Imagine a software-as-a-service (SaaS) company looking to grow its clientele by purchasing leads from a specialized lead generation firm. These leads come complete with contact details and demographic information of prospective customers. In a similar scenario, envision a real estate agency building a database of potential homebuyers through publicly accessible sources such as property listings and social media profiles. Both situations pose a crucial question: what are the obligations of these companies under the General Data Protection Regulation (GDPR)? Can they freely utilize the obtained data, or are there specific responsibilities they must adhere to?
Let’s delve into the key considerations and responsibilities mandated by GDPR when handling such data acquisition practices.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how businesses handle personal data of individuals within the European Union (EU). One of the key aspects of this regulation is Article 14, which outlines the information that must be provided when personal data is obtained from a source other than the data subject.
Personal data has emerged as a valuable asset, continuously amassed, utilized, and processed by diverse entities, spanning from online consumer behavior to social media engagements.
The GDPR serves as a guiding light of transparency, ensuring that individuals are informed about the processing of their personal data. At the heart of this regulation lies the right to be informed, a fundamental aspect of data protection and a main obligation of the companies that are processing personal data of individuals. Data subjects have the right to know who is collecting their data, why they’re collecting it, and what they intend to do with it. This transparency is not merely a formality; it’s a legal obligation under Articles 13 and 14 of the GDPR.
Transparency doesn’t stop at mere disclosure. It’s about making information accessible and understandable. Whether companies are making an announcement to a tech-savvy adult or a curious child, they must communicate their data practices in clear, plain language. This includes detailing the purposes of data processing, the lawful basis for such processing, and any potential risks or rights associated with it.
But what if the data wasn’t obtained directly from the data subject?
For instance, if a company acquires information from a third party, it is still obligated to furnish essential details to the data subject: who the company is, why it holds the data, and who else might access it.
Article 14 of GDPR pertains to situations where personal data has not been obtained directly from the data subject. In such cases, the data controller (the entity processing the data) is required to provide the data subject with certain information.
When personal data is obtained from a source other than the data subject themselves, certain information must be provided to ensure transparency.
According to Article 14, the following information must be provided to the data subject:
1. The identity and contact details of the data controller and, where applicable, of the controller’s representative.
2. The contact details of the data protection officer, where applicable.
3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
4. The categories of personal data concerned.
5. The recipients or categories of recipients of the personal data, if any.
6. Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
In addition to the above, the controller must provide the following information necessary to ensure fair and transparent processing:
1. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
2. Where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or by a third party.
3. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.
4. Where processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5. The right to lodge a complaint with a supervisory authority.
6. From which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
7. The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Here is ICO guidance outlining the type of information that a company should provide in every scenario when operating under Article 14:
| What information do we need to provide? | What should we tell people? | When is this required? |
|---|---|---|
| The name and contact details of your organisation | Say who you are and how individuals can contact you. | Always |
| The purposes of the processing | Explain why you use people’s personal data. Be clear about each different purpose. There are many different reasons for using personal data, and you will know best the particular reasons why you use data. Typical purposes could include marketing, order processing and staff administration. | Always |
| The lawful basis for the processing | Explain which lawful basis you are relying on in order to collect and use people’s personal data and/or special category data. This is one or more of the bases laid out under Article 6(1) of the UK GDPR. | Always |
| The categories of personal data obtained | Tell people what types of information you are collecting about them. | Always |
| The retention periods for the personal data | Say how long you will keep the personal data for. If you don’t have a specific retention period, then you need to tell people the criteria you use to decide how long you will keep their information. | Always |
| The rights available to individuals in respect of the processing | Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability. The rights will differ depending on the lawful basis for processing – make sure what you tell people accurately reflects this. The right to object must be explicitly brought to people’s attention clearly and separately from any other information. | Always |
| The right to lodge a complaint with a supervisory authority | Tell people that they can complain to a supervisory authority. Each EU Member State has a designated data protection supervisory authority. Individuals have the right to raise a complaint with the supervisory authority in the Member State where they live, where they work, or where the infringement took place. It is good practice to provide the name and contact details of the supervisory authority that individuals are most likely to complain to if they have a problem. In practice, if you are based in the UK, or you regularly collect the personal data of people that live in the UK, you should inform people that they can complain to the ICO and provide our contact details. | Always |
