What does the right to information mean and how is it applied in business practice?
The protection of personal data in the legal systems of the member states of the European Union became imperative with the implementation of the General Data Protection Regulation (GDPR). Its implementation brought changes that affected everyone: business entities had to ensure that their operations comply with GDPR requirements, and natural persons consequently obtained greater rights related to the processing of their personal data. One of these rights is the right to be informed about the processing.
The right to information means that we have the right to know who collects and processes our data, for what purpose, on what legal basis (according to the GDPR there are six legal bases), and what category the data falls into.
We also have the right to know whether our data will be forwarded to other recipients or transferred to third countries and international organizations; how long our data will be stored and the criteria used to determine that period; basic information about our rights; the possibility of submitting a complaint to the supervisory authority; whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding a contract or providing a service; and whether automated decision-making, including profiling, takes place. Other information may be required depending on the processing that is carried out, for example information about the right to withdraw consent if the processing relies on consent as its legal basis.
The information that must be provided in order to satisfy the requirement to be “informed” depends primarily on the processing carried out, on whether the data is collected directly from the person or from other sources, including publicly available ones, and on what information the person is, or should already be, familiar with.
For example, when entering employment, the employee is obliged to provide certain personal data for the purpose of establishing an employment relationship.
The collection and processing of this data is prescribed by legal norms (e.g. the Ordinance on the content and method of keeping records about workers). A person who establishes an employment relationship should be familiar with such processing, and in the vast majority of cases he or she will confirm this in the employment contract (a clause in which the worker confirms that he or she is familiar with the acts regulating the rights and obligations arising from the employment relationship). In such a situation, the employer is not obliged to provide all of the above-mentioned information for the data it collects for the purpose of establishing and realizing the employment relationship, because the employee is already familiar with it. Of course, the employer will always provide such information at the person's request, but is not obliged to present it in advance.
Providing information about data that is not collected through the website (except for processing based on legitimate interest) would violate the principles of processing transparency. The Transparency Guidelines explicitly state that doing so would cause confusion and overload the reader with information that is not relevant to the specific processing, diverting attention from the information that is important for the individual at that moment.
Consequently, in order to satisfy the request for information, it is necessary to consider first what information about the processing should be provided. Do not overload the person with information they should already know or information that is not relevant to the specific processing (e.g. we do not explain how consent can be withdrawn if the processing is not based on consent).
In particular, it is necessary to ensure that information is provided only for the specific processing that is carried out, to consider models of providing information (multiple layers), and to adapt the language and method of providing information to the group we are addressing.
Authors: Ines & Marko Krečak, Feralis Center