The right to be informed

Olivia Satchel

Lawyer

Privacy laws are the outgrowth of the fundamental right to informational self-determination and the enforcement of fundamental human rights. In order for each individual to be able to exercise and enforce his or her rights, the essential information must also be known. Accordingly, the United Kingdom General Data Protection Regulation (UK GDPR) grants data subjects the right to information, in addition to other data subject rights.

As a step to UK GDPR-compliance, controllers should always keep their information obligations in mind. The Information Commissioner’s Office (ICO) has compiled comprehensive guidance on what needs to be taken into account. We have summarised the most important points for you.

Data subject rights and principles

The data subject rights of the UK GDPR, first and foremost the right to information, are reflected in the principles of Art. 5 UK GDPR. Data controllers must observe and comply with these principles in every kind of data processing. Art. 5 UK GDPR sets out the following principles:

  • Lawfulness
  • Fairness
  • Transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity
  • Confidentiality
  • Accountability

First and foremost, a controller upholds the principle of transparency if the information is provided in an appropriately open, clear and easily accessible manner. Fairness is respected in this way as well, because honest processing can only take place if the data subject has been informed in advance. The other principles are also anchored in the data subject’s right to information. For example, data may only be processed for previously defined purposes. Only if you think about and determine the purposes in advance, and inform data subjects about them, will you contribute sufficiently to compliance with this principle.

This shows that it is essential to provide the information required by the UK GDPR, not only to comply with Articles 13 and 14 of the UK GDPR, which define the scope of information, but also to sufficiently recognise the general principles and take them into account in data processing.

Content of information under the UK GDPR

The rationale for providing the information is therefore clear. The question now is which information is to be provided under what circumstances. Here the law is very clear and provides explicit guidelines for two scenarios. The first scenario is that you receive the data directly from the data subjects themselves (Art. 13 UK GDPR). Here, the following information must be provided for each processing activity.

Always inform about:

  • The name and contact details of your organisation
  • Purposes of the processing
  • Legal basis of the processing
  • Retention period(s) of the processing
  • Data Subject Rights available
  • Right to lodge a complaint with a supervisory authority (the ICO)

Inform only when applicable to the processing:

  • The name and contact details of your UK or EU representative
  • The name and contact details of your data protection officer
  • The legitimate interests for the processing
  • The recipients, or categories of recipients of the personal data
  • The details of transfers of the personal data to any third countries or international organisations
  • The right to withdraw consent
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data
  • The details of the existence of automated decision-making, including profiling

Whenever you receive personal data from a source other than the data subjects themselves (Art. 14 UK GDPR), you need to provide the following information to the data subject as soon as possible.

Always inform about:

  • The name and contact details of your organisation
  • Purposes of the processing
  • Legal basis of the processing
  • The categories of personal data obtained
  • Retention period(s) of the processing
  • Data Subject Rights available
  • Right to lodge a complaint with a supervisory authority (the ICO)
  • The source of the personal data

Inform only when applicable to the processing:

  • The name and contact details of your representative
  • The name and contact details of your data protection officer
  • The legitimate interests for the processing
  • The recipients, or categories of recipients of the personal data
  • The details of transfers of the personal data to any third countries or international organisations
  • The right to withdraw consent
  • The details of the existence of automated decision-making, including profiling.

Both lists show that some information must always be provided, while other information is required only in certain cases. The information requirements under Art. 13 and Art. 14 UK GDPR differ in only a few points. As shown, the content of the information requirements is therefore very extensive.

In order to compile all information sufficiently, it is recommended to map the data flows and to provide a comprehensive, always up-to-date presentation of your processing activities in your record of processing activities (ROPA).

How to comply with the right to be informed

After determining the content, the question arises as to when and how you provide the information to those affected. The first question is when. Here, too, the law provides clear rules:

  • At the time of data collection,
  • If this is not possible, subsequently and without undue delay.

This in turn means that before you collect the data, you must disclose the data processing to the data subjects with the specified content and communicate it in an understandable manner. If it is not possible for you to provide the information in advance, you must do so without undue delay.

An example: You receive a speculative application by e-mail. Since you have neither posted a job advertisement nor are you actively seeking applicants by other means, you have little opportunity to inform the applicants in advance how you will process the data in the application process. Thus, after receiving the application documents, you should include the information notice according to Art. 13 UK GDPR in your response. In this way, you will also sufficiently comply with your legal obligations in this case.

Another fundamental point is how the information is provided. Here, the UK GDPR provides less guidance and allows data controllers a certain amount of leeway. However, information under Art. 13 UK GDPR should ideally be communicated in writing so that you can evidence compliance in the event of a dispute. The simplest option for processing activities online is to describe the processing operations in your website’s privacy policy. With appropriate links and references, you can also easily draw the attention of your customers and users to the privacy policy and thereby provide the information.

In any case, make sure that the language and presentation are appropriate for your audience. For example, the ICO highlights in its guidance that if you are processing children’s data, you must adapt the language level and presentation accordingly so that children can understand and process the information.

Steps to take for your business

The right to information not only protects data subjects, but also ensures that companies engage with their data processing to the appropriate extent and implement the principles of the UK GDPR. Companies should therefore not take the right to information lightly.

Companies are advised to conduct regular audits and checks, primarily via their records of processing activities (ROPA), to ensure that all processing activities are recorded and that the relevant data subjects are informed about each processing activity. According to the ICO, it is also advisable to map your data flows both internally and externally in order to determine which departments and external service providers are involved. This way, you can easily collate information on recipients and third country transfers and see whether you are complying with all the requirements of the UK GDPR. This information can also save you time when responding to data subject access requests and gives you a baseline for the information that must be provided.

Regular audits of your websites, their privacy policies, and the cookie explanations contained therein also help to ensure that you present only the relevant topics there and enable you to present yourself to the outside world in compliance with data protection law, which in turn strengthens users’ trust in you.

If you are unsure whether you comply with your privacy and information obligations, contact our experts any time.