Four years after the implementation of GDPR, information and transparency towards data subjects are still a focal part of the news. Although companies are increasingly aware of the obligation to inform imposed by GDPR, questions remain on the following points: the content and the degree of precision of the information to be provided to data subjects, the time at which the information must be provided and, above all, the practical modalities.
In addition to the clarifications provided by the EDPS guidelines on transparency and the practical recommendations available on the CNIL website, in order to achieve the right level of compliance with the information to be provided to data subjects, we can now also draw inspiration from some of the clarifications provided by the CNIL in the sanctions published since 2020.
The right of individuals to be informed is enshrined in Articles 13 and 14 of GDPR. These articles exhaustively list all the information to be provided by the data controller to the data subject whenever personal data is collected.
Before looking at the content and timing of the information to be provided, it is important to remember two points: the responsibility for providing information to the data subject and the different ways in which data is collected.
GDPR specifies that the person responsible for providing information is the data controller. It is therefore important for a company to determine, for any collection of personal data, whether it acts as, or has the status of, data controller and is therefore responsible for providing information to the data subjects. This point becomes all the more important when personal data processing is carried out by several actors who may be partners or service providers. It should be kept in mind that the responsibility for informing data subjects does not lie with the processor, even if the latter carries out the entire processing operation. It lies with all parties who qualify as data controllers.
Regarding the different modes of data collection, Articles 13 and 14 of GDPR make a distinction between direct and indirect collection. In the case of indirect collection, additional information must be provided to the data subject. Direct collection occurs when data is collected directly from the data subject, for example, through an online data collection form (e.g., contact form, account creation form, newsletter subscription form, collection of data through cookies, oral collection of information from the data subject, collection of data through video surveillance devices, geolocation, use of IT tools, etc.). In contrast, indirect collection is when the data has not been collected directly from the data subject. The data may have been transmitted by a partner (e.g.: purchase or rental of databases or files, collection of data from social organizations or administrations, etc.).
In order to adapt the content of the information to be provided, it is important to identify all the means of collecting or obtaining the data within the company. This preliminary work will make it possible to guarantee the compliance of the information provided.
Then, when and by what means must the data controller provide this information? What should this information contain?
The time to inform data subjects depends on the origin of the collection. Indeed, GDPR specifies that when personal data are collected directly from the person, the information must be provided at the time of collection. In contrast, when personal data is collected indirectly, the individual must be informed within a reasonable period of time, and no later than one month following the collection. In this scenario, two options can be considered:
In both cases, if this first communication is planned one or more months after the collection, the information period is reduced to one month.
In practice, the data controller must identify all sources of data collection within their company, classify them and ensure that an information notice is present for each source of collection. For example, in cases of direct collection, the disclosure statement must be present on each data collection form on the website. If there are paper data collection forms, the statement must be present on each paper form.
For indirect data collection, it is important to identify or schedule the first communication with the individual after the database is acquired. It is therefore important to date the acquisition of a database in order to comply with the requirements of GDPR. In the compliance process, a template for a statement or email should be established with wording that includes all the different sources of indirect collection in an understandable and transparent way.
The means used to inform the data subject should be tailored to the means of data collection. The goal is to ensure transparency to data subjects.
The CNIL lists some of the means that may be acceptable: a recorded message for telephone calls, a paper notice delivered by hand or posted on the company’s premises, mentions in contractual documentation or in information brochures, emails, visible information signs, icons, etc. The list is not exhaustive. It is up to the data controller to find the most appropriate modality depending on the service or product provided.
Some practical examples:
Regardless of the means of data collection, information must be provided to the data subject. The CNIL recently recalled in a sanction issued against TOTALENERGIE the obligation to inform data subjects even in the event of a telephone call. It stated that: “The essential information regarding the processing of their data was not communicated to the contacted persons, who were also not offered the possibility to access more information, for example by activating a key on their telephone keypad […]” Giving access to a pre-recorded message to the data subjects by pressing a key would be sufficient. Example: “To access the information notices please press 2”.
Concerning the online data collection forms, it should be noted that the mentions must be present on each form present on the website. The mention must be clearly visible and contain the information required by the CNIL.
Regarding the form and clarity of the information, Article 12 of GDPR specifies that the information must be transmitted “in a concise, transparent, understandable and easily accessible manner, in clear and simple terms”. In practice, this must translate into the use of clear and non-legal terms. On this point, the CNIL has made available a table that allows for the popularization of certain legal terms in order to make them more understandable and thus satisfy this obligation.
