The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: Do I always have to provide a privacy notice if I collect information about someone from a third party?
Answer: No. As an initial matter a processor is not required to provide a privacy notice to individuals about whom it possesses information.
If you are a controller there are at least five situations where you also are not required to provide a privacy notice if you collect information about someone from a third party:
They already know your privacy practices. As with situations in which you collect information directly from a person, where and insofar as a “data subject already has the information” that would be contained within a privacy notice you are not required to provide one to them.1
If providing a privacy notice is “impossible” a company is relieved of the requirement. That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”2
Disproportionate effort. If providing a privacy notice “would involve a disproportionate effort” a company is not required to provide the notice.3 That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”4
Information must be collected by European Union law. If an European Union member state requires that a company collect personal information about an individual, and that requirement includes “appropriate measures to protect the data subject’s legitimate interests” then a company is not required to also provide a privacy notice to the individual.5
Collection cannot be disclosed pursuant to European Union law. If an European Union member state imposes an obligation of secrecy on a company that would prohibit the company from disclosing the fact that it collected an individual’s information, the company is not required to provide the individual with a privacy notice.6
The GDPR does not contain much detail about what might be considered “disproportionate effort,” but indicates that (in the case of research or archiving) the number of data subjects, the age of the data, and other appropriate safeguards that were put in place to protect the data may be relevant.7