On the grounds of Article 12 GDPR, controllers are obliged to inform data subjects about their intended processing. The right to information is therefore intertwined with the transparency principle described in Recital 39 GDPR (see the “Lawfulness, fairness and transparency” subsection in the Principles section of the General Part of these Guidelines).
The right to information does not require any action from the data subject; instead, it must be proactively fulfilled by the controller. What should this information look like? In this respect, as already mentioned, any information must be concise, transparent, intelligible and easily accessible, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including electronically where appropriate, and it may even be provided orally at the data subject’s request, provided that his or her identity is proven beyond doubt. The information shall be provided without excessive delay or expense (Article 12 GDPR).
Information should be provided efficiently and concisely, so that the data subject is not overwhelmed by it and can foresee the scope and the consequences of the processing. To reach these goals, certain aspects need to be considered. First, the information should be tailor-made for ‘the average member of the intended audience’, which in the case of research would be the average participant. When in doubt about what the average individual looks like, Data Protection Authorities or other relevant stakeholders (e.g., advocacy groups) could provide feedback. Alternatively, draft informative texts can be validated with test subjects before the research project is launched and data collection activities take place.
Second, as no active effort is required from the data subject, the information should be immediately available to the data subject. The controller can thus provide it as best suits the context: directly, through a link or a signpost, or as a response to a natural language question.
Third, the language used by the controller should be as simple as possible. To this end, the EU Commission’s publications Claire’s Clear Writing Tips and How to Write Clearly could provide tools to simplify the message to be conveyed. Among the things to avoid when drafting any information notice are:
- complex sentences,
- passive forms,
- any technical jargon,
- modal verbs, and
- abstract notions, all of which could lead to divergent interpretations.
Children and other vulnerable groups require additional consideration. Here again, much has been written to address this thorny issue. Article 12 states that the information due to the data subject has to be particularly tailored for children, as an example of a vulnerable group, if the data processing activities are targeted towards them. Language is fundamental when it comes to vulnerable individuals, as the Spanish supervisory authority points out, since the vulnerability could be exacerbated if the individual lacks the knowledge to understand the information.
Fourth, in order to be more accessible, any written information should be provided in one single place or one complete document (whether in digital or paper format). In addition to the paper format, the data controller can make use of other electronic and non-electronic means that will be addressed below, such as a layered data protection statement, pop-up notices, infographics, flowcharts, videos, voice alerts, animations and so on. Information may also be provided orally, either on a person-to-person basis or through automated means, on the condition that the data subject’s identity is proven through other means.
Articles 13 and 14 GDPR specify the information to be provided, depending on whether the personal data were collected directly from the data subject or not.
When personal data are collected directly from the data subject (Article 13 GDPR), the controller must provide the following information at the time they are collected:
- The controller’s identity and contact details (namely, those of the research institution) and the contact details of its data protection officer;
- The purposes and the legal basis for the processing, including the legitimate interest if applicable;
- The recipients (or categories of recipients) of the personal data, if any;
- Whether the data will be transferred outside the EU, as well as the details about the legal basis and the safeguards for the processing abroad;
- The data retention period. If establishing such period is not feasible, the criteria used to determine it must be laid down;
- All the data subject’s rights, including the right to lodge a complaint with a supervisory authority. Additionally, if the processing is based on the data subject’s consent, the right to withdraw consent must be included;
- Whether the provision of personal data is a statutory or contractual requirement, and whether the data subject is obliged to provide the personal data, together with the possible consequences of failing to provide them;
- The existence of automated decision-making, namely decisions taken using personal data processed solely by automated means without human intervention.
Additionally, in its Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR focusing on health research (2021), the European Data Protection Board recommends that if a controller intends to use data obtained from data subjects also for other purposes, this controller should at the time of collection of the data take appropriate measures in order to be able to meet the information obligations pertaining to such further processing.
Article 13 GDPR exempts controllers from this obligation when the data subject already has the information. Whilst the data controller must prove these circumstances (relating, for instance, to how and when such information was provided, as well as to what extent it has not changed in the meanwhile), there is still an obligation to complete the data subject’s knowledge where necessary.
When personal data are not collected directly from the data subject (Article 14 GDPR), the controller must also inform the individual about the source of the personal data and the specific categories of data it plans to process. All the information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed.
