Information of data subjects: how and when?

Published on 25 August 2022

Four years after the entry into force of the GDPR, information and transparency toward data subjects are still at the heart of the news. While companies are becoming increasingly aware of this obligation of information imposed by the GDPR, some uncertainty remains regarding the following points: the content and the degree of precision of the information to be provided to data subjects, the time of the provision of information and especially the practical modalities of this provision.

In addition to the clarifications provided by the EDPB guidelines on transparency and the practical recommendations on the website of the French Data Protection Authority (CNIL), to achieve the right level of compliance on information to individuals, we can now also draw on some insights provided by the CNIL in the sanctions it has published since 2020.

1. The right to information

The right to information of individuals is enshrined in Articles 13 and 14 of the GDPR. These articles exhaustively list all the information to be provided by the data controller to the data subject whenever personal data is collected.

Before looking at the content and timing of the information to be provided, two points must be considered: the responsibility for providing the information to the data subject and the different ways in which data is collected.

Regarding the responsibility for providing information, the GDPR specifies that this obligation is incumbent on the controller. Therefore, before any collection of personal data, the collecting entity needs to determine whether it has the status of data controller. This point becomes even more important when the processing of personal data is carried out by several actors, who may be partners or service providers. In any case, the responsibility for informing the data subjects never lies with the processor, even if it carries out the processing entirely. It is the responsibility of all parties that qualify as data controllers.

Regarding the different ways of collecting data, Articles 13 and 14 of the GDPR draw a distinction between direct and indirect collection. Direct collection occurs when data is collected directly from the data subject, for example, through an online data collection form (e.g., contact form, account creation form, newsletter subscription form, collection of data through cookies, oral collection of information from the data subject, collection of data through video surveillance devices, geolocation, use of IT tools, etc.). In contrast, indirect collection is when the data has not been collected directly from the data subject. The data may have been transmitted by a partner (for example, purchase or rental of databases or files, collection of data from social organizations or administrations, etc.). In the case of indirect collection, additional information must be provided to the data subject.

To adapt the content of the information to be provided, it is important to identify all the means of collecting or obtaining the data within the company. This preliminary work will make it possible to ensure the conformity of the provided information.

Furthermore, when and by what means must the data controller provide this information? What should this information include?

2. When to inform the data subjects?

The moment when data subjects should be informed depends on the nature of the collection. Indeed, the GDPR specifies that when personal data are collected directly from the person, the information must be provided at the time of collection. In contrast, when personal data is collected indirectly, the individual must be informed within a reasonable period, and no later than one month following the collection. In this case, two options can be considered:

– If the data is used to communicate with the individual, the information must be provided no later than the first communication.

– If the data is to be communicated to a third party, the information must be provided at the latest when the data is communicated to the third party for the first time.

In both cases, if this first communication is planned one or more months after the collection, the information period is reduced to one month.

In practice, the data controller must identify all the sources of data collection within its company, classify them and ensure that a notice is present for each source of collection. For example, in the case of direct collection, the disclosure statement must be present on each data collection form on the website. If there are paper data collection forms, the statement must be present on each paper form.

In the case of indirect collection, it is important to identify and schedule the first communication with the individual after the database is acquired. It is therefore important to date the acquisition of a database to comply with the requirements of the GDPR. In the compliance process, a template for a statement or email should be established with wording that includes all the different sources of indirect collection understandably and transparently.

3. How to inform individuals?

The means used to inform the data subject must be adapted to the means of data collection. The goal of this is to ensure proper transparency to data subjects.

One of the most stable ways to provide information to data subjects is to publish a comprehensive privacy policy on the company’s website. This privacy policy should not be limited to the data processing done only through the website but should include all the processing of personal data done by the company.

The CNIL lists some of the means that may be acceptable: a recorded message for telephone calls, a paper notice delivered by hand or posted on the company’s premises, notices in contractual documentation or information brochures, emails, visible information panels, icons, etc. The list is not exhaustive. It is up to the data controller to find the most appropriate modality depending on the service or product provided.

