Article 13 of the GDPR sets out the basics of what information needs to be provided when personal data is collected from a data subject in order to fulfil the principles of fairness, transparency and the right to be informed. Fines issued by the Spanish DPA in four recent cases in relation to Article 13 are a timely reminder of the importance of compliance in this area.

Many organisations are aware of shortfalls in relation to their GDPR compliance, especially with regard to the accuracy and clarity of privacy notices but, in taking a risk-based approach, many have chosen not to prioritise remediating these issues.

In its rationale for enforcement and the issuing of fines, the Spanish DPA identified key deficiencies in relation to transparency information provided by data controllers on websites under their control. Scanning through the criticisms highlighted by the Spanish DPA it is possible to see simple and recurring issues arising that can easily be addressed to mitigate risk, including ensuring a privacy notice is available on the website; ensuring contact information is accurate and up to date; carrying out regular reviews and updates to ensure the correct legislation is referenced and all requirements of Article 13 are met.

Although the fines may not appear to be material, the highest being €9,000, the fact that they were issued at all is an indication that DPAs are beginning to focus on this area of compliance and see it as something that is totally within the control of an organisation.

For their website, most organisations seek to comply with Article 13 by ensuring a simple privacy notice is published or linked to on the site, however Article 13 sets out specific requirements of the elements of information to be provided to users, including:

  • Who …the data controller must be identified and full contact details should be provided, along with contact details, if applicable, for the organisation’s representative (Art. 13(1)(a)) and the organisation’s Data Protection Officer (Art. 13(1)(b));
  • Who… if the personal data will be shared by the data controller with third parties then these recipients must be identified too, either specifically or by class, for example “the organisation's IT and HR / payroll service providers(Art. 13(1)(e));
  • What …it is critical to describe the personal data that the controller is collecting and processing; what the purpose of the processing is; and what the legal basis for processing is (Art. 13(1)(c)). If the legal basis is legitimate interests, the controller must also explain what these are (Art. 13(1)(d)).  It is also worth noting that if the controller further processes the personal data for a different purpose to that specified in the notice it will be required to notify the user of this (Art. 13(3));
  • Where… if the data controller plans to transfer personal data to a third country (for example somewhere without an adequacy decision from the UK Government, EU Commission or other relevant authority) it will need to provide details both of the transfer and of any suitable safeguard the organisation is using for this transfer. If standard contractual clauses are being used then there must also be detail on how the user can get a copy of these (Art. 13(1)(f));
  • How long… the notice should also specify how long data will be retained, or what criteria the controller will use to determine the duration (Art. 13(2)(a));
  • Rights… it is critical that the user is given clear information setting out the rights they have in relation to personal data held by the organisation (although some of these may not apply, depending on the legal basis for the processing), including:
    • the user’s right to access, rectification, erasure, restriction, data portability or objection to processing of their personal data (Art. 13(2)(b));
    • the user’s right to withdraw consent to processing where processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a));
    • the right for the user to lodge a complaint with a supervisory authority(Art. 13(2)(d));
    • details of whether providing the personal data is a statutory or contractual requirement, and what happens if the individual fails to provide the personal data (Art. 13(2)(e)); and
    • the user’s right to know if automated decision-making is being used, to what extent and what the consequences of this processing could be for them (Art. 13(2)(f)).

Clearly, there is great deal of specific information that needs to be included in a privacy notice. However, it is not enough just to include words on the page. For a privacy notice to be effective communication is critical and so it is important that the language and tone of the drafting are also given due consideration to ensure that the notice is actually accessible by the target audience for the website.

Organisations should keep in mind the age and languages of the target audience, as solid English legalese is unlikely to be much help on a website whose audience is made up mainly of those for whom English is not their first language, or who may be too young to really understand the notice. This does provide an opportunity to be creative using different styles of communication including bullet listings, videos and animations to convey the required information.

As we approach the fourth anniversary of the GDPR we are seeing a trend for the simplification of notices and a greater use of layering which allows the user to choose what information they want to see, so organisations should consider these alternatives when revising their current notices. Any GDPR compliance programme should include a regular review of the organisation’s website and privacy notice. We generally recommend such a review on an annual basis or where a change arises, either operationally for the business or in relation to legislation.