Finally, Article 14.5(b) GDPR lays down three exemptions for research institutions from the controller’s obligation to inform data subjects about the processing of personal data that were not collected from them:
- such provision proves impossible;
- or would involve a disproportionate effort;
- […] or insofar as the obligation […] is likely to render impossible or seriously impair the achievement of the objectives of that processing.
This first means that controllers must show what has prevented them from providing the information, bearing in mind that, whenever an obstacle is temporary, the information must be provided as soon as possible. For example, researchers obtain data from a social network through an application programming interface and, before they can comply with Article 14 GDPR, the social network suffers a denial of service that makes any communication with the data subjects impossible.
As regards the disproportionate effort, Recital 62 GDPR refers to the number of data subjects, the age of the data, and the existence of safeguard measures. Here again, the disproportionate effort must be evaluated and proved by balancing the costs and benefits at stake. In any event, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. Public availability can stem, for instance, from uploading the information to a website and/or publishing it in a newspaper. Other appropriate measures include the performance of an impact assessment, the pseudonymization and anonymization of the personal data, the adoption of organizational and technical measures able to improve the level of security, and so on.
Lastly, the serious impairment of the objectives of the processing requires proof that providing the information enshrined in Article 14.1 GDPR would nullify these objectives. For example, research into how human interaction in social networks is affected during a lockdown scenario resulting from a global pandemic may require researchers to perform their analysis as discreetly as possible in order not to disturb those interactions. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available according to Article 14.5(b) GDPR.
Notwithstanding the source of the personal data, data controllers must inform the data subject about their intention to further process the personal data for a purpose other than the one for which they were collected, prior to that further processing. All in all, the principle of purpose limitation (see the “Purpose limitation” subsection in the Principles section of the General Part of these Guidelines) provides that personal data must be processed for specified, explicit and legitimate purposes, so that any further processing incompatible with them must be prohibited. Yet, according to Article 5.1(b) GDPR, any further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be regarded as incompatible with the original purpose. In any case, the controller’s obligation to inform the data subject about the further processing involves the compatibility test carried out on the grounds of Article 6.4 GDPR, in order to explain why the processing for additional purposes is consistent with the original ones (see the “Data protection and scientific research” subsection in the “Main concepts” section of these Guidelines).
As stressed by the Article 29 Working Party (2013), the performance of the compatibility test is of the utmost importance to ensure transparency and purpose limitation. However, when relying on the presumption of compatibility enshrined in Article 5(1)(b) GDPR for the further processing of personal data for scientific research purposes, it should be taken into account that this presumption can only be used under the condition that the further processing respects adequate safeguards as required by Article 89(1) GDPR.
Building on such provisions, research institutions can adopt all the measures they consider appropriate to comply with this obligation. The GDPR, indeed, does not prescribe any form in which information shall be given. Generally, the right to information is fulfilled by adopting a data protection policy, a privacy statement or a fair processing notice; their effectiveness, however, has led to a polarized debate amongst scholars and policy makers. Accordingly, new methods have been developed and could be used to provide information to data subjects in a clear and accessible way, such as:
- A layered approach: rather than showing all the required information in a single notice and so risking overwhelming the data subject, a first privacy notice can link to the other categories of information, so that the level of detail increases progressively. In this context, the first layer should include the identity of the controller, the purpose of the processing and the data subject’s rights, together with the potential consequences arising from the processing. It is important to stress that the layered approach can be adopted in both online and offline scenarios. As regards the latter, the first layer could be provided orally, with a copy of the data protection policy sent later and/or a link to the layered online privacy statement shared;
- A privacy dashboard: this user interface allows data subjects to manually manage their preferences for the processing of their personal data;
- Icons, pop-ups, QR codes and voice alerts, indicating the existence of a particular kind of personal data processing;
- Information sheets, infographics, flowcharts, information embedded in contracts.
In addition to the Guidelines on transparency under Regulation no. 2016/679 adopted by the Article 29 Working Party, several research projects are currently exploring how to make information more accessible to data subjects, such as the GDPR by Legal Design Project and the PROTECT ITN.
