Notice and Consent
Transparency
As in Directive 95/46/EC, in Regulation 2016/679 the transparency of the Controller's processing activities is a major element of the general protection system (Articles 12 to 14).
The data subjects must be made aware in particular of the processing operations and their purposes, the obligation or not to provide the data and the consequences in case of refusal, the duration of the data retention, the existence of the rights of access, rectification or cancellation and the possibility of lodging a complaint with the supervisory authority or bringing a direct action before the judicial authority.
In order to carry out its functions, transparency must be met prior to processing, that is to say, when collecting data, except for specific exceptions.
Notice: Contents
Similarly to the provisions of Directive 95/46/EC (Articles 10 and 11), Regulation 2016/679 requires the notice to provide an exhaustive content.
Therefore, according to the Regulation, the notice must contain:
contact data of the Controller and, if present, of his representative as well as the DPO
indication of the purpose pursued and of its legal basis
specification of the legitimate interest of the Controller when the processing is based on that assumption
recipients or categories of recipients of the data
the intention of the Controller to carry out cross-border data flows beyond EU borders, the reference to a decision on the adequacy of the data protection scheme of the foreign country to which the personal data may or may not be transferred (or an indication of its absence), and any measures to safeguard such data flow (such as SCC and BCR) as well as the means to obtain a copy of the data or the place where they are available.
In compliance with the principles of transparency and fairness, it is also necessary to provide the following additional information to the data subjects:
specification of the data retention time or of the criteria used to determine it;
specification of the right of access and other data subjects' rights;
clarification of the revocability of the consent at any time without any retroactive effect;
the right of the data subject to lodge a complaint with the supervisory authority;
the existence of the obligation to provide the data and the consequences in case of refusal, if the supply of the data results from a legal or contractual obligation;
the existence of an automated decision, including profiling, as well as information on the underlying logic and the consequences for the data subjects (Article 13).
Notice: New Rules
The amendments introduced by Regulation 2016/679 with respect to the mandatory information that the notice must contain under Directive 95/46/EC are as follows:
the contact details of the DPO, if present
the legitimate interest of the Controller, when that element constitutes the basis for the validity of the processing
the level of protection provided by the foreign country to which the Controller intends to transfer the personal data
the data retention period or the criteria for determining it
the revocability of consent at any time
the right to lodge a complaint with the supervisory authority.
If the data are collected directly from the data subject, it will be necessary to specify whether the data supply is compulsory or optional and what the consequences of a refusal are [art. 14.2.e)].
Finally, when the data collection does not take place in the presence of the data subject, the latter must also be informed about the source from which the information was acquired (Article 14.3).
Sanctions for omitted notice 
Violation of the obligation to provide the notice or the usage of inappropriate notices is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).
Notice: Exceptions
Exceptions to the obligation to provide the notice under Regulation 2016/679 (Articles 13.4 and 14.5) are essentially those already contained in Directive 95/46/EC.
Personal data collected from data subject
In the case of personal data directly collected from the data subject, paragraph 4 of art. 13 recognizes the possibility of omitting the notice if the data subject has already been informed.
Personal data not obtained from the data subject
If, on the other hand, the information was collected by other means, paragraph 5 of art. 14 reads:
“Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.”
Notice: When to be Issued
The notice must be provided to the data subject at different times, depending on whether the personal data are collected directly from the data subject or from third parties.
In case of direct collection, the notice must be given:
when collecting data (Article 13.1).
In case of collection from third parties, the notice to the data subject must be given:
within a reasonable period of time after collection, but not more than one month, taking into account the circumstances of the case [art. 14.3, lett. a)]
when it is expected that the data will be communicated to the data subject, not later than the first communication [art. 14.3, lett. b)]
in case of foreseen communication to third parties, not later than the first communication [art. 14.3, lett. c)].
Consent
One of the main sources of legitimacy in the processing of personal data is the explicit consent of the data subject [art. 6.1, lett. a)].
It must be unambiguous and informed [art. 4.11)]. The criterion of unambiguity reproduces the former wording of Directive 95/46/EC [Art. 7, lett. a)]. This formulation was the subject of the opinion wp187, expressed by Art29WP.
Sanctions for consent violations 
Violation of the obligations regarding consent and its requirements as a prerequisite of lawfulness (Articles 6, 7 and 9) is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).
Consent Lawfulness Conditions
Concerning the data subject's consent, the following aspects should be considered:
The Controller has the burden of proving that he has received the consent for the processing (Article 7.1)
If consent is issued in the context of a written statement on a different matter, it must have separate evidence from the rest of the document (Article 7.2)
The revocation of the consent may take place at any time without prejudice to the legitimacy of the previous processing (Article 7.3).
In those circumstances in which the data subject has no free choice in providing or revoking the consent, the consent is understood as not free; in such cases the consent loses its function as a prerequisite of lawfulness [Recital 42 and Article 7.4].