Who? What? When? Where – and on what occasion? This sounds like an article from a gossip magazine. However, if you ask this question in relation to the GDPR, there is more to it than that: with the EU General Data Protection Regulation, the duties you have to fulfil as the controller are multiplying. This also includes informing the persons whose data you are processing.


In this article, we will show you how to draw up your information obligations and point out what you have to pay attention to.


Please note, however, that this is not legal advice. If you are unsure about how to draw up your information obligations, seek professional assistance from a data protection officer or specialist lawyer. 

Why the GDPR information obligation?

Put simply, everyone whose data is collected, processed or stored has a right to know. Or as the Federal Constitutional Court puts it, there must be transparency about “who knows what, when and on what occasion about you.”

Without this knowledge, data subjects will not be able to exercise their rights, such as the right to be forgotten or the right to rectify their data, at all.

What is new about the duty to inform under Art. 13 GDPR?

The information obligations of those who collect data were previously regulated in the Federal Data Protection Act (BDSG) and other laws. This is now done in Articles 13 and 14 of the General Data Protection Regulation (GDPR) and in the Federal Data Protection Act (new). Overall, these regulations are more extensive than before.

Article 13 regulates the information obligations when personal data are collected directly from the data subject. Article 14 covers the information obligations when the personal data have not been collected from the data subject, i.e. when the data were collected by third parties. In addition to the articles, there are recitals which can be seen as the basis for the adoption of the Regulation. Recitals 60, 61 and 62 are the relevant ones here.

Duty to inform vs. privacy policy

Question: What is the difference between the information obligation and the privacy statement on the website? 
Answer: None!

Would you have known? The privacy statement serves the same purpose as the information obligation. It informs the website visitor which data is processed by the website. To be correct, the data protection declaration must therefore contain the same information as described in Art. 13 and Art. 14 GDPR.

Sometimes people also use the term privacy policy when they refer, for example, to the duty to inform at a medical practice or in an association. Although the choice of words is somewhat unusual, it is absolutely correct.

Let us move on to practice now: What information about the processing of data must you provide?

Your obligations under Article 13 and Article 14 GDPR

Article 13 – Explanation

If you or your company collect personal data directly from the person concerned, or process or store such data, you must inform the person of this at the time of collection. The content is binding and must be precise, transparent, easy to understand and available in an easily accessible form.

Article 14 – Explanation

Even if you or your company process or also store personal data that you have not collected directly from the person concerned, you are still subject to the duty to inform. The information to be provided is almost the same as for Article 13, but in addition you must provide information on the sources of the data and whether they are publicly available.

In this case, the information under Article 14 does not have to be provided immediately. The person concerned must be informed within a reasonable period of time, but at the latest after one month. Alternatively, the time of first contact with the person concerned or the time of first disclosure of the data is decisive.

If both articles apply to you, it is common practice to provide the data subjects with combined information on the processing and use of their data.

Overview and comparison Art. 13 and Art. 14 GDPR

You can find the full legal text on the pages of the EU.


Overview and comparison of the compulsory data for the information obligation according to Article 13 and Article 14 GDPR

How do you create the documents for the information obligation?

As you can imagine, there isn’t just one way of doing it. We prefer the shorter, pragmatic approach. The following procedure is therefore our recommendation from practice.

In Article 30, the GDPR requires that you keep an overview of all procedures in which personal data are processed in your company – the famous directory of procedures. You can also find an article with a sample directory of procedures in the blog.

With a completed directory of procedures you already have a basis which you can use for creating the information obligations. You can extract from it all the information you need. All you have to do is transfer this data into a document and make it available to your target group.

Since you also have to name the groups of persons in the directory of procedures, it is relatively easy to select by them. A group of persons can be your own employees, while customers, interested parties, clients (…) can form further groups. The groups of persons are your target groups, to whom you must make the information available. It is best to create one document per target group. Of course, you can also combine several target groups into one document where appropriate.

Plan how you can best offer the documents to the persons concerned before you enter and process their data. This should be a procedure that causes as little effort as possible for all those involved.

Structure of the information obligation

If the information obligations are properly described, they usually cover several pages. So that you do not have to reproduce the above-mentioned contents individually every time, we recommend dividing the information duties into “two sections”.

