The controller shall inform the data subject about the extent of the data processing (Art. 13 GDPR). But what measures are required to “provide” this information to the data subject according to Art. 12 GDPR? Is it necessary to send a written statement to the data subject, or is it sufficient to publish the information on the website? The European Court of Justice (ECJ) delivered a judgment on this aspect in 2017. The ECJ stated that the organisation which is responsible for providing the information “…must actively communicate that information.”1 This decision has a significant impact on the cost and effort of GDPR implementation projects.
In general, legal interpretation starts with the wording of the respective legal source – in our case the GDPR. But the term to “provide” information is not defined in Art. 4 GDPR. An additional approach to gain more clarity about the wording is to refer to the different language versions of the GDPR. The French version of Art. 12 GDPR uses the verb “fournir” and the German version uses the wording “übermitteln”. In contrast to the English and French versions, the German term “übermitteln” is defined as “transmission” according to Art. 4 (2) GDPR, which is a sub-activity of data processing. In that context, transmission means a transfer of personal data to a third party. All versions – the English “provide”, the French “fournir” and the German “übermitteln” – have in common that the sense of the wording requires active behaviour by the controller to transfer the information into the sphere of the data subject.
Recently the Art. 29 Working Party published its Working Paper (WP 260) on transparency. The latest Working Papers are de facto a binding interpretation of the GDPR because on 25 May the Working Party will be transformed into the European Data Protection Board. From that date the European Data Protection Board has the competence to provide a binding interpretation of the GDPR according to Art. 70 (1) GDPR. In WP 260 the Working Party does not explicitly address how to interpret the term “provide” information. In giving an example of the information requirements of the GDPR, the Working Party is satisfied with publication of the information on the website of the controller.2
But the last and binding interpretation, which may overrule the interpretation of the European Data Protection Board, lies with the ECJ. And the ECJ gave its opinion on the term provision of information in a 2017 judgment on the payment services directive 2008/64/EC.3 The payment services directive regulates the way a contract between a payment service provider – e.g. a credit card company – and a consumer shall be concluded. One requirement is the provision of the relevant information by the service provider to the consumer. The information requirements of directive 2008/64/EC are stricter than the requirements of the GDPR. Art. 41 of directive 2008/64/EC states that a payment service provider shall provide the payment service user with the relevant information on paper or another durable medium.4 In contrast to the directive, the GDPR does not require the information to be given in a specific form such as on paper or another durable medium. But providing the information to the consumer is required by both – the payment services directive and the GDPR.
The ECJ held that
“…it is the provider who must actively communicate that information.”5
That means that publication of the relevant information only on the website of an enterprise is not sufficient to provide the information. On the other hand, the ECJ states that it is not necessary to send the whole information to the customer.
“If the payment service user is obliged to consult that website in order to become aware of that information, the transmission of that information must be accompanied by active behaviour on the part of the provider aimed at drawing the user's attention to the existence and availability of that information on that website.”6
It follows that the data controller is obliged to inform the data subject in an active way that the information is available on the website. This active behaviour may be fulfilled by sending an e-mail to the customer.7 But it is not necessary to send the complete information to the data subject.
The decision of the ECJ clarifies the requirements on how to provide the information according to Art. 12 GDPR. Although the case originally concerns the payment services directive, it covers at the same time the way the information shall be provided to the data subject according to the GDPR.
1 ECJ C-375/15, BAWAG PSK Bank vs Verein für Konsumenteninformation, 25.01.2017, paragraph 48
2 Art. 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260, first example page 8
3 ECJ C-375/15, BAWAG PSK Bank vs Verein für Konsumenteninformation, 25.01.2017
4 This requirement is directed to the member states because the payment services directive is addressed – like all directives – to the member states, which are bound to implement the directive in national law.
5 ECJ C-375/15, BAWAG PSK Bank vs Verein für Konsumenteninformation, 25.01.2017, paragraph 48
6 ECJ C-375/15, BAWAG PSK Bank vs Verein für Konsumenteninformation, 25.01.2017, paragraph 53
7 But note that consent may be necessary to use the e-mail address of the customer in order to be in line with the e-privacy directive.