Some practical examples:

– If the data subject downloads an application, the information can be included in the General Terms of Use, in a privacy policy, or in a dedicated portal within that application;

– If the data controller collects business cards at trade shows, it may send an informational email the day after or a few days after the event;

– If the data subject makes a purchase on an e-commerce site, he or she may be informed before validating his or her purchases through a mention in the General Terms of Sale, in the privacy policy, or through the information mentions under the purchase form;

– In the case of purchase or rental of databases, the information can be provided in an email sent to individuals.

– If the data is collected directly through tools made available to employees, the information may be provided in an information notice given to employees.

Whatever the means of data collection, information must be provided to the data subject. The CNIL recently reminded TotalEnergies of the obligation to inform the data subjects, even in the context of a telephone call. It specified that: “The essential information concerning the processing of their data was not communicated to the persons contacted, nor were they offered the possibility of accessing more information, for example by activating a key on their telephone keypad […] It is sufficient to give access to a pre-recorded message to the data subjects by pressing a key:

For example: “To access the information notices please press key 2”.”

Regarding online data collection forms, it should be noted that the notice must be present on each form on the website. The notice must be clearly visible and contain the information required by the CNIL.

Regarding the design and clarity of the information, Article 12 of the GDPR specifies that the information must be transmitted “in a concise, transparent, understandable and easily accessible manner, in clear and simple terms”. In practice, this must translate into the use of clear and non-legal terms. On this point, the CNIL has provided a table to simplify certain legal terms to make them more understandable and thus meet this obligation.

The requirement for clarity of understanding is even stronger when it comes to minors. Indeed, the CNIL recommends providing information under an adapted design for services used by minors. To do so, the information must be even clearer, more concise, and understandable, because the difficulty of exercising one’s rights is even greater for minors.

This requirement of clarity must be a criterion for analyzing the compliance of the information notices drafted by companies. The CNIL had the opportunity to remind us of this in its sanctions against the companies Carrefour Banque and Carrefour France on November 18, 2020. Indeed, it considered that: “The information provided to users of the carrefour.fr and carrefour-banque.fr websites as well as to people wishing to join the loyalty program or the Pass card was not easily accessible (excessively complicated access to the information, in very long documents containing unrelated information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations)”.

4. What should be included in the information to be provided?

The content of the information to be provided to data subjects is specified in Articles 13 and 14 of the GDPR. These elements are mandatory. Omitting a piece of information that should be provided constitutes a breach of the GDPR. The CNIL had the opportunity to remind the company Bricoprivé of this: it was fined 500,000 euros for non-compliance with transparency requirements because the information provided on the company’s website did not include all the mandatory information required by the GDPR.

The only exemption granted by the CNIL concerns the online environment, for which the CNIL specifies that it is possible to provide partial information, by referring to a more complete privacy policy that would contain all the mentions required by the GDPR. This means that a data collection form on a website must contain a shorter set of priority notices. This will only be considered compliant if the notices are accompanied by a hyperlink to a more complete notice or policy. The high-priority elements, in this case, are the following:

– the identity of the data controller;

– the purposes;

– the rights of the data subjects;

– if applicable, essential information that guarantees the transparency of the processing.

The more complete statement must then contain all the information required by Articles 13 and 14 of the GDPR. In fact, in a sanction pronounced against the Nestor Company, the CNIL noted that not all the mandatory information was present on the collection form and that the latter: “did not refer to a dedicated page that would have contained the missing information”.

The statements listed in Articles 13 and 14 are as follows:

  • The identity and contact details of the data controller (and, if applicable, its representative)

The name of the company that is responsible for processing the data must be indicated. When data is collected through an online form, the identity can also be specified by the name of the website (e.g. www.my-smart-fridge.com).

Similarly, when it is an informative email, the identity is normally already specified via the name of the sender (example: contact@my-smart-fridge.com).

The data subject then knows who is addressing them. It is important to avoid sending emails from an ambiguous email address, which does not allow the data subject to identify the sender (example: contact@xmail.com).

In any case, whether it is an information email, a letter of information, or even a privacy policy, it is preferable to start the text by presenting the company’s activity in one line. Example: “my-smart-fridge is a company based in France that markets connected refrigerators”.

The identity of the data controller must be accompanied by its contact information. For example, the main address or the address of the company’s registered office. If the contact information is the same as that of the DPO, it will also need to be reiterated in the dedicated section of the statement, so that data subjects can know to contact the company or the DPO at that address.

