Legal References

Regulation EU 2016/679: art. 6

Recitals 42-50

Overview

Informing the data subject of who processes his/her data, and how, is part of the data subject's broader right to self-determination.

The underlying idea is that our data belong to us because they represent our digital identity: so we have the full right to decide on them (just as we have the right to decide about our physical body - Article 5 Civil Code). This concept is well expressed in Recital 7 of the new Regulation when "data control" is mentioned.

TYPES OF PRIVACY NOTICES

The new Regulation regulates two types of privacy notice:

  • direct privacy notice: when the data subject provides the data
  • indirect privacy notice: when the data are not provided by the data subject, but are collected from another data controller (e.g. publicly available website, public registry, etc.)

In both cases, where the data already collected are processed for other purposes than the original ones, there is an obligation to provide a further privacy notice.

CONTENT OF THE PRIVACY NOTICE

The contents of the privacy notices are listed in the tables below.

DIRECT PRIVACY NOTICE – when the data subject provides the data

The written form is not mandatory (but advisable for the purposes of evidence). The notice should be given at the time of collection of the data.

INDIRECT PRIVACY NOTICE

When the data are collected by another controller (not directly provided by the data subject).

The written form is not mandatory (but advisable for the purposes of evidence). The notice should be given within a month, and in any event before the notification to the data subject.

EXEMPTIONS FROM THE OBLIGATION TO PROVIDE PRIVACY NOTICES

The direct and indirect privacy notices are not mandatory in the following cases:

  • use of data for purely personal activities (Art. 2, par. 2)
  • manual and unstructured processing (Art. 2, par. 1)
  • if the data subject already has the necessary information (Art. 13, par. 4; Art. 14, par. 5)
  • all cases of public interest referred to in Art. 23 (national security, defence, public security, etc.)

A “further” privacy notice is not mandatory in the following cases (Art. 14, par. 5):

  • impossibility or disproportionate effort
  • privacy notice is expressly laid down by Union or Member State law
  • obligation of professional secrecy

SANCTIONS

The sanctions are provided for in Article 83, par. 5, lett. b) and are very high.

Up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover, whichever is higher.

The criteria for determining the sanction are those set out in Article 83.