Uniquely occurring information in the duty to inform

Section 1 can describe the “information that occurs once” (see also the diagram above). You then do not need to mention this information again in section 2. You can use the following structure and sample formulations for section 1:

  • Controller in the sense of data protection: [name, representative, address, telephone number, e-mail] The controller is usually the owner / managing director (…).
  • Contact details of the data protection officer: [name, phone, e-mail]
  • The data processing gives rise to the following rights for the data subject:
    — Right to information (Art. 15 GDPR)
    — Correction (Art. 16 GDPR)
    — Deletion (Art. 17 GDPR)
    — Restriction of processing (Art. 18 GDPR)
    — Right of objection (Art. 21 GDPR)
    — Data portability (Art. 20 GDPR)
    — Right of withdrawal. If the processing is based on your consent according to Art. 6 para. 1 lit. a GDPR, you have the right to revoke it at any time. Data already processed remain unaffected.
  • You have the right to lodge a complaint with the competent supervisory authority: [name, address, telephone number, e-mail]

Details per procedure in the information requirement

After you have given the general information in the first section, the next step is to go into the details of the individual procedures. You must provide the following information individually for each procedure:

  • Purpose of the processing [brief description and justification why the processing is necessary].
  • Legal basis of the processing under Article 6 of the GDPR
  • Storage duration of the data or alternatively default for deletion
  • Recipient of the data [name, address of the recipient, information on whether a data processing agreement exists, if applicable] – may be omitted if the data are not passed on.
  • Transfer to a third country – may also be omitted if there is no transfer to a third country.
  • Note on whether automated decision-making or profiling takes place – this point may also be omitted if not applicable.
  • Indication of the categories of personal data. This is only mandatory if the processing involves data that you have not collected directly from the data subject (Art. 14 GDPR). However, we always recommend providing this information.
  • Source of the data [name, address], if you have not collected the data directly from the data subject (Art. 14 GDPR)

Exemplary wording for the duty to inform according to Art. 13 and Art. 14 GDPR

Below you will find two examples of procedures from our own general duty to inform. For better understanding, the label at the start of each entry points out the reference to Art. 13 / Art. 14.

The structure is not prescribed. You can also adapt the wording as you wish. Just make sure that all the building blocks are included and that the text is still easy to understand in the end.

Sometimes the content of several similar procedures can be combined in one text section. 

Communication

Purpose: In order to get in contact with you, we will send you an e-mail if necessary. You will receive further information about the processing of your inquiry, your order or information in the framework of our general business relationship.
Data categories: For this purpose we store your e-mail address, the content of the communication and the history of the communication.
Legal basis: The processing of the data is based on the fulfilment of the contractual relationship or pre-contractual measures according to Art. 6 (1) lit. b GDPR.
Data recipient: As a collaboration tool we use Office 365 from Microsoft, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. We have concluded a data processing agreement with Microsoft. Otherwise the data is only passed on as far as this is necessary within the scope of the contractual or pre-contractual measures.
Storage period: The data is stored for as long as the statutory retention obligations require.

Applications

Purpose / data categories: As part of the application procedure for new employees, we process the information you send us from your CV, cover letter and other documents and information about you.
Legal basis: The data is processed on the basis of pre-contractual measures relating to the employment contract in accordance with Art. 6 (1) lit. b GDPR.
Data recipients: Your application will be forwarded internally to the personnel department and the responsible department.
Storage period: Documents relating to your application will be deleted after 6 months, unless you give us permission to retain them.

What does this mean for a small or medium-sized company?

What does the duty to inform mean for you in practice? No matter whether you run a manufacturing company, a retail business, an online shop or blog, the duty to inform always concerns you in some way.

Employees

You process personal data of your employees for personnel management, for payroll accounting, for training courses and certainly in some other places. All these procedures must be described in your directory of procedures. From the directory you can then derive the information letter. Present this letter to new employees before they are hired, perhaps together with their employment contract. Existing employees could receive the letter once, for example with their payslip or via the intranet (if all employees have access to it). Alternatively, it can also be posted on the notice board.

Customers

Distinguish whether your customers are end consumers or business customers. With end consumers you usually hold far more personal data than with business customers: address, account details, date of birth and marital status, purchase history and much more. Since business customers represent a company, you usually only hold data such as e-mail addresses, telephone numbers and communication history. If you already have general terms and conditions, one option would be to offer the information in a similar form.

Website visitors

On websites, you can cover the obligation to inform for many procedures in the data protection declaration, as you can also see in our own data protection declaration. We created ours with the help of the e-Recht24 generator. However, since this only covers part of it, we have added the rest ourselves.


