This Guide provides a general introduction to how controllers (website and app owners) can meet GDPR Articles 13 and 14 requirements with regard to:
We name the document in which this required information is provided a “Privacy Policy”.
Signatu helps you with your Privacy Policy.
Here are our “what to do steps”:
GDPR Articles 13 and 14 specify which information (content) must be provided to data subjects by controllers.
These provisions specifically give effect to the principle in GDPR Article 5.1(a) that says:
“personal data shall be processed … in a transparent manner in relation to the data subject (“transparency”)”.
The information that is required in a Privacy Policy differs to some extent:
This is indicated below by referencing either GDPR Article 13 or Article 14 or both Articles.
According to the GDPR and Guides from Data Protection Authorities, the following questions must be answered and provided in the Privacy Policy:
Must the information in the Privacy Policy be linked?
The GDPR indicates that at least some parts of the information in the Privacy Policy must be linked.
GDPR Article 13.1(c) says:
“the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;”
The wording of GDPR Article 13.1(c) indicates that the legal basis D1 for a specific purpose C1 must be linked to a specific processing activity B1 carried out on specific personal data A1.
Also, GDPR Article 13.2(a) says:
“the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;”
The wording of GDPR Article 13.2(a) indicates that the specific personal data A1 must be linked to a specific processing activity B1 with a specific processing duration or the specific personal data A1 must be linked to a specific processing purpose C1 with a specific purpose duration.
This is supported by the principle in GDPR Article 5.1(b) that says:
“personal data shall be collected for specified … purposes”.
In its literal sense, “collected for specified purposes” means:
the controller has a duty to link the specific information in the Privacy Policy to enable the data subject to use that information to assess which specific personal data A1 is processed by a specific processing method and activity B1 (with a specific processing duration) for a specific processing purpose C1 (with a specific purpose duration) on a specific legal basis D1 by a specific controller E1. The controller’s duty to link the specific information enables the data subject to clearly comprehend, without any guesswork, that A1 is processed by activity B1 and not B2 for the specific purpose C1 and not C2, etc.
However, linking information is not sufficient to reduce or remove ambiguity and interpretation from the information. This is dealt with below.
Must the Privacy Policy provide separate processing purposes?
Yes, at least for consent requests.
The controller has a duty to provide only one processing purpose in a single consent request, to enable the data subject to freely give or refuse consent to each separate data processing operation (GDPR Article 6.1(a), GDPR Recital 43).
It follows that the GDPR prohibits controllers from bundling several processing purposes in a single consent request.
Consent requests must be provided at the same time in the controller’s Consent Dialogue, Privacy Settings Dashboard (for consent withdrawal) and Privacy Policy.
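As an added example (not Signatu’s code or part of this Guide), the following Python check models a Privacy Policy as records that link A (personal data) to B (processing activity, with duration), C (purpose), D (legal basis) and E (controller), as described under “Must the information in the Privacy Policy be linked?”, and flags consent requests that bundle more than one purpose. The field names, record layout and sample records are assumptions constructed here.

```python
"""Linkage and single-purpose checks for a machine-readable Privacy Policy.

Added example, not Signatu's code. The record layout (A/B/C/D/E fields,
'activity_duration' or 'retention_criteria', 'consent_request' id) is an
assumption chosen to mirror the A1..E1 labels used in the Guide.
"""
from collections import defaultdict

# Constructed sample policy: r2 and r3 share consent request "cr-1".
SAMPLE_POLICY = [
    {"id": "r1", "data": "email address",                             # A
     "activity": "storage in CRM", "activity_duration": "24 months",  # B
     "purpose": "order fulfilment",                                   # C
     "legal_basis": "contract",                                       # D
     "controller": "Example Shop Ltd"},                               # E
    {"id": "r2", "data": "email address",
     "activity": "newsletter dispatch", "activity_duration": "until withdrawal",
     "purpose": "marketing",
     "legal_basis": "consent", "consent_request": "cr-1",
     "controller": "Example Shop Ltd"},
    {"id": "r3", "data": "browsing history",
     "activity": "profiling", "activity_duration": "12 months",
     "purpose": "personalised ads",
     "legal_basis": "consent", "consent_request": "cr-1",  # bundled with r2
     "controller": "Example Shop Ltd"},
    {"id": "r4", "data": "IP address",
     "activity": "server logging",        # no duration: Art. 13.2(a) gap
     "purpose": "security monitoring",
     "legal_basis": "",                   # no legal basis: Art. 13.1(c) gap
     "controller": "Example Shop Ltd"},
]

REQUIRED = ("data", "activity", "purpose", "legal_basis", "controller")


def missing_links(policy):
    """Return {record id: [missing fields]} for records that do not link
    A (data) -> B (activity) -> C (purpose) -> D (legal basis) -> E (controller).
    Retention must be a period or the criteria used to determine it
    (Art. 13.2(a)); either 'activity_duration' or 'retention_criteria' satisfies it."""
    problems = {}
    for rec in policy:
        gaps = [f for f in REQUIRED if not rec.get(f)]
        if not (rec.get("activity_duration") or rec.get("retention_criteria")):
            gaps.append("activity_duration|retention_criteria")
        if gaps:
            problems[rec["id"]] = gaps
    return problems


def bundled_consent_requests(policy):
    """Return {consent request id: sorted purposes} for consent requests that
    cover more than one purpose (Art. 6.1(a) and Recital 43 require one)."""
    purposes = defaultdict(set)
    for rec in policy:
        if rec.get("legal_basis") == "consent" and rec.get("consent_request"):
            purposes[rec["consent_request"]].add(rec["purpose"])
    return {cr: sorted(p) for cr, p in purposes.items() if len(p) > 1}
```

Running `missing_links(SAMPLE_POLICY)` reports r4 for its missing legal basis and retention information, and `bundled_consent_requests(SAMPLE_POLICY)` reports cr-1 for bundling marketing with personalised ads.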
Please see our GDPR Consent Guide.
Can a specific processing purpose be widened without requiring a new Privacy Policy with a new specified processing purpose?
Yes, a specific processing purpose can be widened, but there are limitations.
Please see our GDPR Consent Guide.
If a specific processing purpose is widened, then that specific processing purpose must be declared in a new Privacy Policy version that is provided to data subjects (see below).
What are the information quality requirements for the Privacy Policy?
GDPR Article 12.1 says:
“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 … to the data subject in a(n) … intelligible … .”
This is supported by GDPR Recitals 39 and 58.
GDPR Recital 39 says:
“… The principle of transparency requires that any information and communication relating to the processing of those personal data be … easy to understand … .”
GDPR Recital 58 says:
“The principle of transparency requires that any information addressed to the public or to the data subject be … easy to understand … .”
In its literal sense, intelligible/understandable information (referred to in Articles 13 and 14) means:
the controller has a duty to provide the specific and linked information in the Privacy Policy to the data subject to enable the data subject to use that information to assess the effects of controller’s data processing operations without ambiguity and interpretation from the information.
Please see our GDPR Consent Guide.
Watch this space for guidance!
GDPR Article 12.1 says:
“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 … to the data subject in a(n) easily accessible form …”
This is supported by GDPR Recitals 39 and 58.
GDPR Recital 39 says:
“… The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible … .”
GDPR Recital 58 says:
“The principle of transparency requires that any information addressed to the public or to the data subject be … easily accessible … .”
WP29 (endorsed by EDPB) says that written information in Privacy Policies must be accessible for vision-impaired end users (if any), see Guidelines on Transparency under Regulation 2016/679 (wp260rev.01).
What makes information in a Privacy Policy accessible?
End user accessibility needs are needs that relate to:
Please see our GDPR Consent Guide.
Which format makes the Privacy Policy accessible?
The GDPR does not prescribe the format or modality by which the Privacy Policy information should be provided to the data subject, but makes it clear that the controller has a duty to take “appropriate measures” in relation to the provision of the required information for transparency purposes. In a digital context, the controller must assess in which formats the Privacy Policy should be provided, including HTML, JSON, XML, PDF, etc.
Can the information in writing be supplemented by icons etc?
Yes.
GDPR Article 12.1 says:
“… The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. …”
GDPR Article 12.7 says:
“The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.”
GDPR Recital 60 says:
“… That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.”
Must a change to the Privacy Policy be tracked and versioned?
Yes.
Must the data subject be notified of changes to the Privacy Policy?
Yes, see below.
Is the Privacy Policy provided free of charge?
GDPR Article 12.5 says:
“Information provided under Articles 13 and 14 … shall be provided free of charge.”
Which degree of availability makes the Privacy Policy dialogue easily accessible?
In addition to the duty to make the content of a Privacy Policy easily accessible, controllers have a duty to make the Privacy Policy dialogue easily accessible.
Similar to consent requests, a Privacy Policy must be clearly distinguishable from other information, which means that a Privacy Policy must be recognized or identified as a Privacy Policy without doubt or effort, through features that distinguish it from other matters.
What distinguishes a Privacy Policy from other matters consists of where the Privacy Policy is provided and how it differs from other information in the same context by design, areas, divisions, boundaries or edges that separate the Privacy Policy from the information near it.
The controller has a duty to enable the data subject to understand through which action the data subject grants or refuses permission to the controller to process the data subject’s personal data.
Similar to the requirements for the consent request itself, the controller has a duty to enable the data subject to have full knowledge of the actions by which the data subject grants or refuses consent (“informed”, etc.).
Hence, these actions must be presented in clear and plain language and in an easily accessible form (GDPR Article 7.2).
The design of the consent dialogue must not be abusive design, deceptive design (e.g. a cookie that loads before consent is given or that loads when consent is refused), or dangerous design (e.g. a take-it-or-leave-it cookie wall, or last-minute consent in the final stages of an order).
Best in class design supports the action through which the data subject grants or refuses permission to the controller to process the data subject’s personal data with texts that state what the action of e.g. clicking a checkbox, button or switch means.
Watch this space for guidance!
Is the action to view specific parts of the Privacy Policy provided?
WP29 (endorsed by EDPB) says it should be possible to navigate directly to a named section of a Privacy Policy by way of clickable links, see Guidelines on Transparency under Regulation 2016/679 (wp260rev.01).
Hence, the name of the section should clearly indicate which information is available in the section.
Who provides information where the controller (website operator) is a joint controller with a third party (on a website)?
The controller has a duty to provide his or her Privacy Policy to the data subject.
In cases where a website operator is joint controller with a 3rd party on the website, the Advocate General in the Fashion ID case says the website operator is in a position to provide end users with information that is relevant for consent:
The opinion of the Advocate General has equal relevance for Privacy Policies:
The website operator is in a position to provide data subjects with the essence (GDPR Article 26.2) of the arrangement between the joint controllers regarding their respective responsibilities to comply with the duties to provide the information under Articles 13 and 14 (GDPR Article 26.1). This information must make it completely clear to a data subject which controller the data subject can approach to exercise one or more of their rights under the GDPR.
When must the controller provide the data subject with the Privacy Policy (Article 13)?
GDPR Article 13 applies to the scenario where the controller collects the personal data directly from the data subject.
This includes personal data that:
Article 13.1 says the information must be provided:
“at the time when personal data are obtained”.
When must the controller provide the data subject with the Privacy Policy (Article 14)?
Article 14 applies in the scenario where the controller does not obtain the personal data from the data subject.
This includes personal data which a controller has obtained from sources such as:
WP29 (endorsed by EDPB) says the following, see Guidelines on Transparency under Regulation 2016/679 (wp260rev.01).
Under Article 14, the time frames within which the required information must be provided to the data subject are set out in GDPR Article 14.3 (a) to (c) as follows:
Therefore, in any case, the maximum time limit within which GDPR Article 14 information must be provided to a data subject is one month.
Controllers have a duty to be able to justify why the information was provided at the time it was.
WP29’s position is that data controllers should provide the information to data subjects well in advance of the stipulated time limits.
When must the controller provide the data subject with the Privacy Policy where further processing for a new purpose is intended?
GDPR Article 13.3 says:
“where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.”
GDPR Article 14.4 says:
“where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.”
These provisions specifically give effect to the principle in GDPR Article 5.1(b) that says:
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”
Where personal data are further processed for purposes that are compatible with the original purposes (GDPR Article 6.4 informs this issue), GDPR Articles 13.3 and 14.4 apply.
Information in relation to further processing must be provided “prior to that further processing”.
These articles promote the position in the GDPR that data subjects should reasonably expect, at the time and in the context of the collection of personal data, that processing for a particular purpose may take place.
In other words, a data subject should not be taken by surprise at the purpose of processing of their personal data.
The principles of transparency, accountability and fairness under the GDPR require that controllers provide data subjects with further information on the compatibility analysis carried out under Article 6.4 where a legal basis other than consent or national/EU law is relied on for the new processing purpose.
What to do? Explain how the processing for the other purpose(s) is compatible with the original purpose. This gives data subjects the opportunity to consider the compatibility of the further processing and the safeguards provided, and to decide whether to exercise their rights, e.g. the right to restriction of processing or the right to object to processing, amongst others.
How far ahead of the further processing must the data subject be informed?
WP29 (endorsed by EDPB) says in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01):
A reasonable period should occur between the notification and the processing commencing rather than an immediate start to the processing upon notification being received by the data subject.
This gives data subjects a meaningful opportunity to consider (and potentially exercise their rights in relation to) the further processing.
What is a reasonable period will depend on the particular circumstances.
The principle of fairness requires that the more intrusive (or less expected) the further processing, the longer the period should be.
The principle of accountability requires that controllers are able to demonstrate how the timeframe between notification of the changes and the change taking effect satisfies the principle of fairness to the data subject.
When must the controller provide the data subject with the Privacy Policy where changes are made to Privacy Policy information that has previously been provided to a data subject and that do not concern further processing purposes?
The GDPR is silent on the timing requirements that apply to notifications where changes are made to Privacy Policy information that has previously been provided to a data subject and that do not concern further processing purposes.
The principles of fairness and accountability require that controllers inform data subjects about what data subjects should reasonably expect, including the potential impact of those changes upon the data subjects.
WP29 (endorsed by EDPB) says in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01):
If the change to the information is indicative of 1) a fundamental change to the nature of the processing, e.g. new recipients or transfers to a third country, or 2) a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon the data subject, then that information should be provided to the data subjects well in advance of the change actually taking effect, and the method used to bring the changes to the data subject’s attention should be explicit and effective.
This is to ensure the data subject 1) does not “miss” the change, and 2) is given a reasonable timeframe to consider the nature and impact of the change and to exercise their rights under the GDPR in relation to the change (e.g. to withdraw consent or to object to the processing).
The principle of accountability requires that controllers are able to demonstrate how the timeframe between notification of the changes and the change taking effect satisfies the principle of fairness to the data subject.
The controller should explain what will be the likely impact of the changes on data subjects.
The controller should remind data subjects of the Privacy Policy at appropriate intervals.
Contact us if you need help.