Skip to main content
Report to the GDPR

The duty to report to the GDPR: the first layer of information

It has been a year since the General Data Protection Regulation (“GDPR”) was fully enforced and the low degree of compliance regarding the duty to report when personal data is collected in a web environment remains surprising, particularly the first layer of information required by the regulation, as discussed below.

Conversations with clients and web developers often take place in which they show their surprise when you talk about information on “two layers”. “I’ve never heard of it” or “That’s the first I’ve heard” are very commonplace answers.

The duty to report on two layers is an obligation that the Spanish Data Protection Agency (AEPD) left patently clear even before that fateful 25th May 2018, and it did so in its Guide on the Duty to Report.

The duty to report to the GDPR: What does information on two layers mean?

In essence, what it means is that the owners of websites or other digital environments where data is collected must provide users with the minimum amount of information in two different formats. As we’ve said, we’ll discuss the first-layer information or basic information, as this is where a lower degree of compliance is observed.

protecció de dades

Basic information (First Layer):

This is the point where we lawyers have most “scuffles” with web designers, as the guide requires this minimum information be in the “same visual field” as the place where the data is collected. Therefore, the information indicated below must be in the same visual location as the place where the data is requested (normally a form). The following should be displayed in this location:

  • The basic details of the website owner. Full company name, if the website owner is a company, or full name if he or she is an individual.
  • The purpose of the data. The purpose of the data must really be correctly analysed. In other words, if you collect data on a form in order to solve any queries that may arise, then that is the purpose. However, if you want to use the data to inform contacts of future sales promotions, then this is a second purpose.
  • What enables us to process the data. The GDPR foresees six cases in which the processing of data is legitimate. Consent is merely one of the six. Consent is normally included here by default, although the following must be considered: if you say that you process the data because you have consent: (1) it must be expressly obtained, and (2) consent can, by definition, be revoked and, therefore, you should ask yourself what would happen if consent were withdrawn once it had been given? Therefore, the six cases should be analysed properly, and you should be thorough with the option chosen. The most commonplace used are: compliance with an agreement between the website owner and the data subject, or compliance with a legal obligation.
  • The data recipients. The service providers are not the recipients, nor are the departments of a given company. A recipient should be considered any third party accessing the data to use it in an independent manner. Also think about whether the data collected is also transferred to the Public Authorities.
  • Data subject rights. This is not very complicated. The rights essentially remain the same.
  • A link to the full Privacy Policy. Even less complicated. A link to the full text or second layer of information, which will be discussed in the next post.

We’ll end with an example of the penalty proceedings filed by the AEPD against the Royal Spanish Football Federation for not including the minimum amount of information in the data collection process. In this case, the case was filed because the Federation modified the terms and contents of its Privacy Policy while the proceedings were underway.

If you want more information about this issue, please don’t hesitate to contact us!

    Information on data protection

    Company name
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.

    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.

    Further information
    See the Privacy Policy.