General Data Protection Regulation (GDPR) – Transparency obligations for companies
The GDPR introduced new and in some cases deviating regulations with regard to data protection information obligations. In particular, companies should review their data protection declarations and consent procedures in order to avoid fines and official objections. Becoming GDPR compliant can certainly be seen as an opportunity to eliminate previous flaws with regard to transparency in data processing and ensuring the effectiveness of existing declarations of consent.
Transparency in the handling of personal data is an integral part of data protection. Data subjects should always have the opportunity to understand who is processing which data, when and for what purpose. Accordingly, data protection law contains a large number of transparency obligations designed to ensure transparency in data processing.
Duty to provide information when collecting data
The GDPR contains an extensive catalogue of provisions requiring the controller to inform potential data subjects on the scope of data processing, which are reflected in Articles 13 and 14 of the GDPR. In addition, Article 12 GDPR contains specific provisions on the form in which the information must be provided, namely in a precise, transparent, comprehensible and easily accessible form in clear and simple language.
Art. 13 and Art. 14 GDPR list obligatory information, which must be communicated to the data subject. It is of particular relevance that according to Art. 14 GDPR, the data subject must also be informed if the data is not collected directly from the data subject but from another source, e.g. from the Internet or via a lead provider. Although Art. 14 allows for a number of narrow exceptions to this principle, these will normally not be relevant, in particular for the collection of personal data for commercial purposes.
Further information and disclosure obligations
In addition to Art. 13 and Art. 14 GDPR, the GDPR contains further transparency obligations, some of which go beyond the previously applicable obligations. According to Art. 15 GDPR, for example, the data controller must provide the data subject with comprehensive information on the data stored and processed in relation to this data subject. Insofar as a controller invokes a legitimate interest, the data subject must be informed of his right to object pursuant to Art. 21 para. 4 GDPR.
Consent under the GDPR
Of particular importance is the transparency of data processing also in connection with obtaining consent for data processing, which is often overlooked by the responsible controller. Compliance with the transparency rules and information obligations is particularly important in this context, as a lack of transparency can, in case of doubt, lead to the ineffectiveness of the consent and thus to the illegitimacy of the data processing carried out on the basis of the consent as a whole.
Particularly when obtaining consent through pre-formulated texts, it must be ensured that the type, purpose and scope of data processing is made clear from the text of the consent in plain, intelligible and simple language in order to ensure that the consent is “informed” and therefore valid. In addition, the data subject must be made aware of his or her right to revoke consent at any time. Finally, consent must be given actively so that implicit acceptance of the declaration is not an option.
Of practical relevance is the question of the extent to which consents obtained in the past, i.e. before 25 May 2018, continue to be valid under the GDPR. It follows from recital 171 of the GDPR that existing consents remain effective provided that their nature corresponds to the conditions of the GDPR. Accordingly, the association of the German supervisory authorities for data protection (Düsseldorfer Kreis) also regards previously effective consents as still valid, at least in principle, if they were obtained in accordance with the requirements of the old version of the German Data Protection Act (“BDSG”). However, this does not apply to the consent of minors who had not yet reached the age of sixteen when the consent was granted, because under the GDPR, minors under the age of sixteen cannot grant consent without the consent of their legal guardians.
Against the background of the increased liability for data protection violations under the GDPR, we recommend, that existing consents be critically re-examined in any case as to their compatibility with the requirements of the GDPR. In this respect, it should also be borne in mind that the willingness of affected customers to give their consent in connection with the conversion to the GDPR is likely to be significantly increased. Accordingly, the switch to the GDPR should also be seen as an opportunity to “improve” the data protection consents and to avoid legal risks for the future.
Conclusion
The GDPR introduces new and in some cases deviating requirements with regard to transparency obligations. In particular, companies should review their privacy policies and consent procedures in order to prevent future fines and official objections. In this context, the conversion to the GDPR can well be seen as an opportunity to eliminate previous flaws with regard to transparency in data processing and ensuring the effectiveness of existing declarations of consent.