Fair handling of personal data rests on the data subject knowing what is happening with his or her data. This is especially true where the processing depends on the data subject's consent: a free and autonomous decision can only be made if all information relevant to that decision is available.
For the collection of personal data, Art. 13 et seq. GDPR therefore oblige the controller to provide certain information to the data subject. What you have to consider and what the information obligations include in detail can be found in the following overview.
“Controller” is whoever determines the purposes and means of the processing of personal data. Any natural or legal person, public authority, agency or other body can be a controller.
Contact information should include at least the name, an address and a practical means of communication (e.g. email address, PO box address).
In the case of scientific research, a distinction must be made as to whether the researcher him/herself (e.g. students, professors, scientific staff) or a higher-level institution (e.g. university, chair) decides on the purposes and means of the processing. This depends in particular on whether there is a specific right to issue instructions. If the researcher is bound by instructions due to his or her employment relationship, the person issuing the instructions has the final authority to decide on the data processing and is thus the controller.
If you belong to an institution that has appointed a data protection officer, their contact details (e.g. email address, PO box) must be provided as well.
Example:
Data protection officer of the University of Mannheim
Jan Morgenstern
Lawyer and IT law specialist, Data protection officer of the University of Mannheim
L 1, 1
68131 Mannheim
E-Mail: datenschutzbeauftragter@uni-mannheim.de
The data subject must be informed of the data being processed, the manner in which it is processed and the purpose of the processing. From this, the data subject must be able to sufficiently identify the scope and extent of the processing.
The data subject must be able to form a concrete picture of how the data concerning him or her will be used in a specific case on the basis of the information provided.
The data subject must be given a clear, comprehensible and complete explanation of what personal data are being processed.
Examples:
Address or contact data collected for the study, such as email address, IP address, name or telephone number; data on socio-demographic background, such as occupation, age, origin or place of residence; or substantive survey data, such as preferences, interests, assessments, evaluations or behaviours.
The data subject must be able to assess from the information provided what actions will be taken with the data based on consent.
The description of the manner of processing can be guided by the forms of processing listed in the GDPR (Art. 4 No. 2): collection, recording, organising, structuring, storing, adapting, modifying, retrieving, consulting, using, disclosing, transmitting, disseminating, making available, comparing, linking, restricting, erasing, destroying.
On the basis of the information provided, the data subject must be able to identify the specific purpose of the data processing in order to be able to make his or her consent dependent on it.
For data processing for scientific research purposes, it is possible to obtain so-called "broad consent" (see Recital 33 GDPR). This means that the information requirements regarding the purpose are already met if a sufficiently specific area of research is named, even where the exact research question cannot yet be fully specified at the time of collection.
The legal basis on which the data processing rests must be stated. At the least, the specific provision, e.g. Art. 6(1)(a) GDPR, must be named.
If you base the processing on legitimate interests within the meaning of Art. 6(1)(f) GDPR, you must also describe these legitimate interests of the controller or of a third party in addition to the legal basis.
You must refer to the voluntary nature of the provision of data by the data subject.
If there is a legal or contractual obligation to provide the data, or if the data subject will suffer disadvantages if the data is not provided, you must also point this out.
If the purpose of the processing requires the disclosure of the data to others, you must identify the recipients. A recipient may be any natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party.
The term is to be understood comprehensively and also includes commissioned data processors, employees and sub-organisations.
An abstract description of the categories of recipients is sufficient for the information obligation. As a result, the data subject must be able to assess who has access to the data concerning him or her.
If you intend to transfer the data to a state outside the European Union (or the European Economic Area) or to an international organisation, you must inform the data subject about this, including whether an adequacy decision of the European Commission exists for that state or, if not, which appropriate safeguards (e.g. standard contractual clauses) the transfer relies on. You should also seek the advice of the relevant data protection officer before such a transfer.
If the duration of the data storage is already known at the time the information is provided, this must be communicated. If this is not yet foreseeable, the criteria for deciding on the storage period must be communicated.
In the area of scientific research, the requirements of good scientific practice regularly demand the archiving of research data, which can result in an exceptionally long storage period. In this case, it is advisable to anonymise any personal data as soon as possible.
The data subject must be informed of his or her rights under Articles 15-21 of the GDPR. In principle, these are the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21).
A standardised legal notice listing these rights is sufficient.
If you base the processing on consent, you must inform the data subject that consent can be withdrawn at any time, without affecting the lawfulness of the processing carried out on the basis of that consent before its withdrawal.
In addition to providing the information on withdrawal, the actual possibility of withdrawal must also exist. Withdrawing consent must be as simple as giving it. Accordingly, a communication channel for the withdrawal must be offered which corresponds to the one through which consent was given (e.g. a withdrawal by email if consent was given by email).
If you wish to base further processing on another legal basis in the event of a withdrawal of consent, you should also inform the data subject of this, naming the specific legal basis.
Example wording: "We would like to inform you that in the event of a withdrawal, the further processing of your data may be legitimised by [name the specific legal basis], so that the data will continue to be processed on that legal basis despite your withdrawal."
For further questions on the subject of data protection, please feel free to use our iVA and contact the responsible data protection officers for individual advice.