Where the company is not located in the European Union and must appoint a representative within the European Union, the name of this representative and their contact information must be included in the notice.

  • If applicable, the contact details of the Data Protection Officer (DPO)

Even if the company is not obliged to appoint a data protection officer, it can at least designate a contact person to whom data subjects can turn to exercise their rights. If no contact person has been designated, the legal department or the customer service department may be charged with this task. In any case, if a DPO has been appointed, its contact details (email and postal address) must be indicated.

  • The purposes of the processing and its legal basis

The company must explain simply and explicitly the purpose for which it collects the data subject’s data and the legal basis on which it is based.

For example: “We collect your personal data to offer you our best promotions and commercial offers, based on your consent”.

When data is collected for more than one purpose, all of them should be specified.

For example: “Your personal data will be processed in the context of personnel administration, payroll management, health insurance registration, leave and absence monitoring, and training management”.

In the case of a processing activity involving an Artificial Intelligence system, the CNIL indicates that the Data Controller must ensure that clear information is provided to individuals, particularly with regard to the use of such a system.

All the purposes of processing must be indicated, both those carried out directly through the website and those carried out outside the website.

To ensure the completeness of the purposes listed, the data controller may perform a comparative analysis with the record of processing operations, ensuring that all identified processing operations have been notified to the data subjects.

The legal basis should not be indicated globally for all the purposes listed. A legal basis must be indicated for each purpose.

  • The legitimate interests of the controller (or of a third party), when they constitute the legal basis

For processing activities whose legal basis is the legitimate interest of the controller, this legitimate interest must be detailed. The legitimate interest can be defined as the benefit that can be derived from the processing. It can only constitute a legal basis if the interests of the data subjects are sufficiently respected. A company may have a legitimate interest in knowing the preferences of its customers to adapt its offer, but if it has to monitor its customers online and offline, without any limits, it cannot rely on the legitimate interest as a legal basis. In return, there must be protective measures for the rights and freedoms of individuals. For example: “This processing activity is carried out based on the legitimate interests of the company my-smart-fridge, insofar as it allows us to adapt and improve the services we offer you.”

  • If applicable, the recipients or categories of recipients

This element refers to the persons or organizations that will have access to the data collected, whether internally (different departments or subsidiaries of the company) or externally (business partners, service providers, B2B customers). All internal and external recipients must be identified. The categories of recipients may include:

– the internal departments to which the data are transmitted;

– service providers or subcontractors who process the data on behalf of the company;

– public administrations or social organizations;

– the company’s partners (subject to the consent of the data subjects);

– regulated professions to which the company may have recourse in the context of litigation management (lawyers, bailiffs, etc.).

For example: “Your data will be processed by our Sales Department and our Marketing Department. It will be transmitted to some of our email campaign providers”.

  • The existence of a transfer outside the EU and the related guarantees

If personal data is transferred outside the European Economic Area (to a subsidiary, to a service provider, etc.), this must be specified. The legal basis for this transfer should also be mentioned: Is it an adequacy decision? Binding Corporate Rules (BCR)? Standard Contractual Clauses (SCCs)?

If possible, the country of destination should also be specified.

Example: “Your data may be transferred to our subsidiaries in Brazil and Vietnam, with which we have concluded standard contractual clauses.”

In the decision sanctioning Carrefour France and Carrefour Banque, the CNIL noted that: “Concerning the carrefour.fr website, the information provided was also insufficient about data transfers outside the European Union and to the legal basis for the processing”.

In case of a data transfer, the Data Controller should therefore ensure that the country of destination is specified, as well as the guarantees put in place to safeguard the transfer.

  • The retention period or the criteria allowing it to be determined

The period of retention of the data set by the company must be indicated. This period must not exceed the periods provided for by law. A retention period must be indicated for each processing purpose listed. The mention of a global duration for all the processing operations can be considered non-compliant by the CNIL, e.g. “The data will be kept for the whole duration of our commercial relationship, and 3 years following the end of this relationship.”

  • The rights of individuals

All the data subject’s rights provided by the GDPR must be listed. However, listing them is not enough. The data subject must also be informed of the means through which these rights can be exercised (postal mail, email, dedicated portal…).

