Privacy Notices and Information Provision
Privacy notices and information provision are fundamental requirements under European data protection law, particularly the General Data Protection Regulation (GDPR). They embody the principle of transparency, which requires data controllers to communicate clearly and openly with individuals about how their personal data is processed. Under Articles 13 and 14 of the GDPR, data controllers must provide specific information to data subjects at the time of data collection (or within a reasonable period if data is obtained indirectly). This information includes: the identity and contact details of the controller, the purposes and legal basis for processing, the categories of personal data involved, any recipients or categories of recipients, details of international transfers, retention periods, data subject rights (access, rectification, erasure, restriction, portability, and objection), the right to withdraw consent, the right to lodge a complaint with a supervisory authority, and whether the provision of data is a statutory or contractual requirement. If automated decision-making or profiling is involved, meaningful information about the logic, significance, and envisaged consequences must also be disclosed. Where data is not collected directly from the individual, the controller must additionally specify the source of the data. Privacy notices must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially when addressing children. They can be delivered in writing, electronically, or orally when requested.
The layered approach is commonly recommended, where essential information is presented upfront with links to more detailed notices. This ensures compliance without overwhelming individuals. Failure to provide adequate privacy notices can result in significant penalties under the GDPR, with fines up to €20 million or 4% of annual global turnover. Supervisory authorities across Europe actively enforce these requirements, making robust and transparent privacy notices a critical component of any organization's data protection compliance framework. Effective privacy notices build trust and demonstrate accountability.
Privacy Notices and Information Provision – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Privacy notices and the obligation to provide information to data subjects are fundamental pillars of European data protection law. They sit at the heart of the transparency principle enshrined in the General Data Protection Regulation (GDPR) and are a topic frequently tested in the CIPP/E examination. This guide provides a thorough exploration of what privacy notices are, why they matter, how they work in practice, and how to approach exam questions on this topic with confidence.
Why Privacy Notices and Information Provision Are Important
Privacy notices serve several critical functions in the European data protection framework:
1. Upholding Transparency: Article 5(1)(a) of the GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner. Privacy notices are the primary mechanism through which transparency is achieved. Without them, data subjects would have no way of knowing what happens to their personal data.
2. Empowering Data Subjects: Information provision enables individuals to exercise their rights effectively. A data subject cannot request erasure, rectification, or portability if they do not know who is processing their data, for what purposes, or on what legal basis. Privacy notices therefore act as a gateway to the exercise of data subject rights under Articles 15–22 GDPR.
3. Building Trust: Organisations that provide clear, accessible, and honest privacy notices demonstrate accountability and build trust with customers, employees, and other stakeholders. This is increasingly important in a digital economy where data is a critical asset.
4. Legal Compliance: Failure to provide adequate privacy notices can result in enforcement action by supervisory authorities, including significant administrative fines. Under Article 83(5)(b) GDPR, infringements of data subjects' rights (including the right to information) can attract fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
5. Accountability: Privacy notices form part of an organisation's accountability obligations under Article 5(2) GDPR. They provide documentary evidence that the controller has considered and communicated the key aspects of its processing activities.
What Are Privacy Notices?
A privacy notice (sometimes called a privacy statement, privacy policy, or fair processing notice) is a communication from a data controller to a data subject that explains how their personal data will be collected, used, stored, shared, and otherwise processed. It is the primary tool for fulfilling the information obligations set out in Articles 13 and 14 of the GDPR.
It is important to distinguish between:
- Privacy notices (external): Directed at data subjects to inform them about processing activities.
- Privacy policies (internal): Internal documents that set out an organisation's data protection procedures and governance frameworks.
For CIPP/E purposes, the focus is on the external-facing privacy notice and the legal requirements for information provision.