| The source of the personal data | Tell people where you obtained their information from. If it was a publicly accessible source, you must say this. Be as specific as possible and name the individual source(s) the personal data was obtained from. If you can’t do this because you don’t know the specific source, you should provide more general information. | Always |
This ICO guidance specifies the additional information that a company should provide when operating under Article 14, where certain criteria are met:
| What information do we need to provide? | What should we tell people? | When is this required? |
|---|---|---|
| The name and contact details of your representative | Say who your representative is and how to contact them. A representative is an organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU. | If applicable |
| The contact details of your data protection officer | Say how to contact your data protection officer (DPO). Certain organisations are required to appoint a DPO. This is a person designated to assist with UK GDPR compliance. | If applicable |
| The recipients, or categories of recipients, of the personal data | Say who you share people’s personal data with. This includes anyone that processes the personal data on your behalf, as well as all other organisations. You can tell people the names of the organisations or the categories that they fall within. Be as specific as possible if you only tell people the categories of organisations. | If applicable |
| The details of transfers of the personal data to any third countries or international organisations | Tell people if you transfer their personal data to any countries or organisations outside the EU. Say whether the transfer is made on the basis of an adequacy decision by the European Commission under Article 45 of the UK GDPR. If the transfer is not made on the basis of an adequacy decision, give people brief information on the safeguards put in place in accordance with Article 46, 47 or 49 of the UK GDPR. You must also tell people how to get a copy of the safeguards. | If applicable |
| The right to withdraw consent | Let people know that they can withdraw their consent for your processing of their personal data at any time. Consent must be as easy to withdraw as it is to give. Tell people how they can do this. | If applicable |
| The details of the existence of automated decision-making, including profiling | Say whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give people meaningful information about the logic involved in the process and explain the significance and envisaged consequences. Whilst this type of processing may be complex, you should use simple, understandable terms to explain the rationale behind your decisions and how they might affect individuals. Tell people what information you use, why it is relevant and what the likely impact is going to be. | If applicable |
The controller should provide this information within a reasonable timeframe from obtaining the data, ensuring individuals are informed from the outset. The timeline for providing this information is crucial. Whether it’s upon data collection, the first communication with the individual, or when data is acquired from another party, organizations have a maximum of one month to fulfil this obligation.
In instances where data controllers intend to process personal data for purposes other than originally collected, individuals must be informed in advance. This proactive approach ensures transparency and allows individuals to make informed decisions about their data.
While transparency is paramount, there may be situations where providing information is impractical or legally restricted. However, companies should strive to maintain transparency to the greatest extent possible, prioritizing privacy and security.
Article 14 of the GDPR does provide certain exemptions from the obligation to inform the data subject about the processing of their personal data. These exemptions apply under the following circumstances:
– If the provision of such information proves impossible or would involve disproportionate effort.
– If the notification requirement is likely to render impossible or seriously impair the achievement of the objectives of that processing.
It’s crucial to emphasize that routinely applying these exemptions is not advisable; instead, they should be carefully considered on a case-by-case basis. The data controller should justify and document their reasons for relying on an exemption. If no exemption applies, the data controller must comply with the GDPR as normal.
Example:
Consider a research institution conducting a study on historical trends in public health. It obtains anonymized data from hospital records dating back several decades. The data subjects are individuals who were patients at those hospitals during that time.
In this case, it might be impossible for the research institution (the data controller) to provide information to the data subjects under Article 14 of the GDPR. The reasons could be:
1. Impossibility: The data subjects might not be reachable due to the passage of time, changes in contact information, or even death. Therefore, it would be impossible to provide the required information to the data subjects.
2. Disproportionate effort: Given the potentially large number of data subjects and the age of the data, it might require a disproportionate effort to track down each data subject and provide them with the information required under Article 14.
The actual application of the exemption would depend on the specific circumstances and local data protection laws. It’s always recommended to seek legal advice when dealing with such matters.
Transparency is not merely a compliance requirement but a fundamental aspect of ethical data management. By prioritizing transparency, companies can build stronger relationships with their customers and demonstrate a commitment to responsible data handling practices.
Stay tuned to our blog for more insights on navigating the complex landscape of data protection and privacy compliance. Together, we can ensure that transparency remains at the forefront of our data management efforts.