subjects, you are required to communicate the information provided in Article 14 of the GDPR.

How do you then properly perform this information obligation?

When processing personal data on your website (typically when personal data are entered into forms to receive newsletters, enter competitions, have goods delivered, etc.), you can fulfil the information obligation by publishing the terms & conditions of data processing on your website. If you monitor your brick-and-mortar store by CCTV, it is appropriate to display these terms & conditions visibly in your store, make them part of the sign informing customers that they are being monitored by CCTV, or refer to your website where the terms & conditions can be found. When processing personal data of your employees, you should inform them accordingly, for example by posting the terms & conditions at the workplace. It needs to be emphasized that you may use several methods simultaneously to meet your information obligation: for the sake of legal certainty, you may post the terms & conditions on your website and also physically display them on the premises where the data subjects are present or where they are able to read them. A frequent question that comes up in this context is whether businesses may include the data processing information in their general business terms if they process personal data by reason of signing contracts and supplying goods and/or services. The answer is yes, but the GDPR requires that this information be clearly distinguishable from the other parts of the general business terms, for instance by giving the data processing terms a separate title.

How should you then approach the information obligation proper and what should the terms & conditions of processing personal data contain? Given the broad topic, this section will only deal with cases where personal data is obtained from the data subject. If you want to make sure your privacy policy is on track, it should contain at least the following information:

  • Firstly, introduce the data controller and provide its identification data, including contact details; we suggest stating not only the postal address but also the phone number and e-mail address.
  • Provide the contact details of the data protection officer (DPO). If no DPO has been designated, state that you have not appointed one, as the GDPR does not require this.
  • Provide the purposes and the legal basis for the processing. If you process data for several purposes, name each of them clearly and provide the legal basis for each, for example:
    • purpose: entering into a contract with the customer, processing customer orders and delivering goods or services, issuing invoices, pairing payments with orders;
    • legal basis: Article 6 (1) (b) GDPR - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • State the legitimate interest of the controller where the processing of personal data relies on this legal basis (Article 6 (1) (f) GDPR). How the controller defines the legitimate interest is expressly at the controller's discretion, but we recommend phrasing it as broadly as possible and, where appropriate, adding an explanation of why the interests or fundamental rights and freedoms of the data subjects do not prevail in this case.
  • Name the recipients or categories of recipients. This group includes the persons to whom personal data are provided; most frequently these are processors, such as the persons in charge of the controller's accounting and bookkeeping.
  • Where personal data are transferred outside the European Union to third countries or to an international organisation, include information on such transfer and on the appropriate level of data protection. In this context, controllers often fail to realise that such a transfer of personal data to a third country happens every time a website uses a data centre storing data outside the EU, and the controller is then obliged to address this issue accordingly.
  • Indicate the storage period or the criteria for determining it. Where practicable, we always recommend specifying the period during which data are stored; the length of this period is determined by the controller depending on the purpose of the processing (e.g. for billing data necessary for performing a contract, the period should as a rule be ten (10) years, as this is required by law).
  • Inform the data subjects of their rights under the GDPR. These include the right to access their personal data, to have their data rectified or erased, to restrict the processing, to object to the processing, and the right to data portability. We recommend adding a short explanation with each right of how the data subject may exercise it (e.g. by sending a request to the address of the controller, by changing web browser settings, etc.).
  • Instruct the data subjects on the option to withdraw their consent to the data processing, where the processing is based on consent.
  • Inform the data subjects of the option of lodging a complaint with the Office for Personal Data Protection of the Slovak Republic.
  • Inform the data subjects whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary for entering into a contract, whether the data subject is obliged to provide the data, and what the consequences of failing to do so are.
  • Where automated decision-making, including profiling, takes place, inform the data subjects accordingly.

As you can see, making sure the privacy policy terms are easily understood, concise and simple may prove quite a feat, considering the sheer extent of the information the controller is obliged to provide to the data subjects. On top of that, correctly specifying the purpose and the legal basis for the data processing is a hard nut to crack even for lawyers, let alone regular entrepreneurs who are usually no experts on this issue. That said, since it seems reasonable to assume that the correct and timely fulfilment of the information obligation in accordance with the basic transparency principle under the GDPR is exactly what the Office for Personal Data Protection of the Slovak Republic will look into in case of an inspection, it is wise to spend the time and money to have a detailed privacy policy drafted that fully complies with the GDPR.

Stentors 2018 © All Rights Reserved