It is at this point that the contact details of the DPO or the department in charge of managing the requests must be specified. For example: “You have a right of access, rectification, erasure, objection, portability, as well as a right to limit the processing. You can exercise these rights at any time by contacting our Legal Department:

– by e-mail: legal@my-smart-fridge.com

– by postal mail: My-smart-fridge, To the attention of the Legal Department, 1 Data Street, 750XX Paris.”

  • The right to withdraw consent when processing is based on consent

Where the processing activity is based on consent, the means to withdraw this consent (e.g. a link to unsubscribe to the newsletter or prospecting) must also be included in each information notice. This withdrawal must be as easy as the initial consenting act. For example: “To unsubscribe from our newsletter, you can click on the unsubscribe link directly at the bottom of the email.”

  • The right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the supervisory authority of his or her choice: that of his or her country of residence or that of the country of the controller.

In general, the information notice can redirect to the supervisory authority of the country where the controller is located. If the controller has subsidiaries in several countries, the notice can either refer to the lead supervisory authority or to the local supervisory authority (that of the country where the data subjects to whom the information is addressed are located).

It is also possible to include the authority’s contact information, but the GDPR does not specify whether this is mandatory.

For example: “You may lodge a complaint with the Commission Nationale de l’Informatique et des Libertés, 3 Place de Fontenoy, 75007 Paris”.

  • If applicable, the regulatory or contractual obligation for the individual to provide the data, or the need to provide it to enter a contract, and the consequences of not providing it

This applies where the individual’s refusal to provide personal data is either contrary to a regulatory obligation, contrary to a contractual obligation, or would prevent the conclusion of a contract.

For example, providing certain information to the civil registry is a regulatory obligation. Some data may also be mandatory for the provision of a service, such as an email address in a contact form.

For example: “Fields marked with an asterisk are mandatory, they are necessary for the provision of our services. If you decide not to fill in these fields, we will not be able to provide you with the requested services”.

  • Where applicable, the existence of automated decision-making, including profiling, and the underlying logic, significance, and consequences of the processing

The controller must find simple ways to inform the data subject of the decision-making criteria.

To explain this underlying logic, simple information should be given that allows the data subject to understand the reasons for the decision, without giving complex explanations about the algorithms used.

It is also necessary to explain the consequences of the processing for the data subject, i.e. how it could affect him or her (concrete examples of the potential impacts can be given).

Finally, as the Article 29 Working Party (G29) guidelines state, contact information must be included to allow the data subject to challenge the decision.

For example: “The financial data we collect will be subject to scoring that allows us to assess your creditworthiness and make our decision regarding your loan application. This processing allows us to make fair and accurate decisions. We base our scoring on the information you provide when filling out the application form, but also on information resulting from your banking activity, such as late payments. Our scoring methods are regularly tested to ensure their effectiveness and fairness.

You can contest a decision that concerns you and request a re-evaluation of your file by contacting our Data Protection Officer:

– by e-mail: dpo@bankoftheworld.com

– by postal mail: Bank of the World, to the attention of the DPO, 2 Bank street, 750XX Paris”.

  • And in case of an indirect collection?

When personal data is not collected directly from the data subject (for example when it is obtained via the purchase of databases, via a commercial partner, etc.), the following information must be provided in addition to the information listed above:

– The categories of personal data processed

Example: “The personal data collected are your identification data (name, first name), your job title, and your professional contact information”.

– The source from which the personal data originates and an indication of whether the source is publicly available

Example 1: “Your data was provided to us by our partner The Flying Car, and was not collected from publicly available sources.”

Example 2: “Your data was collected from publicly available sources (daily press, yellow pages, trade journals).”

In conclusion

The disclosure statements outlined above seem to be numerous, but depending on the case, not all of them will be applicable and your statements will not be as long.

The information given to people must be:

– Complete
– Concise
– Clear
– Easily accessible

We must avoid drowning data subjects in pages of information and details that are sometimes complex and incomprehensible. The CNIL now analyses information statements in detail. It is therefore important to involve the DPO in the drafting of these statements or to be assisted by an expert to ensure the compliance of the statements drafted.


Chaimae Attahiri