The Article 29 Data Protection Working Party (WP29) provides useful guidance for the implementation and interpretation of the GDPR transparency requirement in its recently published guidelines. Transparency is one of the fundamental obligations to fulfil as part of GDPR compliance, since it is linked to the principles of fairness and accountability.
The GDPR transparency requirement contributes significantly to data subjects' understanding of the data processing, its effects, and the rights available to them under the new EU regulation. In this article, I analyse the main elements of the transparency obligation, as presented by the WP29, with a focus on the content, style, timing and means of the privacy notice.
What information should be provided?
Articles 13 and 14 of the GDPR stipulate the content of the information that should be communicated to the data subject. Specifically, the information should include the following:
- The identity and contact details of the data controller and the data protection officer,
- The purposes and legal basis for the data processing,
- The categories of personal data concerned,
- Details of transfers to third countries,
- The storage period or the criteria used to determine the length of the data storage,
- The rights of the data subjects to access, correct, erase, restrict, object, withdraw their consent and file a complaint with the supervisory authority,
- The source from where the data originate,
- The existence of automated decision making including profiling, if any.
Form of the information concerned
The information needs to be easily accessible: it should not be buried among other legal information, such as terms and conditions, where it causes information fatigue and confusion. At the same time, it should be intelligible, namely easy for the average member of both the intended audience and the actual audience to understand. In particular, when the services or goods of a data controller are used mainly by children, it is important that the language used is such that they recognise that the information is directed to them.
Additionally, in any case the language needs to be kept clear and plain, without legalistic expressions and complicated structures. If the targeted audience speaks one or more foreign languages, the information should be translated into the respective languages accurately and with correct syntax.
The information must also be provided free of charge and it cannot be conditional upon financial transactions, such as the purchase of services or goods.
When should the information be given?
The provision of information should be conducted in three stages throughout the data processing cycle. In more detail, it must be provided: before or at the beginning of data processing, such as at the time of the data collection; throughout the processing period for example when communicating with data subjects about their rights; and at specific points during the ongoing processing, for instance in data breach incidents or in case of crucial changes to the processing.
As a general rule of transparency, the information should be provided within a reasonable period, taking into consideration the particular circumstances of the processing. In any case, the information should be provided no later than one month after the triggering event, e.g. obtaining the data or receiving a request from the data subject.
Notifications regarding changes to the information previously provided should be given reasonably in advance. Especially when the changes are fundamental or entail important consequences for the data subjects, the notification should be provided early enough to enable the individuals to consider the impact of the changes and the possibility of exercising their rights.
What means should be used?
The information can be provided in written form, for example on the packaging of goods or online, as well as orally, such as through automated phone messages. The selection of the most suitable means of conveying the information must take into account the particular circumstances, such as the way the data is collected or the way the data controller and data subject interact. Under this rule, if the data is collected through an IoT device without a screen, an online privacy notice alone may prove insufficient. However, the data controller would comply with the transparency obligation if the website address of the online privacy notice is provided in hard copy or on the packaging of the device.
If the data controller maintains a website, WP29 highly recommends the use of layered privacy notices, which enable users to navigate to the parts of the information they are most interested in, avoiding information fatigue. Layered privacy notices provide, at a first level, an overview of the most significant points and, at a second level, more detailed information. In addition to layered privacy notices, data controllers could use videos and smartphone or IoT voice alerts.
Alternative acceptable ways of delivering information are also “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards.