Once the GDPR enters into force, personal data must be processed in a transparent manner. But what does that mean? Our Belgian firm provides details of recent guidance on the topic published by the Article 29 Working Party.
By: Annabelle Truyers
Firm: Claeys & Engels
The GDPR introduces a wide-reaching transparency principle with which data processors must comply. Under this principle, their obligation to provide information is considerably extended, and more attention is paid to the way in which that information must be provided. The Article 29 Working Party (‘WP29’), an advisory and consultation body of the European data protection supervisory authorities, published its final guidance on this notion of ‘transparency’ on 11 April 2018.
The GDPR extends the information obligation imposed on organisations that process the personal data of individuals. In addition to the information that must be provided at present, the organisation will also have to provide further information, including:
- the legal ground for data processing;
- whether it intends to transfer data outside the European Union;
- the period for which the data will be stored;
- the right to lodge a complaint with the supervisory authority;
- the right to withdraw consent;
- the identity of the ‘Data Protection Officer’.
The transparency principle means that this more extensive information has to be provided in an intelligible and easily accessible form, using clear and plain language.
In its provisional opinion, the WP29 gave a first interpretation of organisations’ obligations under the transparency principle. In its final opinion of 11 April 2018, the WP29 sets out its definitive position on the matter. The key elements of that final guidance are summarised below.
How must the information be provided?
WP29 emphasises that the notification must be as transparent as possible, taking into account its form, its language and its accessibility:
The WP29 recommends written notification. The data controller should decide on the appropriate form of notification, taking into account all the circumstances of each particular case.
The requirement for clear, plain language means that information should be provided in as simple a manner as possible, avoiding complex sentences and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. WP29 gives a few examples of ‘do’s’ and ‘don’ts’.
The ‘easily accessible’ requirement means that the data subject should not have to seek out the information. WP29 recommends that the data controller should ensure that it is immediately apparent where this information can be accessed, for example by providing it directly to the data subject, by linking them to it or by clearly signposting it.
WP29 recommends the use of layered privacy statements and notices, especially in a digital context. Every organisation that maintains a website should publish a broad privacy statement or notice on its website. The statement or notice should allow the data subject to find the relevant specific privacy statement or notice, or when the information is given electronically, to click on the relevant privacy statement or notice.
The first ‘layer’ of the privacy statement or notice (the first thing that is brought to one’s attention) should contain the details of the purpose for which the data is processed, the identity of the controller, a description of the data subject’s rights and where appropriate, the information that would have the biggest impact on the data subject. Such layered privacy statements or notices can cover occasional processing activities (such as the processing of customer or supplier contact details). Similar principles apply if the information is delivered orally.
How detailed should the notification be?
WP29 goes on to interpret the extended information obligation imposed on the company towards the individuals whose data is being processed.
In particular, according to the Working Party, the information that needs to be given under the GDPR should be made concrete as set out below:
Click here to view the table.
The question arises as to how detailed the notification needs to be. WP29 acknowledges a tension between the obligation to provide extensive information to data subjects on the one hand and the requirement to do so in a concise, transparent, intelligible and easily accessible way on the other. The Working Party specifies that the data controller needs to analyse the nature, circumstances, scope and context of the data being processed. On the basis of these factors, the organisation can decide how detailed the information needs to be, which information is given priority, and the way in which the information is provided (subject to the legal provisions of the GDPR and the recommendations of WP29). The level of detail is therefore, to a certain extent, the outcome of a risk analysis by the company.
Other points to note
WP29 also draws attention to the following points:
Changes to the notification
If the notification given to data subjects is changed, WP29 states that the company must communicate these changes, especially when they are substantial or material. As a minimum, this information should be publicly accessible, and the potential impact of the changes should be clearly stated. According to the Working Party, a fundamental change, or one that is relevant to or impacts on the data subject, should be announced in advance. The period of time between the notification and the moment the change takes effect must be capable of being justified.
Processing for another purpose
The Working Party sets out what information should be given when the data controller wants to process personal data for a purpose other than the one for which the data was obtained, and within what period of time this needs to be done.
Exception to the obligatory notification requirement
Finally, WP29 examines cases where no notification is required, in particular:
- where the data controller already possesses the information;
- where the data is not obtained from the data subject and providing the information is impossible or would require a disproportionate effort;
- where it is legally forbidden to obtain information;
- where the personal data must stay confidential.
WP29 explains how it interprets these exceptions with a few examples and best-practice notes, which indicate that it applies them restrictively.