Article 29 Data Protection Working Party ("WP29") GDPR Guidelines on Transparency
Introduction
The WP29 provides guidance on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation (the “GDPR”). Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of "fair processing" information to data subjects (e.g. in a privacy notice); (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR.
Elements of transparency
The information or communication made available to data subjects must comply with the following rules:
- it must be concise, transparent, intelligible and easily accessible;
- clear and plain language must be used (particularly when providing information to children);
- it must be in writing or by electronic means, where appropriate, but it may be provided orally; and
- it generally must be provided free of charge.
The WP29 has explained that "intelligible" means that the information should be understood by an average member of the intended audience. A data controller will have knowledge about the people it collects information from and it can use this knowledge to determine what that audience would likely understand; for example, working professionals will have higher level of understanding than children.
A data subject should not be taken by surprise by the ways in which their personal data has been used; they should be aware at the outset of what the processing involves. The WP29's position is that for complicated, technical or unexpected data processing, a data controller should explain in unambiguous language the effect that such processing will have on the data subject.
Indefinite language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers use indefinite language, they should be able to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of the processing. The information should be clearly set out (using paragraphing, bullet points and indents) and should not contain overly technical or specialist terminology.
Exercise of data subjects rights
Transparency places a triple obligation upon data controllers insofar as the rights of data subjects under the GDPR are concerned. They must, not only provide information to data subjects on their rights and facilitate the exercise of those rights, but there is also the requirement to comply with the principle of transparency (i.e. relating to the quality of the communications).
According to the WP29, the GDPR requirements in relation to the exercise of a data subject's rights and the nature of the information required are designed to meaningfully position data subjects so that they can hold data controllers accountable for the processing of their personal data.
Privacy notices
All privacy information addressed to individuals should be available in one place, or one complete document, so that the individual should not have to work to find the information. However this can be presented using a layered approach (i.e. a shorter initial document which then links to a full policy).
When taking a layered approach, the WP29's guidance slightly differs depending on when information is deployed in a non-digital or in a digital environment. In a non-digital environment the WP29 recommends that the first layer of a layered notice should include the purposes of the processing, identity of the controller, and the existence of the individual’s rights together with other information that has most impact on the individual. In a digital environment the WP29 provides that there should also be a description of the individual’s rights. Additionally, in an online environment the first layer of information should be directly brought to the attention of a data subject at the time of collection of the personal data (e.g. as a pop up or displayed as a data subject fills in an online form).
The WP29 states that it is insufficient and unfair to state in a privacy notice that individuals should regularly check for updates to the notice. The onus is on the controller to communicate changes to the notice, and in a way that takes "all measures necessary" to bring the specific changes to the individual's attention (and, importantly, such communications should also be separate from direct marketing content).
The WP29 further recommends that any changes or additions made by controllers to notices to align them with the GDPR are actively brought to the individual's attention. They suggest that as a minimum, controllers make their updated notices publically available (for example via their website). Where the updates are material or substantive, active communication to individuals is required.
In line with the GDPR principle of accountability, controllers should consider whether, and at what intervals, it is appropriate to provide reminders to individuals of the privacy notice and where it can be found.
Information to be provided to the data subject
The GDPR lists the categories of information that must be provided to a data subject in relation to the processing of their personal data where it is collected from the data subject or obtained from another source.
The following table summarises the information that must be provided to data subjects:
Required Information (Article 13 and 14 GDPR) | WP29 Comments |
The identity and contact details of the Controller. | The controller should allow for different channels of communication (e.g. phone, email, postal address etc.). |
The purposes and legal basis for the processing. | Ideally the purposes should be set out together with the relevant lawful basis relied on for that purpose, including for special categories of personal data. Where criminal conviction and offence data are processed, the relevant EU or Member State law on which the processing is carried out should be noted. |
Where legitimate interests is the legal basis, the legitimate interests pursued by the Controller or a third party. | It is best practice to provide the individual with details of the legitimate interest balancing test that must have been carried out prior to collecting a data subject's personal data (i.e. legitimate interests must not be overridden by the interests or fundamental rights and freedoms of the data subject). In practice, this may not be the easiest information to summarise succinctly in policies and to avoid information fatigue the WP29 suggests that this could be included by way of layered notice. In any case, the WP29's position is that information provided to the data subject should make it clear that they can obtain information on the balancing test upon request. This is essential for effective transparency where data subjects have doubts as to whether the balancing test has been carried out fairly or they wish to file a complaint with a supervisory authority. |
The categories of personal data. | Listing categories of data is only required where the data has not been obtained from the individual directly. |
Recipients (or categories of recipients) of the personal data. | This will generally involve specifically naming recipients to be the most meaningful to data subjects. Recipients include controllers, joint controllers and processors. Where a controller chooses to name only categories of recipients, this should be as specific as possible indicating the type of recipient, the industry, sector and sub-sector and the recipients’ location. |
Details of transfers outside the EU: including how the data will be protected and how the individual can obtain a copy of the safeguards, or where such safeguards have been made available. | The relevant GDPR article permitting the transfer and the corresponding mechanism (e.g. an adequacy decision) should be specified. A link to the adequacy mechanism used or information on where the document may be accessed should be included where possible. The principle of fairness requires that the information provided on transfers to third countries should be as meaningful as possible to individuals; this will generally mean that third countries should be named. |
The storage period (or if not possible, criteria used to determine that period). | The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess what the retention period will be for specific data/ purposes. It is not sufficient for the controller to generically state data will be kept as long as necessary for the legitimate purpose. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. |
The rights of the data subject to:
| This information should include a summary of what the relevant right involves and how the individual can take steps to exercise it and any limitations. The right to object to processing must be explicitly brought to the individual's attention at the time of first communication and must be presented clearly and separately from other information. |
Where processing is based on consent the right to withdraw consent at any time. | This information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it. |
The right to lodge a complaint with a supervisory authority. | This information should explain that the individual can bring the complaint in their Member State of residence, place of work or where an alleged breach of GDPR took place. |
Whether there is a statutory or contractual requirement to provide the information or whether it is necessary to enter into a contract or whether there is an obligation to provide the information and the possible consequences of failure. | For example, an employee may need to provide information to an employer pursuant to a contractual requirement (e.g. bank details to facilitate payment of wages). Online forms should clearly identify which fields are 'required', which ones are not, and the consequences for failing to provide the information. |
The source from which the personal data originate, and if applicable, whether it came from a publicly accessible source. | Specific sources of data should be provided unless not possible. However, the WP29 does not (in contrast to recipients above) state that the data sources have to be named, therefore arguably generic descriptions of the source may suffice. Details should include the nature of the sources (i.e. publicly/ privately held sources; the types of organisation/ industry/ sector; and where the information was held (EU or non-EU) etc.). |
The existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject. | It should be made clear when and if automated decision-making is used when processing data. This rule captures solely automated decisions that have a significant or legal effect on individuals. |
Please see here for the full WP29 guidelines on Transparency.