EU model for proper privacy notification

By EDRi · December 15, 2004

The Article 29 Working Party of data protection authorities in the EU has developed an interesting and useful model for a standard EU privacy notice, consisting of a short, a condensed and a full legal notice.

Under the European Data Protection Directive 95/46/EC, data subjects must be informed of their rights to data protection. The Directive distinguishes between essential and further information. Essential information covers the identity of the controller and of his representative, if any, as well as the purpose of the data processing. ‘Further information’ includes the recipient of the data, the response obligation and the existence of access and rectification rights, having regard to the specific circumstances in which the data are collected. There is also a third category of information, which is required nationally and goes beyond the Directive’s requirements. This includes information such as the name or address of the data protection commissioner, details of the database and reference to local laws.

The Working Party concludes from several Eurobarometer surveys that a minority of businesses comply with privacy legislation and that only 42% of European citizens are aware they should be informed about the identity and purpose of data collection. To help further acceptance, the WP now gives 3 concrete models and examples for the most common processing tasks carried out both on-line and off-line.

The short notice must contain the identity of the controller and the purposes of processing. The Working Party suggests that sometimes even pictograms can provide the necessary notice to the persons concerned, for example to indicate hidden RFID-tags or the installation of video-cameras. The second, condensed notice must contain all the relevant information to ensure people are well-informed about their rights and choices, and must be made available on-line as well as in hard copy via written or phone request. Finally, the third, national layer must include all national legal requirements and specificities, and may include a full privacy statement.

Opinion on More Harmonised Information Provisions (25.11.2004)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp100_en.pdf