On 11 December 2017, the Article 29 Working Party (Art 29 WP) published its draft guidance on transparency. The guidelines are open for consultation until 23 January 2018.

The Art 29 WP analyse the elements of transparency required by the General Data Protection Regulation (GDPR). They also provide further details on the information that data controllers must provide to data subjects, specifically in relation to Articles 12 and 13.

1. The concept of transparency

Transparency is a key concept of the GDPR. It is fundamentally linked to the GDPR’s central principles of fairness and accountability.

Under Article 4(2) of the GDPR, data controllers must be able to demonstrate that the personal data they process is processed transparently.

2. The elements of transparency

Article 12(1) requires that any information that is given to data subjects is provided:

  • in a concise, transparent, intelligible and easily accessible form;
  • using clear and plain language;
  • in writing, or by other means;
  • where requested by the data subject, orally; and
  • free of charge.

The Art 29 WP analyse each of these elements.
Continue Reading Article 29 Working Party releases guidelines on transparency under the GDPR

On 28 November 2017, the Article 29 Working Party (“WP29”) published its guidelines on consent under the General Data Protection Regulation (“GDPR”). The guidelines are open for public consultation until 23 January 2018. They provide an analysis of the concept of consent. They also provide practical guidance for organisations on the requirements to obtaining and demonstrating valid consent under the GDPR.

The concept of consent

Under GDPR, a data controller can only process personal data on the basis of one of six legal grounds. An individual’s consent to processing is one of these lawful grounds. The GDPR defines consent as a “freely given, specific, informed and unambiguous” indication of an individual’s wishes to signify agreement to the processing of their personal data.

Elements of valid consent

The guidelines analyse four areas relevant to free consent under GDPR:

  1. Imbalance of power: an imbalance exists wherever it is unlikely that an individual will be able to deny his/her consent to data processing without fear of detriment. For example, an imbalance of power is likely to exist in an employment context between employers and employees.
  2. Conditionality: requests for consent to the processing of personal data should not be “bundled up” with acceptance of other terms or conditions, unless necessary for the performance of a contract.
  3. Granular and specific: data controllers need to obtain separate consents from individuals for each specific purpose they intend to process individuals’ personal data. For example, separate consents should be obtained for direct marketing activities and sharing personal data with third parties.
  4. Detriment: individuals must be able to withdraw or refuse to grant consent to data processing without detriment. For example, such withdrawal or refusal should not lead to the individual incurring costs.

Continue Reading Article 29 Working Party releases guidelines on consent under the GDPR