Insufficient data management information is a growing source of data protection penalties. Below, in light of Regulation 2016/679, the General Data Protection Regulation (GDPR), and official practice, we review the areas where it is recommended to provide data management information.
How information is presented is not specified in the list
In one case, the complainant “reported” his auditor to the National Authority for Data Protection and Freedom of Information (NAIH) because no data management information was available on the auditor's website. In that case, the Authority rightly indicated that no requirement can be inferred from the General Data Protection Regulation that a data management bulletin must be placed on a website. The data controller may provide its information in any form, for example in a contract appendix, in data management information sent via e-mail, or in data management information made available at customer service.
However, there are two things that should be taken into consideration in this context. One of the requirements is that the data controller should be able to access the data management information at the same time that the personal data is being recorded. It is therefore not sufficient that the data management information be available somewhere when the contract is signed. The other follows from the accountability requirements: even though the data controller decides the method of compliance, it is the controller's duty to prove it (the occurrence and form of the information).
Read on to learn the most common mistake made when compiling a privacy statement and how this commitment can be properly fulfilled!