[GDPR II] Rights of the Data Subject: Transparent Information
This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
The European Union has long established the right to transparency and protection of personal data as a fundamental right. The General Data Protection Regulation (GDPR) now lays down specific rules (and penalties) that may affect you as a FormAssembly customer.
As a reminder, the GDPR may apply to you even if you’re not established in the European Union. Refer to our previous post to learn more on this. You may also want to adopt our recommendations anyway to follow best practices and good stewardship of the data you collect.
Today we’ll examine how you can leverage FormAssembly to provide clear and easily accessible information about your data collection practices, in furtherance of the transparency requirements of the GDPR1.
Providing Transparency Information at the Point of Data Collection
There are a number pieces of information that must be provided to respondents2, such as your identity, contact information, purpose of processing and so on. The recommended best practice3 is to provide this information at the point of collection of the personal data, using:
- a link to a privacy notice,
- or, by making this information available on the same page.
Additionally, the GDPR EU Working Group recommends to provide information in layers, meaning that your form should contain at least an overview of the information required, with links to a separate page (such as a privacy notice or a contact information page) for further details.
“The design and layout of the first layer […] should be such that the data subject has a clear overview of the information available to them on the processing of their personal data and where/ how they can find that detailed information […].”4
Your Identity and Contact Information.
Every form created with FormAssembly includes an easily accessible link to a contact information page.
This is the ideal place to provide, as required by the GDPR,
- Your identity, such as your name or the name of your organization (Article 13a).
- Your contact information (address, email and/or phone number) (Article 13a).
- If you have a designated Data Protection Officer, the name and contact information of the officer (Article 13b).
Purpose of Processing
The form title and an introduction paragraph at the beginning of the form is a great place to explain, using succinct, clear and plain language, how you will be using the collected data (Article 13c). You can link to a separate document or web page under your control if you need to provide more in-depth information.
Throughout the sign-up process, The BBC includes explanations of why specific pieces of information are needed. They also link to documents that explain in more detail why data is being collected.
Legal Basis for Processing
At the same time you explain the purpose of processing, you should address the question of its legal basis. In most cases you will be either asking for informed consent (Art. 6a) or you will require the data to fulfill or enter into a contractual relationship (Art 6b) with your respondent.
An example for content explaining legal basis used within the text of a form could be: “Our legal basis for processing the data you have entered is informed consent.”
If the above does not apply to your situation, you can refer to Article 6 for other criteria for lawful processing.
Recipient of Data
In addition to the contact information mentioned above, you should describe who (as individuals or category of individuals) will receive the data (e.g salesperson, recruitment staff, etc.) and any third-party organization the data may be shared with.
You may list FormAssembly as your Data Processor, and document that you’ve entered into a Data Processing Agreement that protects the rights of the Data Subjects under the GDPR.
This is an excerpt from a job application from the ICO, describing third party information access.
This example discloses a third-party, but it should be noted that the EU Working Party’s guidelines also recommend that “a data controller should provide information on the actual (named) recipients of the personal data” or at least use very specific categories. An example for text explaining the named recipient of data used within the text of a form could be: “This information will be shared with Director of HR, Jane Smith.”
Retention of Data
FormAssembly will retain the data for the duration of your agreement with us, unless you chose to delete such data. You should in any case disclose to your user how long you will keep the data (outside of FormAssembly).
Existence of Automated Decision Making
If you will be using automated decision making based on the data you’re collecting, Article 13.2.f requires you to disclose meaningful information about the logic involved and the significance of such processing. Such disclosure should be made on the form, with a link to a page under your control for further details, to keep with the layering of information best practice.
Additional Information Requirement
In the next few weeks, FormAssembly will provide standard language that you can use to inform respondents of the existence of the following rights:
- Right to Request Access, Rectification or Erasure of Data.
- Right to Withdraw consent.
- Right to Lodge a complaint to a supervisory authority.
All of this required information helps your customers better understand how you are using their data and why, and making sure that your forms include this information is an important step in becoming GDPR-ready
Learn more about GDPR and how it applies to you as a FormAssembly customer in this previous GDPR blog post or on our FAQ page.
1. Article 12, 13 and 14 with further guidance provided by the EU Working Party.
2. This addresses transparency requirements under Article 13, where the respondent filling out the form is entering information about themselves. Personal data about a third-party is covered by Article 14. and will be discussed in a following post.
3. Guidelines on transparency under Regulation 2016/679 – section 10.
4. Guidelines on transparency under Regulation 2016/679 – section 30.