The requirement for clear understanding is even stronger when it comes to minors. Indeed, the CNIL recommends that services used by minors should have a specific design and that information should be displayed in a suitable manner. To do this, the information must be clear, concise and understandable, as the difficulty of exercising one’s rights is even greater for an underage audience.
This requirement of clarity must be a criterion for analyzing the compliance of the information statements drafted by companies. The CNIL had the opportunity to reiterate this in the sanctions against Carrefour Banque and Carrefour France handed down on November 18, 2020. Indeed, it considered that “The information provided to users of the websites carrefour.fr and carrefour-banque.fr as well as to people wishing to join the loyalty program or the Pass card was not easily accessible (access to information too complicated, in very long documents containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations).”
The content of the information to be provided to data subjects is specified in Articles 13 and 14 of GDPR. These mentions are mandatory and not optional. Failure to mention information that would be applicable constitutes non-compliance with GDPR. The CNIL reiterated this to Bricoprivé, which was fined €500,000 for non-compliance with informing people, because the information delivered on the company’s website did not include all the mandatory mentions required by GDPR.
As for the more complete statement, it must contain all the information required by Articles 13 and 14 of GDPR. Indeed, in a sanction pronounced against Société Nestor, the CNIL noted that not all the mandatory information appeared on the collection form and that the latter “did not refer to a dedicated page that would have contained the missing information either.”
The information listed in Articles 13 and 14 is as follows:
The name of the company that is responsible for processing the data must be clearly stated. When data is collected through an online form, the identity can also be specified by the name of the site (example: www.mon-frigo-intelligent.fr).
Similarly, when it is an informational email, the identity is normally already specified via the sender’s name (example: firstname.lastname@example.org). The person then knows who is addressing them. It is important to avoid sending emails from an ambiguous email address, which does not allow the person to identify the sender (example: email@example.com).
The identity of the data controller must be accompanied by its contact information. For example, the main address or the address of the company’s registered office. If the contact information is the same as that of the DPO, it will also need to be indicated again in the dedicated section of the statement so that data subjects can know that they should contact the company or the DPO at that address.
When the company is not located within the European Union and has an obligation to appoint a representative within the European Union, that representative and their contact information should be included in the statement.
Even if the company does not find itself obliged to appoint a data protection officer, it may at least appoint a person who can be contacted by data subjects in order to exercise their rights. Otherwise, the legal department or the customer service department may do so. In any case, if a DPO has been appointed, their contact information (email and postal address) must be indicated.
The company must explain, in a simple and explicit manner, for what purpose it collects the person’s data and on what legal basis the processing relies.
For example: “We collect your personal data in order to offer you our best promotions and commercial offers, based on your consent.”
When data is collected for more than one purpose, all of them should be specified.
For example: “Your personal data will be processed in the context of personnel administration, payroll management, health insurance registration, leave and absence monitoring, and training management.”
In the event of processing involving an Artificial Intelligence system, the CNIL indicates that the Data Controller will have to make sure to deliver clear information to individuals, especially regarding the use of such a system.
All the purposes of processing must be indicated, both those carried out directly through the website and those carried out outside the website.
To ensure the completeness of the purposes listed, the data controller may perform a comparative analysis with the register of processing operations, ensuring that the data subjects have been informed of all identified processing operations.
The legal basis should not be indicated in a global way for all the purposes listed. A legal basis must be indicated for each purpose.
For purposes in which the legitimate interest of the controller forms the legal basis, this legitimate interest must be detailed. The legitimate interest is the benefit that can be derived from the processing. It can only constitute a legal basis when it respects the interests of the data subjects. A company may have a legitimate interest in knowing the preferences of its clients in order to adapt its offer, but if it has to monitor its clients online and offline, without any limits, it cannot rely on the legitimate interest as a legal basis. In return, there must be guarantees for the rights and freedoms of individuals. For example: “This processing is carried out on the basis of the legitimate interests of the company Mon-frigo-intelligent, insofar as it allows us to adapt and improve the services we offer you.”
This information concerns the persons or organizations that will have access to the data collected, whether internally (different departments or subsidiaries of the company) or externally (business partners, service providers, B2B clients). All internal and external recipients must be identified. In the categories of recipients, we can have:
For example: “Your data will be processed by our Sales Department and our Marketing Department. They will be transmitted to some of our email campaign providers.”
If personal data is transferred outside the European Union (to a subsidiary, to a service provider…), this must be specified by indicating on what basis the transfer relies: an adequacy decision, binding corporate rules (BCR) or standard contractual clauses (CCT)?
If possible, the country of destination should also be specified.
