On 11 December 2017, the Article 29 Working Party (Art 29 WP) published its draft guidance on transparency. The guidelines are open for consultation until 23 January 2018.
The Art 29 WP analyses the elements of transparency required by the General Data Protection Regulation (GDPR). It also provides further details on the information that data controllers must provide to data subjects, specifically in relation to Articles 12 and 13.
1. The concept of transparency
Transparency is a key concept of the GDPR. It is fundamentally linked to the GDPR’s central principles of fairness and accountability.
Under Article 4(2) of the GDPR, data controllers must be able to demonstrate that the personal data they process is processed transparently.
2. The elements of transparency
Article 12(1) requires that any information that is given to data subjects is provided:
- in a concise, transparent, intelligible and easily accessible form;
- using clear and plain language;
- in writing, or by other means;
- where requested by the data subject, orally; and
- free of charge.
The Art 29 WP analyses each of these elements in turn.
“in a concise, transparent, intelligible and easily accessible form”
The Art 29 WP recommends that data controllers ensure that information is presented to data subjects efficiently and succinctly. This is to avoid information fatigue. In addition, it suggests that information is clearly distinguished from non-privacy-related information, such as contractual provisions.
To be considered intelligible, information should be able to be understood by an average member of the intended audience. Data controllers will need to identify their proposed audience and determine the average member’s level of understanding. This could involve the testing of the intelligibility of information through user panels.
The “easily accessible” element of transparency means that data subjects should not have to seek out the information they need. It should be immediately apparent to them where such information can be accessed. In the context of a website, for example, a link to the privacy notice should be clearly visible on each webpage. Equally, if using an app, privacy information should never be more than “two taps away”.
“clear and plain language”
Information should be provided as simply as possible using clear and plain language. The use of complex sentences and language structures should be avoided.
The guidance also notes that language qualifiers such as “may,” “might,” “some,” “often,” and “possible” should be avoided.
“in writing, or by other means”
The default mode of communication between a data controller and data subjects will be in writing. However, the GDPR allows for other unspecified “means” to be used. The guidelines suggest that this could include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, privacy dashboards, or IoT voice alerts.
“where requested by the data subject, orally”
Data controllers will be required to provide information to data subjects orally, where requested. However, the Art 29 WP notes that this does not need to be provided in person or by telephone. It could, instead, be automated. In these cases, data subjects should have the right to re-listen to any pre-recorded messages.
3. How should information be provided to data subjects?
The Art 29 WP provides details about how the information required by Articles 13 and 14 of the GDPR should be communicated to data subjects. These include the following key points:
- Format: When determining the appropriate mode to communicate with data subjects, data controllers will need to consider issues such as the nature of the user’s interactions with the controller. For example, it may be appropriate for controllers who maintain a digital/online presence to provide the information through an electronic privacy statement/notice. However, controllers may also need to consider providing the information in additional formats.
- Changes to privacy policies/notices: Transparency applies throughout the processing lifecycle, not just at the point of collection. As a result, data controllers should ensure that they adhere to the same transparency principles when communicating any changes or amendments to privacy policies and/or notices as they did when the information was initially provided to the data subject.
- Notification of changes: Data subjects should be informed well in advance of any change to the information provided that indicates a fundamental change to the processing of their personal data.
These guidelines demonstrate the strict approach that the Art 29 WP is adopting in its interpretation of the GDPR. It will be interesting to see what, if any, changes are made to the final guidance.
In the meantime, data controllers should review their existing communications with data subjects and identify any areas that may be a concern.