Following a two-year implementation phase, the new General Data Protection Regulation ("GDPR") will become directly applicable in the member states of the European Union on May 25, 2018. The comprehensive duties to inform under Articles 12, 13 and 14 GDPR are an essential constituent of the GDPR. The following is intended to give an overview of the main requirements and possible problems related to compliance with and implementation of these information duties.
The principle of transparency is a cornerstone of the GDPR. This principle requires that each data subject should know which company processes what personal data and in what manner. Particularly in times of increasing commercialization of personal data, the need for data subjects to receive transparent information on the processing of their data is also rising. On top of this is the fact that, without corresponding knowledge, the data subjects would not be in a position to effectively exercise their rights, for example the right of access to personal data. It is for this reason that the GDPR regulates which specific information must be communicated (Articles 13 and 14 GDPR), and in what form this information is to be provided (Article 12 GDPR).
Note: the information duties apply to all processing of personal data, i.e. both online and "offline" processing, and therefore also to personal data collected from paper records.
Articles 13 and 14 GDPR contain a list of regulations setting out which specific information has to be provided, although the scope of the required information varies between the two rules. If personal data are "collected from the data subject" (so-called direct collection), Article 13 GDPR is applicable. By contrast, if a company processes personal data that have not been "obtained from the data subject," the duties to inform are based on Article 14 GDPR. This can be the case, for example, if a company receives personal data from a third party and then processes them for its own purposes. As the data subject frequently has no knowledge of any such processing in cases of this type, the company is required to inform the data subject accordingly. In particular, it must also provide information on the source of the data received (see Article 14 (2) point f) GDPR).
Note: in practice, it is likely that "combined" data protection information will frequently be provided, as companies regularly process both personal data collected directly from the data subject and data received from third parties. A specific example of this is the processing of personal data in the banking sector for the purpose of concluding financing agreements. This is an area in which personal data are regularly collected directly from the (potential) customer in the context of the application, with simultaneous processing of financial data provided by credit agencies for the purpose of checking creditworthiness. In such cases it is practical to merge the duties to inform under Articles 13 and 14 GDPR into "combined" data protection information.
The current regulations of the German Federal Data Protection Act ("BDSG-old") and the German Telemedia Act ("TMG") already oblige controllers to provide their contact data, together with information on the purpose of the processing and the recipients of the personal data. Under the new requirements of the GDPR, provision of the Data Protection Officer's contact data is now also mandatory. Furthermore, the legal basis of the processing must be stated in addition to the purpose of the processing, and the controller must also state the storage period. If it is not possible to state the specific storage period, the controller must at least set out the criteria used to determine it. The data subject must also be informed of his/her rights. This includes above all the rights regulated in Articles 15 et seq. GDPR, for example the right of access to personal data (Article 15 GDPR), as well as the new right to lodge a complaint with a supervisory authority (Article 77 GDPR). If the personal data are subject to fully automated decision-making (including profiling) as per Article 22 GDPR, the controller must explain the logic involved as well as the significance and the envisaged consequences of such automated decision-making for the data subject.
Both the GDPR and the new German Federal Data Protection Act ("BDSG-new"), adopted for the purpose of implementing the requirements of the GDPR, contain exemptions from the duty to inform, for example if the data subject already has all the information. However, the controlling company will frequently be unable to demonstrate that this is the case, so data controllers need to check very carefully whether an exemption actually applies.
Note: the information duties under the GDPR go well beyond the current data protection requirements of the BDSG and TMG. Existing data protection information (also including privacy policies on websites) should therefore be adapted in sufficient time, since significant changes may have to be made to existing data protection statements, depending on the scope of the processing by a company.
The requirements in Article 12 GDPR on the manner of the arrangement and provision of the data protection information must be complied with. These requirements stipulate that the information must be communicated to the data subject "in a concise, transparent, intelligible and easily accessible form using clear and plain language," see Article 12 (1) Sentence 1 GDPR. Data controllers have conflicting priorities here, as they are required to formulate the information concisely, yet in a transparent and intelligible manner using clear and plain language. The more extensive the data protection information, the more difficult it will be for the data subject to gain a clear picture of the processing. To solve this conflict of interests, it may sometimes be advisable to classify the individual items of information in terms of importance, and to communicate them to the data subject in individual steps.
Likewise of relevance is the question of when the data protection information has to be provided to the data subject.
In this respect, Article 12 (1) Sentence 2 GDPR does stipulate that the data protection information can be provided in writing or by other means, including electronically where appropriate. However, at least in cases of direct collection, Article 13 (1) GDPR stipulates that the data protection information must be communicated to the data subject at the time of collection.
Note: leading on from this, it can currently be assumed that a mere reference to data protection information available on the Internet is not admissible, at least in cases of direct collection of personal data in the "offline area", and that the respective data subject should therefore be informed on site. At the same time, companies should put in place suitable measures and processes to document that the data subject has taken note of the data protection information.
The GDPR makes no explicit ruling on whether and to what extent companies are also required, in the period up until the GDPR becomes directly applicable on May 25, 2018, to provide information retroactively on processing that is already under way and will still be ongoing on the said date. One indication in this respect could be recital 171 GDPR, according to which processing that is already under way should be adapted to the new legal situation.
With regard to online data processing, this is generally unlikely to create any major workload, as existing privacy policies available on a website can simply be adapted as at the changeover date, and customers can be informed of the respective changes by email. The question is, however, of particular relevance to data processing in the "offline area". If one affirms a retroactive duty to inform, the question arises of whether it is then also sufficient if the adapted data protection information is simply made available on the Internet and users are informed of this by email, or whether the entire updated data protection information has to be sent by post, since switching media from offline collection to online information may not be admissible (see above). Depending on the scope of the data protection information as well as on the size of the circle of data subjects involved, sending by post can create significant expense for a company. As far as can be seen, this problem has thus far either not been tackled or tackled only very generally. Until such time as clarification is provided by the data protection supervisory authorities or through case law, it may be advisable to consult the responsible data protection supervisory authority concerning this matter.
In conclusion, it can be stated that the information duties under the GDPR go far beyond the current requirements of the BDSG and the TMG. As a result, companies need to adapt their data protection information before the GDPR becomes applicable on May 25, 2018. One major challenge will be arranging the data protection information such that the data subject is fully informed, yet in an intelligible and clear manner. Against the background of the extended fines laid down in Article 83 GDPR, which also apply in cases of missing or incorrect data protection information, companies must prepare sufficiently quickly for the new legal situation.