Last but not least, in its 2020 Preliminary Opinion, the European Data Protection Supervisor examines the intersection between deception, informed consent and the right to information. Generally speaking, deception may include withholding information in the instructions to research participants, providing only limited information as to the purpose of the research, or even misleading participants by providing a ‘cover story’ for the study to mask its actual topic. In some psychology experiments known as covert research, subjects are misled about what is being tested, and this is cited as a key success factor because awareness of the exact nature of the research would alter people’s behaviour. […][D]ebriefing of the research participants and retrospective informed consent, along with specific ethics approval before the start of the research, are among the measures to ensure ethics compliance. It is nonetheless the case that such practices apparently clash with the right to information whenever the data are collected directly from the data subject pursuant to Article 13 GDPR.
Checklist for complying with the right to information
What to provide:
☐ If the personal data were directly provided by the data subject, provide all the information listed in Article 13.1 GDPR;
☐ If the personal data were not provided by the data subject, provide all the information listed in Article 14.1–2 GDPR;
☐ If the information was already fully provided to the data subject, there is no need to comply with this obligation again.
When to provide:
☐ At the time the personal data were collected from the data subject;
☐ When the data are not collected from the data subject:
☐ within a reasonable period after obtaining the personal data, but at the latest within one month;
☐ if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
☐ if a disclosure to someone else is envisaged, at the latest when the personal data are first disclosed.
How to provide:
☐ Easily accessible;
☐ In clear and plain language.
When not to provide:
☐ When the data subject already has all the relevant information;
☐ If the personal data were not provided by the data subject:
☐ when the provision of information is impossible or disproportionate.
2 Article 29 Data Protection Working Party (ed.), ‘Guidelines on Transparency under Regulation no. 2016/679’, 2018, WP260 rev.01, p. 7
4 As the title suggests, both documents provide the reader with some tips to write more clearly. They are available at: https://ec.europa.eu/info/sites/info/files/clear_writing_tips_en.pdf; https://op.europa.eu/en/publication-detail/-/publication/725b7eb0-d92e-11e5-8fea-01aa75ed71a1/language-en [last access: 30.10.2020]
5 See for instance I. Milkaite & E. Lievens, ‘Child-Friendly Transparency of Data Processing in the EU: From Legal Requirements to Platform Policies’, Journal of Children and Media, 2020, Vol. 14, No. 1, pp. 5-21.
6 Agencia Española de Protección de Datos Personales, El deber de informar y otras medidas de responsabilidad proactiva en apps para dispositivos móviles, p. 2, available at: https://www.aepd.es/sites/default/files/2019-11/nota-tecnica-apps-moviles.pdf [last access: 06.11.2020]
7 European Data Protection Board, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR focusing on health research, adopted on 2 February 2021, p. 9, available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_replyec_questionnaireresearch_final.pdf [last access: 28.06.2021]
8 Article 29 Data Protection Working Party, ‘Guidelines on Transparency under Regulation no. 2016/679’, op. cit., p. 29
9 For further details on the compatibility test, see Article 29 Data Protection Working Party (ed.), ‘Opinion 03/2013 on Purpose Limitation’, 2013, WP 203 00569/13/EN, p. 13
10 European Data Protection Board, op. cit., p. 6
11 M. Arcand, J. Nantel, M. Arles‐Dufour & A. Vincent, ‘The Impact of Reading a Web Site’s Privacy Statement on Perceived Control over Privacy and Perceived Trust’, Online Information Review, 2007, Vol. 31, No. 5, pp. 661–681; J. A. Obar & A. Oeldorf-Hirsch, ‘The Clickwrap: A Political Economic Mechanism for Manufacturing Consent on Social Media’, Social Media + Society, 2018, Vol. 4, No. 3, pp. 1-14; Y. Pan & G. M. Zinkhan, ‘Exploring the Impact of Online Privacy Disclosures on Consumer Trust’, Journal of Retailing, 2006, Vol. 82, No. 4, pp. 331–338; B. Custers, S. van der Hof & B. Schermer, ‘Privacy Expectations of Social Media Users: The Role of Informed Consent in Privacy Policies’, Policy & Internet, 2014, Vol. 6, No. 3, pp. 268–295
12 Recital 39, GDPR
13 Article 29 Data Protection Working Party (ed.), ‘Guidelines on Transparency under Regulation no. 2016/679’, op. cit., p. 19
14 Ibid., p. 20
15 For further information: http://gdprbydesign.cirsfid.unibo.it/
16 For further information: https://protect-network.eu/research/
17 European Data Protection Supervisor, ‘A Preliminary Opinion on Data Protection and Scientific Research’, 2020, available at: https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf [last access: 30.10.2020]