The duty to inform under the GDPR: the first layer of information
A year has passed since the General Data Protection Regulation ("GDPR") became fully applicable, and the low degree of compliance with the duty to inform when personal data is collected in a web environment remains surprising, particularly as regards the first layer of information required by the regulation, discussed below. When the subject of information "on two layers" comes up in conversations with clients and web developers, their surprise is often obvious. "I've never heard of it" or "That's the first I've heard of it" are very common answers.
The duty to inform on two layers is an obligation that the Spanish Data Protection Agency (AEPD) made patently clear even before that fateful 25 May 2018, in its Guide on the Duty to Inform.
What does information on two layers mean?
In essence, it means that the owners of websites or other digital environments where data is collected must provide users with the required minimum information in two layers: a short first layer shown next to the point where the data is collected, and a second, complete layer (typically a linked privacy policy). As we've said, we'll discuss the first-layer or basic information here, as this is where the lowest degree of compliance is observed.
Basic information (First Layer):
This is the point where we lawyers have the most "scuffles" with web designers, because the guide requires that this minimum information be in the "same visual field" as the place where the data is collected. In other words, the information listed below must appear in the same visual location as the place where the data is requested (normally a form), together with a link to the full, second-layer information. The following should be displayed in that location:
- The basic details of the website owner (the data controller). The full company name, if the website owner is a company, or the full name if he or she is an individual.
- The purpose of the processing. The purpose must be analysed properly. If you collect data on a form in order to answer queries, then that is the purpose. If you also want to use the data to tell contacts about future sales promotions, that is a second, separate purpose, and it must be stated as such.
- The legal basis for the processing. The GDPR provides six legal bases on which processing is lawful (Article 6), and consent is only one of them. Consent is normally entered here by default, but bear in mind that if you say you process the data on the basis of consent: (1) it must be obtained by a clear affirmative act, not assumed from silence or a pre-ticked box, and (2) consent can, by definition, be withdrawn at any time, so you should ask yourself what happens to the processing once consent has been withdrawn. The six bases should therefore be analysed properly and the one chosen stated accurately. The most commonly applicable are performance of a contract between the website owner and the data subject, and compliance with a legal obligation.
- The data recipients. Service providers acting on your behalf (processors) are not recipients, nor are the departments of your own company. A recipient is any third party that accesses the data in order to use it for its own, independent purposes. Also consider whether the data collected is communicated to public authorities, since they count as recipients too.
- Data subject rights. This is not very complicated: the rights remain essentially those already known (access, rectification, erasure and the rest), and the first layer need only state that they exist and refer to the second layer for how to exercise them.