The right of information – What types of privacy notices are there?

As mentioned in the previous blog, the right to information (Articles 13 and 14 of the GDPR) requires the controller to provide certain information to the individual when personal data are collected from the individual and when they are obtained from other sources. The documents, either printed or electronic, by which this information is provided can be broken down into three types:

  • Individual
  • Third-party
  • Website

This breakdown is determined either by the source of the personal data (from the individual or a third-party) or how the privacy notice is provided to the individual (directly or by means of a website). 

Article 13 of the GDPR sets forth what information is to be provided to the individual at the time the personal data relating to the individual are obtained. This is called an “individual” privacy notice. What needs to be in an “individual” privacy notice will be covered in the next blog.

Article 14 of the GDPR sets forth what information is to be provided to the individual where the personal data have not been obtained from the individual. This is called a “third-party” privacy notice, and it should be provided to the individual:

  • within a reasonable period after obtaining the personal data but no longer than within one month,
  • if the personal data are to be used for communication with the individual, no later than the time of the first communication with the individual,
  • if the personal data are to be disclosed to another recipient, no later than when the personal data are first disclosed.

If providing the “third-party” privacy notice proves impossible or would involve disproportionate effort, then it does not have to be provided. What needs to be in a “third-party” privacy notice will be covered in a future blog.

If there is further processing of the personal data that is different from the purpose for which the personal data were originally obtained, then a new privacy notice, either an “individual” or a “third-party” privacy notice, with information on that further processing needs to be provided to the individual prior to that further processing. If the individual already has the information to be provided in an “individual” or a “third-party” privacy notice, then the “individual” or “third-party” privacy notice does not need to be provided.

In general, a “website” privacy notice is an amalgam of “individual” and “third-party” privacy notices, and it is posted by an organization on its website so interested individuals can ascertain what an organization’s privacy practices are and so visitors to the website can determine what personal data are collected when individuals visit the website.

GDPRsimple contains templates that help SMEs generate each of these three types of privacy notices. Each template contains the standard information that needs to be in each type of privacy notice and has several blanks which are completed by selecting from drop-down boxes or Yes/No answers. By using the template appropriate for the source of the personal data and the way the privacy notice is provided to the individual, the SME is able to generate a privacy notice that accurately reflects its business practices. More detail about each template is provided in the blogs on “individual,” “third-party” and “website” privacy notices.

This blog is the second in a series of blogs that describes and explains the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog: The right of information – What information should be in an “individual” privacy notice?
