Are there any exceptions or exemptions?
There are a small number of built-in exceptions from the right to be informed in the GDPR. The Data Protection Act 2018 (DPA 2018) also provides some other exemptions from this obligation. These are detailed below.
There is no automatic exception from the right to be informed just because the personal data is in the public domain. You should still provide privacy information to individuals, unless you can rely on a specific exception or exemption. Please see ‘What common issues might come up in practice?’ for more details.
What are the exceptions in the GDPR?
The exceptions available in the GDPR depend on how you have obtained an individual’s personal data.
When you collect personal data directly from the individual it relates to, you do not need to provide them with privacy information if:
- The individual already has the information – If you know, or it’s obvious, that an individual already has some of the necessary information, you do not need to provide it to them. However, you must still provide them with anything that they don’t already have. In practice, you may not know what information an individual already has. If you are unsure, it is best to provide individuals with all the relevant privacy information.
When you obtain personal data from a source other than the individual it relates to, you do not need to provide them with privacy information if:
- The individual already has the information – You must be able to demonstrate that the individual already has the information. You may need to conduct due diligence checks on the source from which you obtained the personal data to verify what information the individual has been provided with. If you are unsure what information an individual already has, you should provide them with all the relevant privacy information. Further guidance on what to do when personal data is sold or bought is provided in the section ‘What common issues might come up in practice?’
- Providing the information to the individual would be impossible – You need to be able to show that it is impossible, not just inconvenient. See ‘When can we rely on impossibility?’ below for more details.
- Providing the information to the individual would involve a disproportionate effort – You must be able to show that the effort involved in providing the information is not warranted by the impact on individuals. See ‘When can we rely on disproportionate effort?’ below for more details.
- Providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing – You must justify why providing an individual with privacy information would make it impossible, or impair your ability, to achieve what you want to by using that particular individual’s personal data. This is most likely to occur in an investigatory context.
Example: A local authority obtains information about an individual’s working hours and pay from their employer for the purposes of a benefit fraud investigation. The local authority decides that telling the individual about the collection of their personal data would seriously impair the progress of the investigation because the individual might destroy further evidence necessary to prove an offence. As such, the local authority documents its justification for this decision and does not provide the individual with any privacy information in this instance.
- You are required by law to obtain or disclose the personal data – You need to satisfy yourself that the law in question actually imposes a requirement on you (or your organisation) to obtain or disclose an individual’s personal data. Remember that this exception can only apply to personal data you obtain from a source other than the individual it relates to, and not to personal data you collect from the individual themselves.
- You are subject to an obligation of professional secrecy regulated by law that covers the personal data – In practice, this exception is most likely to apply to personal data processed by professionals in sectors such as tax, health, social work, law and HR.
Example: An individual provides information to their social worker in confidence about a family member. If providing privacy information to that family member would result in a breach of confidence, the social worker is exempt from the requirement to provide the information.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
See the WP29 guidelines on Transparency, which have been endorsed by the EDPB.
When can we rely on impossibility?
Situations in which it is impossible to provide privacy information to individuals are few and far between. This is most likely to occur if you do not have any contact details for individuals and have no reasonable means to obtain them.
If you determine that providing privacy information to individuals is impossible, you must publish the privacy information (eg on your website), and you should carry out a DPIA. See ‘What else should we consider if we want to rely on an exception?’.
Example: A public library is engaged in a project to collect, organise and archive information on defunct clubs and societies that operated in the local area over the past 100 years. Amongst other things, the records in question contain membership details including people’s titles and names, but not any address or contact information. It is impossible for the library to provide the individuals with any information about what it is doing because it does not have any contact details. As such, it publishes the relevant privacy information on its website. The library also carries out a DPIA and as a result it decides to publicise the project in a local newspaper in order to direct people to the privacy information on its website.
When can we rely on disproportionate effort?
To rely on this exception, you must make (and document) an assessment of whether there is a proportionate balance between the effort involved for you to provide individuals with privacy information and the effect that your use of their personal data will have on them. The more significant the effect, the less likely you will be able to rely on this exception.
This is an exception to the general obligation of transparency, and should be treated as the exception, not the rule. You should not use it to routinely escape your obligations to inform individuals about your use of their data. If you want to rely on disproportionate effort, you need to be confident you can justify why contacting individuals is genuinely disproportionate in the particular circumstances.
The GDPR says (particularly if you use personal data for archiving or research purposes) you should take into account:
- the number of individuals involved;
- the age of the personal data; and
- any appropriate safeguards you have adopted.
If you determine that providing privacy information to individuals does involve a disproportionate effort, you must still publish the privacy information (eg on your website), and you should carry out a DPIA. See ‘What else should we consider if we want to rely on an exception?’.
Example: At the start of each academic year, a school obtains the name and contact details of individuals when it collects emergency contact information from the parents or guardians of children that have enrolled that year. The school assesses that the effort involved for it to write to every emergency contact to provide them with privacy information is disproportionate in relation to the effect that the use of their personal data will have on them (contacting them in the event of an emergency). As such, the school does not actively provide privacy information to each emergency contact; however, it does publish information on the use of emergency contact details on its website. It also carries out a DPIA and decides that, to further mitigate any risks, it will put a policy in place to specify the strict limited use of emergency contact details, and places restrictions on its computer system so that only authorised members of staff have access to these details.
What else should we consider if we want to rely on an exception?
You need to consider the effect on the overall lawfulness, fairness and transparency of your processing, and whether you need to put in place additional safeguards.
Even if you are justified in relying on an exception, if you don’t actively provide an individual with privacy information this can cause ‘invisible processing’. The processing is ‘invisible’ because the individual won’t be aware that you are collecting and using their personal data.
Invisible processing results in a risk to the individual’s interests as they cannot exercise any control over your use of their data. In particular, they are unable to use their data protection rights if they are unaware of the processing. This is true even if the processing itself is unlikely to have any negative effect.
Given these risks, if you intend to rely on the exceptions for impossibility or disproportionate effort, you must still publish your privacy information, and you should carry out a DPIA. A DPIA will help you to assess and demonstrate whether you are taking a proportionate approach. It will help you consider how best to mitigate the impact on individuals’ ability to exercise their rights. It will also help you demonstrate how you comply with fairness and transparency requirements. For more details, read our guidance on data protection impact assessments.
You should also consider the impact on your lawful basis for processing. In particular, you may find it difficult to rely on legitimate interests if you process personal data in ways the individual does not reasonably expect and you do not provide privacy information. The GDPR is clear that the interests of the individual are more likely to override your interests in these circumstances. You would need to be confident that you have a compelling reason to justify the unexpected nature of the processing, and can mitigate the impact on individual rights. For more information, see our separate detailed guidance on legitimate interests and the impact of reasonable expectations.
What other exceptions are there in the DPA 2018?
The DPA 2018 provides several other potential exemptions from the right to be informed.
Depending on what you do with personal data, a number of these exemptions may be familiar to you, covering areas such as national security, crime and taxation, and legal proceedings. Others may be less familiar, such as the exemption relating to the use of personal data for immigration control.
Please see our separate guidance on the exemptions for more details.