When can you waive the information obligation, commonly known as the GDPR clause?
One of the principal obligations of the controller is to provide data subjects with information on the processing of their personal data. It stems from Articles 13 and 14 of the GDPR, and non-compliance constitutes a serious violation of the provisions of the GDPR, subject to an administrative penalty of up to EUR 20 million, and in the case of an enterprise up to 4% of its total annual global turnover from the previous financial year. This is the strictest financial penalty provided for in the GDPR.
The regulation’s purpose is to provide persons whose data is processed with the possibility of verifying who is processing their personal data, for what purpose and on what legal basis as well as obtaining information about the rights related to the processing of data. However, the obligation to provide information is not absolute and in some cases it is possible to exclude it.
1. The possibility to exclude the information obligation towards persons from whom personal data has been collected directly – Article 13 GDPR
If the controller obtains personal data directly, e.g. an employer from his employee, then he/she can easily fulfill the information obligation at the very moment of collecting the data.
Therefore, the exclusion of the information obligation will only take place if the data subject already has this information (in some cases also when the information obligation has been excluded by law, e.g. for reasons of public security).
The fact that the data subject has information about the processing of data cannot be presumed, and the exemption applies only to the scope of information that is already known to the data subject.
For example, if the employer decides to introduce video monitoring of employees to whom he has already fulfilled the information obligation due to the conclusion of an employment contract, the information clause concerning the monitoring may omit the information that was included in the previous clause and remains valid.
2. The possibility to exclude the information obligation towards persons from whom personal data has been collected indirectly – Article 14 GDPR
If the controller obtains personal data indirectly, e.g. through other persons or from publicly available registers (CEIDG, KRS), he/she is also obliged to fulfill the information obligation, except when:
• the data subject already has this information – as in the case of persons whose data the controller has obtained directly; however, it will be more difficult to determine what information is already in the possession of data subjects, so the application of this exception in practice will probably be negligible,
• providing such information proves impossible or would involve a disproportionate effort – e.g. when the controller does not have the contact details of these persons (address, telephone number, e-mail) to provide them with an information clause; in such cases the controller takes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information available to the public, e.g. by posting the content of an information clause on its website; according to the current practice of the President of the Personal Data Protection Office, the high cost of fulfilling the information obligation or organizational considerations may be considered insufficient grounds for refraining from providing information on data processing,
• obtaining or disclosing the data is expressly regulated by law, which provides for appropriate measures to protect the legitimate interests of the data subject – recently, the Personal Data Protection Office indicated that this exception may be invoked by the controller in the case of collecting data on family members of an employee using the Company Social Benefit Fund (ZFŚS) – obtaining this data is regulated by Article 8 of the Act on the Company Social Benefits Fund,
• personal data must remain confidential under an obligation of professional secrecy – for example, this concerns legal secrecy and the secrecy binding attorneys or medical professionals.