The Legal Framework: Articles 13 and 14 GDPR
The GDPR distinguishes between two scenarios for information provision:
Article 13 – Information to be provided where personal data are collected from the data subject (direct collection)
When personal data are obtained directly from the data subject, the controller must provide the following information at the time of collection:
- The identity and contact details of the controller (and, where applicable, the controller's representative)
- Contact details of the Data Protection Officer (DPO), where applicable
- The purposes of processing and the legal basis under Article 6 (and, for special categories, Article 9)
- Where processing is based on legitimate interests (Article 6(1)(f)), the legitimate interests pursued by the controller or a third party
- The recipients or categories of recipients of the personal data
- Details of any transfers to third countries or international organisations, including the safeguards in place (e.g., adequacy decisions, standard contractual clauses, binding corporate rules)
- The retention period, or the criteria used to determine it
- The existence of data subject rights: access, rectification, erasure, restriction, portability, and the right to object
- Where processing is based on consent (Article 6(1)(a) or Article 9(2)(a)), the right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- Whether provision of data is a statutory or contractual requirement, and the consequences of failure to provide data
- The existence of automated decision-making, including profiling under Article 22, with meaningful information about the logic involved and the significance and envisaged consequences
Article 14 – Information to be provided where personal data have not been obtained from the data subject (indirect collection)
When data are obtained from a source other than the data subject (e.g., from a third party, publicly available sources, or data brokers), the controller must provide essentially the same information as under Article 13, plus:
- The categories of personal data concerned (since the data subject may not know what data the controller holds)
- The source from which the personal data originate, and whether it came from publicly accessible sources
The key difference in timing is that under Article 14, the information must be provided:
- Within a reasonable period after obtaining the data, but at the latest within one month
- If the data are to be used for communication with the data subject, at the latest at the time of the first communication
- If disclosure to another recipient is envisaged, at the latest when the data are first disclosed
Exemptions under Article 14(5)
There are specific exemptions from the obligation to provide information under Article 14. These apply where:
(a) The data subject already has the information
(b) The provision of such information proves impossible or would involve a disproportionate effort (particularly for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards under Article 89(1))
(c) Obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject, and which provides appropriate measures to protect the data subject's legitimate interests
(d) The personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law
Note: There is no equivalent general exemption for disproportionate effort under Article 13 (direct collection). This is a commonly tested distinction in the CIPP/E exam.
How Privacy Notices Work in Practice
1. Format and Accessibility
Article 12 GDPR sets out overarching requirements for how information must be provided. It must be:
- In a concise, transparent, intelligible, and easily accessible form
- Using clear and plain language, particularly when addressed to a child
- Provided in writing, or by other means including, where appropriate, by electronic means
- When requested by the data subject, the information may be provided orally, provided the identity of the data subject is proven by other means
- Provided free of charge
2. Layered Approach
The Article 29 Working Party (now the European Data Protection Board, or EDPB) has recommended a layered approach to privacy notices. This means providing:
- A short-form notice (first layer) that contains the most essential information at the point of data collection (e.g., identity of the controller, purposes, and key rights)
- A full notice (second layer) that contains all the detailed information required under Articles 13 or 14, accessible via a link or on request
This approach helps balance the competing demands of completeness and comprehensibility.
3. Timing
- Under Article 13: Information must be provided at the time when personal data are obtained
- Under Article 14: Within a reasonable period (maximum one month), at the time of first communication, or at the time of first disclosure to a third party
4. Changes to Processing
If a controller intends to further process personal data for a purpose other than that for which the data were collected, the controller must provide the data subject with information on that other purpose and any relevant further information prior to that further processing (Article 13(3) and Article 14(4)).
5. Children
Where information society services are offered directly to a child, the privacy notice must be written in language that is clear and plain enough for a child to understand. Recital 58 GDPR specifically addresses this.
6. Icons and Standardised Information
Article 12(7) GDPR envisages the use of standardised icons in combination with privacy notices to give a meaningful overview of processing in an easily visible, intelligible, and clearly legible manner. Article 12(8) empowers the European Commission to adopt delegated acts to determine the information to be presented by such icons.
The Role of the EDPB and WP29 Guidelines
The Article 29 Working Party issued Guidelines on Transparency (WP260 rev.01), which have been endorsed by the EDPB. These guidelines provide detailed practical guidance on:
- The meaning of 'concise, transparent, intelligible and easily accessible'
- The use of layered notices, dashboards, and just-in-time notices
- What constitutes 'clear and plain language'
- How to present information about automated decision-making
- The application of the 'disproportionate effort' exemption under Article 14(5)(b)
These guidelines are an important reference for the CIPP/E exam.
Practical Challenges and Common Issues
- Information overload: Striking the balance between legal compliance (providing all required information) and user-friendliness (keeping notices readable)
- Multi-channel collection: Ensuring consistent information provision across websites, apps, paper forms, phone calls, and in-person interactions
- Third-party data: Fulfilling Article 14 obligations when data are obtained indirectly, particularly in complex data supply chains
- Frequent updates: Managing changes to processing activities and ensuring data subjects are informed of material changes
- Multilingual requirements: Providing notices in languages accessible to the relevant data subjects
Relationship with Other GDPR Provisions
Privacy notices interact with several other GDPR provisions:
- Consent (Article 7): Where consent is the legal basis, the privacy notice must clearly inform the data subject of the right to withdraw consent. Consent must be informed, meaning adequate information must have been provided.
- Data subject rights (Articles 15–22): The notice must inform data subjects of their rights and how to exercise them.
- Data Protection Impact Assessments (Article 35): The outcomes of a DPIA may inform the content of a privacy notice, particularly regarding risks to data subjects.
- Records of processing activities (Article 30): The information recorded under Article 30 often mirrors the content required in privacy notices.
