Similarly to the previous legislation, Regulation (EU) 2016/679 of the European Parliament and of the Council, referred to as the GDPR (hereinafter “the Regulation”), establishes information obligations of the controller of personal data towards data subjects (natural persons whose personal data are being processed). In this legal circular, we shall therefore address the new form of this regulation, specifically for those cases where personal data are obtained by a trader directly from the data subject (for example, when registering a customer on a website or when entering information into an order). These situations must be distinguished from cases where personal data are obtained by the controller from third parties (providers of user databases or so-called leads, etc.).
General requirements regarding the fulfilment of information obligations by the controller are established in Article 12(1) of the Regulation, which provides that “the controller shall take appropriate measures to provide any information” referred to in Article 13 of the Regulation “to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. However, the requirement that information be provided in a concise, transparent, intelligible and easily accessible form is to a certain extent in contradiction with the required scope of information that must be provided to customers pursuant to Article 13 of the Regulation.
Article 13(1) of the Regulation specifically provides that “where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; …; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller intends to transfer personal data to a third country …” Further information that is to be provided to the data subject, where it is “necessary to ensure fair and transparent processing”, is then enumerated in Article 13(2) of the Regulation. Such information includes, inter alia, “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”, “the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability…” and “the existence of the right to lodge a complaint with a supervisory authority”.
If the processing of personal data by a trader is based on the consent of the data subject, proper fulfilment of information obligations (complying with the Regulation) may have consequences for whether it will be necessary, after the entry into force of the Regulation, to request a new expression of consent from the data subject. The Regulation does not contain any so-called transitional provisions in its normative text. However, the preamble (recital) of the Regulation states in point 171 that where processing “is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation…” If it were therefore to transpire that the transitional provisions actually function in this manner (which unfortunately is not entirely clear at this time), proper fulfilment of information obligations by the trader will presumably be considered one of the necessary prerequisites for the manner in which the consent was given to be in line with the conditions of the Regulation.
Josef Aujezdský, advocate
Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal advisory services
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 8/2017 intended for members of this association.
This text was translated from Czech to English using an AI translator.