Applying the right to information in practice

Jul 8, 2022

What does the right to information mean, and how is it applied in business practice?

The protection of personal data in the legal systems of the member states of the European Union became imperative with the implementation of the General Data Protection Regulation (GDPR). Its implementation brought changes that affected everyone: business entities had to ensure that their operations complied with GDPR requirements, and natural persons, consequently, obtained greater rights related to the processing of their personal data. One of these rights is the right to be informed about the processing.

The right to information means that we basically have the right to know who collects and processes our data, for what purpose, on what legal basis (according to the GDPR there are six legal bases) and which categories of data are involved.

We also have the right to know whether our data will be forwarded to other recipients or transferred to third countries and international organizations; the period for which our data will be stored and the criteria used to determine that period; basic information about our rights, including the possibility of lodging a complaint with the supervisory authority; whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding a contract or providing a service; information about the existence of automated decision-making, including profiling; and other information depending on the processing carried out, for example information about the right to withdraw consent where consent is the legal basis for the processing.

The information that must be provided in order to satisfy the requirement to be “informed” will depend primarily on the processing carried out, on whether the information is collected directly from the person or from other sources (including publicly available sources), and on what the person has been, or should have been, familiar with already.

EXAMPLE 1

For example, during employment, the employee is obliged to provide certain personal data for the purpose of establishing an employment relationship.

The collection and processing of this data is prescribed by legal norms (e.g. the Ordinance on the content and method of keeping records about workers). A person who establishes an employment relationship should be familiar with such processing, and in the vast majority of cases he or she will confirm this in the employment contract (a clause in which the worker confirms that he or she is familiar with the acts regulating the rights and obligations arising from the employment relationship). In such a situation, the employer will not be obliged to provide all the above-mentioned information for the data it collects for the purpose of establishing and carrying out the employment relationship, because the employee is already familiar with it. Of course, the employer will always provide such information at the request of the person concerned, but the employer will not be obliged to present it in advance.

EXAMPLE II

However, if we store the applications of unselected candidates for a certain period of time (e.g. until the end of the probationary period of the selected candidate), then all information about such processing should be provided. Namely, the purpose of processing a candidate’s CV for the competition ended with the selection of the candidate. Although unselected candidates can realistically expect that their data will be processed for some time, they are not reliably familiar with such processing, nor with other details of that processing (e.g. the exact storage period). Therefore, it is necessary to provide information about such processing in a clear and simple way, and which way that is will depend on the situation. In some situations, it will be sufficient to state the necessary information about the “resumé database” in the privacy policy on the company’s website, in the “legitimate interests” section; where the company does not have its own website, or does not receive open requests or open applications through it, this will not be applicable and the controller will need to find another appropriate way to provide information about the processing.

At the same time, it should be underlined that the privacy policy of a website only provides information about the processing of personal data collected through that website, and about the legitimate interests of the data controller (e.g. video surveillance, CV database, processing for marketing purposes, etc.).

Providing information about data that is not collected through the website (except for processing based on legitimate interest) would violate the principle of transparency of processing, as the Transparency Guidelines explicitly state that doing so would confuse and overload the reader with information that is not relevant to the specific processing, diverting the focus from the information that is important for the individual at that moment.

Consequently, in order to satisfy the requirement to inform, it is first necessary to consider what information about the processing should be provided at all. Do not overload the person with information that they should already know, or with information that is not relevant to the specific processing (e.g. do not provide information on how to withdraw consent if the processing is not based on consent).

In particular, it is necessary to ensure that information is provided only for the specific processing that is carried out, to consider models of providing information (e.g. multiple layers) and to adapt the language and method of providing information to the group we are addressing.

Authors: Ines & Marko Krečak, Feralis Center
