As a rule, yes. This obligation and the manner of its fulfilment arise from Articles 13 and 14 of the GDPR. However, there are certain situations in which this obligation is excluded: it does not apply where and to the extent that the person already possesses that information. For example, if a new purpose of processing arises, we must inform the data subject of this new purpose, but there is no obligation to re-issue the entire privacy notice if it has already been provided previously; it is sufficient merely to refer to its content in the remaining, unchanged scope. Additionally, where data are obtained from a source other than the data subject, the obligation need not be fulfilled in the situations referred to in Article 14(5) of the GDPR, namely:
- providing such information proves impossible or would require a disproportionate effort; in particular in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article could render impossible or seriously impair the achievement of the purposes of such processing. In such cases the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information publicly available;
- the obtaining or disclosure is expressly laid down by Union law or the law of the Member State to which the controller is subject, and which provides appropriate safeguards for the legitimate interests of the data subject;
- personal data must remain confidential in compliance with a legal obligation of professional secrecy under Union law or Member State law, including a statutory obligation of secrecy.
In every case, however, before refraining from fulfilling the information duty, the controller should analyse the specific case to determine whether it falls within any of the above situations. For accountability purposes the controller should document this analysis so as to be able, if necessary, to demonstrate and justify its position to the supervisory authority. Refraining from fulfilling the information duty should be approached very cautiously, as a penalty was imposed on a controller on this basis (decision UODO ZSPR.421.3.2018).