On 28th April 2021, European Data Protection Supervisor (EDPS) published the results of a remote audit of how European institutions, bodies and agencies (EUIs) process the personal data of individuals and inform them of such processing in the provision of newsletter and similar subscription offerings. EUIs are subject to Regulation (EU) 2018/1725 (EUDPR) which is aligned with the General Data Protection Regulation (GDPR). While this audit was directed at EUIs, its findings are applicable to many organisations who use electronic communications as a means to keep their client base up to date.
In this article, we will explore the scope and findings of the EDPS audit and offer a number of recommendations for organisations to bring their newsletter processing activities into compliance.
Audit Scope and Methodology
The EDPS selected 27 EUIs operating under ‘.EU’ domain names and assessed the level of compliance of those EUIs with the information, transparency and consent requirements of the EUDPR. In order to carry out the remote audit, the EDPS’ assessors subscribed to each EUI’s newsletter to observe their compliance with notice and transparency requirements. After a period of time, the assessors subsequently unsubscribed from the newsletters, to validate that consent requirements were being met. In assessing compliance, the EDPS took account of their own 2017 Transparency Rights and Obligations Guidance Note, as well as the European Data Protection Board’s (EDPB) 2020 Guidelines on Consent under the GDPR.
While the audit established that most EUIs were in broad compliance, several findings related to the EUIs providing insufficient notice and transparency to individuals.
- Four EUIs had no data statement in place at the time of being assessed;
- A number of EUIs had generic data protection statements in place which did not address the processing at hand (i.e., the provision of newsletter subscription service);
- Two EUIs referred individuals to the data protection statement of their newsletter provider, rather than their own.
- One EUI referenced outdated regulation; and
- One EUI argued that the data protection statement and record of processing activities (ROPA) could be merged into the same document.
On the latter point, the EDPS underlined that the data protection statement and ROPA do not necessarily encompass the same information (e.g. the ROPA may contain additional internal-facing information) and should not be merged with the data protection statement as they serve different purposes. The EDPS observed that the ROPA serves the purpose of transparency for the general public, helping to strengthen public trust and making knowledge sharing between EUIs less complex. In contrast, the EDPS remarked that the purpose of data protection statements are to inform individuals about a specific data processing operation and should be transparent, clear, concise and targeted at the data subjects concerned.
Transparency – Clicking less is more
The EDPS concluded that several EUIs were lacking in meeting transparency requirements. The principle of transparency requires, as noted in the EDPS’ Guidance Paper on the topic, that communication relating to the processing of personal data should be easily accessible – the less clicks the better to get to the information. In this respect, a layered approach to the provision of information is recommended, allowing individuals to get in-context information at the point of processing and to request further information regarding processing should they require it.
Interestingly, it was noted in the report that some EUIs relied upon referring to the data protection statement of their newsletter service provider to inform data subjects of their rights.
Recipients and Data Transfers
The EDPS established that there was a lack of clarity for individuals regarding the communication of any additional recipients of their personal data for the purposes of providing them with the requested subscription service. Individuals should be made aware of this fact and provided details of any third-party recipients.
Specific recommendations in the audit report include that the distinction should be clear between categories of recipients that refer to internal employees of the organisation and those of external organisations. Where external organisations are concerned, individuals should be aware who those organisations are (e.g. US-based email service providers).
In the context of data transfer to third countries (e.g., US data transfers), the safeguards that are in place to facilitate such transfers should be clearly stated. This is of particular importance given the Schrems II judgement and the recently published updated Standard Contractual Clauses.
The EDPS found that there were opportunities for the EUIs to make it clearer to individuals that they have the right to withdraw consent at any time (for example, not just when they receive a new communication via unsubscribe links). It should also be noted that the EDPB recommends in its Guidelines on Consent that the method of withdrawal of consent should be as easy, but does not have to be the same method as how consent was first gained.
An additional point to note in the EDPS’ audit report is that a number of EUIs failed to clearly define the initial purpose for collecting individuals’ email addresses, which would hinder those EUIs from determining whether or not any further intended and separate processing of those email addresses in the future would be for a compatible purpose. This underscores the importance of fully complying with the data protection principles, in particular lawfulness, fairness, transparency and purpose limitation.
We recommend that all organisations take necessary and straight-forward steps to ensure that their data processing activities related to the provision of newsletter services are in line with data protection obligations. Given the general accessibility of newsletter offerings, compliance with relevant data protection obligations can be assessed by supervisory authorities with relative ease, as demonstrated by the remote EDPS audit.
We recommend that organisations review their data processing practices concerning the provision of newsletter services to ensure that:
- their data protection statement adequately covers all data protection provisions (including lawfulness, fairness, transparency and data subject rights) and includes relevant details as applicable (e.g. identity and contact details of the data controller, purpose for processing, legal basis, data retention periods, data subject rights and how to exercise them, contact details of the DPO etc.), in accordance with ICO Guidance;
- transparency information is prominently located on their website. Such information can be communicated to individuals in the data protection statement. Additionally, it can be provided in-context, at the point of data collection. Access to such information should be given prominent placement and not be buried deep within the navigation menu or via a small hyperlink the websites footer;
- third-party providers’ data protection statements should not be presented as their own, or in lieu of their own data protection statement;
- the purpose for data collection and type of communications that individuals can expect to receive by signing up to the newsletter is clear;
- the method of consent withdrawal is clearly communicated and always available to subscribers; and
- appropriate data protection due diligence is performed of any third-party newsletter service providers that they engage, particularly in light of the Schrems II judgement and the publication of updated Standard Contractual Clauses for appropriate data transfer mechanisms.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in respect of meeting their data protection obligations, including assessing the data protection considerations of data transfers to third countries. We offer a range of data governance services, including gap analysis, audit and assessment, and compliance support services. For more information please feel free to contact our advisors, who would be more than happy to help.