- International transfers (Articles 44–49): Privacy notices must disclose international transfers and the applicable safeguards.
Key Case Law and Enforcement
Supervisory authorities across Europe have issued significant fines for failures related to privacy notices and transparency. Notable examples include:
- Google LLC (CNIL, 2019): A €50 million fine was imposed partly because Google's privacy notice was found to be insufficiently transparent—information was excessively scattered across multiple documents, and the legal basis for processing was not clearly communicated.
- Various national supervisory authorities have taken action where privacy notices were missing, incomplete, or not provided in a timely manner.
These enforcement actions underscore the importance of getting privacy notices right.
Exam Tips: Answering Questions on Privacy Notices and Information Provision
1. Know the Difference Between Article 13 and Article 14
This is one of the most frequently tested distinctions. Remember:
- Article 13 = data collected directly from the data subject
- Article 14 = data collected indirectly (from a third party or other source)
Key differences include timing, the requirement to disclose categories of data and sources under Article 14, and the availability of exemptions under Article 14(5).
2. Memorise the Core Information Requirements
Know the list of information that must be provided under both Articles 13 and 14. A useful mnemonic approach: think about who (controller identity, DPO), what (purposes, legal basis, categories of data), where (transfers, recipients), how long (retention), what rights (access, erasure, etc.), and special situations (automated decision-making, consent withdrawal).
3. Understand the Timing Rules
- Article 13: At the time of collection
- Article 14: Within one month, at first communication, or at first disclosure
Be prepared for scenario-based questions that test whether information was provided at the correct time.
4. Know the Exemptions—Especially Article 14(5)
The exemptions under Article 14(5) are commonly tested. Remember the four grounds: data subject already has the information, impossible/disproportionate effort, required by law, or professional secrecy. Note that the 'disproportionate effort' exemption does not apply under Article 13.
5. Understand Article 12 Requirements
Questions may test your knowledge of the manner in which information must be provided—concise, transparent, intelligible, easily accessible, clear and plain language, free of charge, and in writing or electronic means.
6. Apply the Layered Notice Concept
If a question asks about best practices for providing privacy notices, reference the layered approach recommended by the EDPB/WP29. This demonstrates practical understanding beyond mere legal knowledge.
7. Watch for Scenario-Based Questions
The CIPP/E exam frequently presents scenarios. When you see a privacy notice question:
- First identify whether data collection is direct (Article 13) or indirect (Article 14)
- Then assess whether all required information has been provided
- Check the timing of the notice
- Consider whether any exemptions apply
- Evaluate the format and accessibility of the notice
8. Link Transparency to Other Principles
If asked about the importance of privacy notices, connect them to the broader principles of transparency (Article 5(1)(a)), accountability (Article 5(2)), and lawfulness and fairness. This shows a holistic understanding of the GDPR.
9. Remember the Enforcement Context
Be aware that failures in transparency and information provision can lead to the highest tier of fines under Article 83(5)(b). This is a useful point for any question about the consequences of non-compliance.
10. Do Not Confuse Privacy Notices with Consent
A common exam trap: providing a privacy notice is not the same as obtaining consent. A privacy notice is required regardless of the legal basis for processing. Even where the legal basis is legitimate interest, contractual necessity, or legal obligation, a privacy notice must still be provided. Consent is one legal basis; transparency is an overarching obligation.
11. Consider Special Categories and Children
If a scenario involves special category data or children, remember the additional considerations—such as specifying the Article 9 condition for processing special categories, or using age-appropriate language for children.
12. Practice with Sample Questions
Work through practice questions that test:
- Which article applies (13 or 14)?
- What information is missing from a given privacy notice?
- When must the information be provided?
- Does an exemption apply?
- Is the format of the notice compliant with Article 12?
Summary Table: Article 13 vs. Article 14
Article 13 (Direct Collection)
- Data obtained from the data subject
- Information provided at the time of collection
- Must state whether providing data is obligatory and consequences of not providing it
- No general 'disproportionate effort' exemption
Article 14 (Indirect Collection)
- Data obtained from a source other than the data subject
- Information provided within one month, at first communication, or at first disclosure
- Must state the categories of data and the source
- Disproportionate effort exemption available (with conditions)
Conclusion
Privacy notices and information provision are not just a compliance checkbox—they are the foundation of the transparency principle that runs through the entire GDPR. For the CIPP/E exam, a deep understanding of Articles 12, 13, and 14, along with the ability to apply them in practical scenarios, is essential. Focus on the distinctions between direct and indirect collection, the specific information requirements, the timing rules, and the available exemptions. Combine this with knowledge of the EDPB's transparency guidelines and real-world enforcement actions, and you will be well-prepared to tackle any question on this critical topic.