For example: “Your data may be transferred to our subsidiaries in Brazil and Vietnam, with whom we have concluded standard contractual clauses.”
In the deliberation sanctioning Carrefour France and Carrefour Banque, the CNIL noted that, “As regards the carrefour.fr website, the information was also insufficient as regards data transfers outside the European Union and the legal basis for the processing (files).”
In the event of a data transfer, the Data Controller will therefore have to ensure that the country of destination is clearly specified, as well as the guarantees put in place to ensure the transfer.
The data retention period set by the company must be indicated. This period must not exceed the legal periods provided. A retention period must be indicated for each processing purpose listed; the mention of a single overall duration for all processing may be considered non-compliant by the CNIL. For example: “They will be kept for the entire duration of our commercial relationship, and for 3 years following the end of this relationship.”
All of the rights of data subjects as provided for by GDPR must be listed. However, it is not enough to list them, the data subject must also be told by what means they can exercise them (mail, email, dedicated portal, etc.).
It is at this point that the contact details of the DPO or the department in charge of managing the requests must be specified. For example: “You have a right of access, rectification, deletion, opposition, portability, as well as a right to restrict processing. You can exercise these rights at any time by contacting our Legal Department:
– by email: firstname.lastname@example.org
– by mail: Mon-frigo-intelligent, for the attention of the Legal Department, 1 rue de la donnée, 750XX Paris”.
The means (e.g., a newsletter or prospecting unsubscribe link) by which consent can be withdrawn as easily as it was obtained must also be included. For example, “To unsubscribe from our newsletter, you can click on the unsubscribe link found directly at the bottom of the email.”
The data subject has the right to lodge a complaint or claim with the supervisory authority of their choice: that of their country of residence or that of the controller’s country.
In general, the controller can indicate the supervisory authority of the country where they are located. If the controller has subsidiaries in several countries, they can either refer to their lead supervisory authority or to the local supervisory authority (of the country where the data subjects to whom the information is addressed are located).
It is also possible to include the authority’s contact information (but GDPR does not specify whether this is mandatory).
For example: “You can lodge a complaint with the Commission Nationale de l’Informatique et des Libertés, 3 Place de Fontenoy, 75007 Paris.”
This refers to the situation where the individual’s refusal to provide personal data is either contrary to a regulatory obligation, contrary to a contractual obligation, or would prevent a contract from being concluded.
For example, providing certain information to the registrar is a regulatory obligation. Some data may also be mandatory for the provision of a service, such as the email address in a contact form.
Example: “Fields marked with an asterisk are mandatory, they are necessary for the provision of our services. If you decide not to fill in these fields, we will not be able to provide you with the requested services.”
The controller must find simple ways to inform the data subject of the decision-making criteria. To explain the underlying logic, simple information must be given that allows the data subject to understand the reasons for the decision, without giving complex explanations of the algorithms used.
It is also necessary to explain the consequences of the processing for the person, i.e., how it could affect them (concrete examples of the potential impacts can be given).
Finally, as the G29 guidelines state, contact information allowing the person to challenge the decision must be included.
For example: “You are informed that the financial data we collect will be subject to scoring that allows us to assess your creditworthiness and make our decision regarding your loan application. This processing allows us to make fair and accurate decisions. We base our scoring on the information you provide when filling out the application form, but also on information resulting from your banking activity, such as late payments. Our scoring methods are regularly tested to ensure their effectiveness and fairness.
You can contest a decision that concerns you and request a reassessment of your file by contacting our Data Protection Officer:
by email: email@example.com
by mail: Banque du Monde For the attention of the DPO
2 rue du délégué
When personal data is not collected directly from the data subject (for example when it is obtained via the purchase of databases, via a commercial partner, etc.), the following information must be provided in addition to the information listed above:
– The categories of personal data processed
Example 1: “The personal data collected in this way are your identification data (last name, first name), your job title and your business contact information.”
– The source from which the personal data originates and an indication of whether the source is publicly available
Example 1: “Your data has been transmitted to us by our partner La Voiture Volante, and has not been collected from publicly available sources.”
Example 2: “Your data was collected from publicly available sources (daily press, yellow pages, trade journals).”
The disclosure statements outlined above seem to be numerous, but depending on the case, not all of them will be applicable and your statements will not be as long.
It is essential that the information for people be:
It is important to avoid drowning the person in pages of information and details that are sometimes complex and incomprehensible. The information mentions are now subject to a detailed analysis by the CNIL. It is therefore important to involve the DPO in the drafting of these disclosures or to get help from an expert to ensure the compliance of the disclosures drafted.