To meet the requirements in an easily understandable and accessible manner, refer to your data protection declaration at every point where visitors enter data on the website.


Are exceptions to the obligation to provide information possible?

An exception to Article 13 GDPR is only permissible if it can be proven that the data subject already has all the information. In practice, this is probably hard to verify.


The following applies to Article 14 GDPR: if it is impossible or would involve disproportionate effort to inform the data subject, the information may be waived. The same applies to cases where the collection or transmission is required by law or where a statutory or professional secrecy obligation exists.

What happens if the duty to inform is breached?

As the European legislator considers the protection of personal data and the guarantee of fair and transparent data processing to be absolutely fundamental, high fines may be imposed in the event of infringements. 


For the time being, these figures act as a deterrent. It is still uncertain where the threshold will eventually settle. What is certain in any case is that the fines must be “effective”.

Conclusion

In order to create a complete duty to provide information, you will need a directory of procedures. On that basis, it is no longer difficult to draw up the information obligations under Art. 13 and Art. 14.


DSK paper number 10 also provides an overview of the information obligation. 

FAQs on information requirements

Who must be informed as a result of the information obligation under Art. 13 and Art. 14?

Generally, only those persons (customers, employees…) who have been “newly” added since 25.05.2018 have to be informed.


However, it is advisable that you also inform the existing customers and employees. 

What is the content of the information obligation?

The information obligation under Art. 13 and Art. 14 can generally be divided into two sections. In the general part, the following information must be provided:

  • Controller in terms of data protection
  • Contact details of the data protection officer
  • Reference to the rights of data subjects
  • Reference to the right to lodge a complaint with the supervisory authority

In the detailed part, the following must be specified for each procedure (if applicable):

  • Purpose of the processing 
  • Legal basis of the processing under Article 6 of the GDPR
  • Data storage duration 
  • Recipient of the data
  • Transfer to a third country 
  • Note on whether automated decision-making or profiling takes place
  • Specification of the categories of personal data. This is only mandatory if it concerns the processing of data that you have not collected directly from the data subject (Art. 14 GDPR). However, we always recommend providing this information.
  • Source of the data [name, address], if you have not collected the data directly from the data subject (Art. 14 GDPR)

What is the difference between information obligation and privacy policy?

None! The privacy policy is also a duty to inform. It is just that for websites the term privacy statement has become established.

How do I inform my customers according to the GDPR?

You can make the information obligations available in physical form, e.g. a notice in the waiting room or an annex to the contract, or in digital form, e.g. in the data protection declaration on your website.


With the second variant, for example, add a sentence such as “You can find further information on data protection under Art. 13 and Art. 14 GDPR at: [link to the data protection declaration]” to all outgoing documents and e-mails.

Are the information obligations to be signed by the customers or employees? 

No, the information obligations do not need to be signed. However, if you want proof of delivery for yourself, you can have receipt confirmed.

At what point in time must those concerned be informed?

The GDPR stipulates that the data subject must be informed at the time of data collection. Strictly speaking, this means, for example, that the information would have to be read out during a telephone call. However, this is anything but practical.


The Bavarian State Office for Data Protection Supervision addresses this issue in its 8th activity report. The supervisory authority allows the information to be provided in stages.


This means that in the first step (by telephone) the data subjects must at least be given the contact details of the controller, the purpose of the processing (e.g. contacting them) and, if applicable, information on their rights as data subjects.


In the second step (e.g. follow-up communication by e-mail after the telephone call) the data subject must then be provided with all other information in accordance with Art. 13 GDPR (contact details of the DPO, legal basis in accordance with Art. 6 GDPR, recipients of the data, storage period, etc.).

What about the obligation to provide information about photos at public events? 

In this case, the data protection commissioner of Baden-Württemberg also allows the information to be provided in stages. Particularly if an unmanageable number of people attend the event, it cannot be demanded that every attendee acknowledges it.


Point out at the entrance, for example, that photos of the event will be taken and published on the website. State on that notice where further information on data protection can be found (e.g. at the cloakroom or the cash desk).

Does the obligation to inform always have to be handed out as a printout?

No! What counts as “easily accessible” depends on the individual case. In a doctor’s practice, it is a good idea to make the information available to patients as a printout in the waiting area. In an online shop, the paper form makes little sense. For this reason, the duty to inform is very often integrated into the privacy policy of the website.

Do you have any questions or need help with the implementation? Then write a comment or contact us directly. We look forward to re