The Office of the Data Protection Commissioner (DPC) recently announced an online consultation on certain aspects of the GDPR. This consultation, which will run until 13 October 2017, is focused on the key topics of transparency and international data transfers under the GDPR.
The consultation comes ahead of an Article 29 Working Party (WP29) ‘Fablab’ workshop to be held in Brussels on 18 October 2017. WP29 intends to consult with various stakeholders on these topics to inform its preparation of new and updated GDPR guidelines.
The DPC is seeking to capture the views of stakeholders on these topics, and share those views with WP29 at the upcoming Fablab. The DPC will also use submissions to inform GDPR guidance materials which the DPC may produce in the future.
Transparency is key
The concept of transparency is an intrinsic element of the GDPR and one of the core principles which must be borne in mind when processing personal data. Processing data can only be fair if it is done in a transparent manner. This is outlined in Article 5(1)(a) GDPR, whereby personal data must be processed in a “transparent manner”, in addition to the other requirements.
Transparency is also linked to accountability under GPDR. It can only serve its purpose if it is meaningful. Under the GDPR, transparency underpins the provision of information to data subjects related to fair processing; how data controllers communicate with data subjects in relation to their rights under the GDPR; and how data controllers facilitate the exercise by data subjects of their rights.
The DPC has identified key areas for which it is seeking the views of stakeholders. These include:
- how to define “transparency" - the “appropriate measures” a data controller should take to provide the information required relating to processing
- the tools and methodologies to adhere to transparency requirements
The DPC is also seeking stakeholder views on the higher level of transparency required when addressing child data subjects and how that might be achieved.
In this consultation, the DPC also addresses another key aspect of the GDPR: the situation where a data controller intends to further process the personal data for a purpose other than that for which it was collected. In that instance, the data controller is required to provide the data subject with information on that additional or new purpose “prior to that further processing”. The DPC wants to understand from stakeholders how they envisage this being achieved.
Information ‘fatigue’ can undermine the positive benefits of transparency for a data subject, and should therefore be avoided. However, data controllers must ensure compliance with all of the transparency requirements in the GDPR. Stakeholders also have the opportunity to address this challenge in their submissions.
Hop, skip and a transfer
Chapter V of the GDPR sets out legal bases for transfers of personal data to countries or organisations located outside the EEA. The general principle is that a transfer shall take place only if, subject to the other provisions of the GDPR, the conditions laid down in Chapter V are complied with. In addition, the provisions in Chapter V must be applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined.
The DPC is seeking submissions from stakeholders on what they perceive will be the most likely or most commonly relied upon legal bases/mechanisms in relation to data transfers.
Views sought on this aspect of the consultation include considerations of the challenges to conducting personal data transfers under each of the available legal bases/mechanisms set out in the GDPR and what specific actions might be taken to help address or alleviate those challenges.
Stakeholders will have the opportunity to identify which aspects of Chapter V should be prioritised for the purposes of guidelines which may be produced by WP29 and/or national data protection authorities.