On 11 December the Article 29 Working Party ('A29WP') published its draft Guidance on transparency under GDPR.
The A29WP is accepting comments on the guidance until 23 January.
Transparency has always been at the heart of EU data protection and the GDPR is no exception, with the A29WP noting its intrinsic link to fairness and the new principle of accountability.
1. When do the new transparency obligations apply?
For new and existing processing the transparency obligations apply from 25 May 2018. Controllers should be revisiting all privacy statements/notices prior to May 2018 to ensure they’re in line with the new obligations.
2. What do the new transparency obligations apply to?
The A29WP sees transparency as applying throughout the processing lifecycle and not just on collection of the data. For example, transparency also applies when communicating with individuals about their rights and at specific points during the processing, e.g. if there is a material change to the processing or a data breach.
3. What are the elements of transparency under the GDPR?
(i) 'Concise, transparent, intelligible and easily accessible'.
Controllers should present information efficiently in order to avoid 'information fatigue'. The information should be differentiated from non-privacy matters such as contractual terms.
An 'intelligible' notice is one that can be understood by an average member of the intended audience. Controllers should regularly check notices are tailored to the actual audience. For complex, technical or unexpected processing in addition to giving notice, it is best practice to also spell out the consequences of the specific processing to the individual.
Translations will also be required where the Controller targets individuals speaking other languages.
(ii) 'Easily accessible'
The individual shouldn’t have to work to find the information: this should be clearly flagged to them. E.g.:
- for apps, notice should be made available from the online store prior to download. Once the app is installed the A29WP state the privacy notice should never be more than 'two taps away'.
(iii) 'Clear and plain language'
Information should be provided in a simple manner. It shouldn’t be phrased in vague or abstract terms or leave room for different interpretations. Qualifications such as 'may', 'might', 'some', 'often' and 'possible' should be avoided.
WP29 says the following examples (all of which can be found in most privacy policies) fall foul of the clear and plain language requirement:
- 'We may use your information to develop new services' (as unclear what the services are and how the data will develop them).
- 'We may use your personal data for research purposes' (as unclear what type of research this refers to).
Language is especially important when processing children's data. Where relevant, Controllers should ensure that the vocabulary, tone and style of language is appropriate to and resonates with a children's audience.
(iv) 'In writing or by other means'
The default position is that notice be given in writing, but GDPR also allows notice to be given by 'other means'. Examples of ‘other means’ include: layered privacy statements, just-in-time pop-up notices, 3D touch or hover-over notices, privacy dashboards, infographics, videos and smartphone/IoT voice alerts. Even cartoons are cited for the more creative Controller.
(v) 'The information may be provided orally'.
Article 12 GDPR contemplates that information may be provided orally in certain circumstances. GDPR states that the individual's identity must be proven before information is provided orally – however, the A29WP notes that this condition only applies to exercise of individual rights outlined in Articles 15 to 22 and 34 (for example, access and correction). There is no need for an individual to prove their identity before a privacy notice is communicated orally.
(vi) 'Free of Charge'
Controllers can’t charge individuals for the provision of information.
4. What information must be provided?
Required Information (Article 13 and 14 GDPR)
The identity and contact details of the Controller and their representative (where applicable).
This should allow for easy identification of the Controller.
A29WP states the controller should also allow for different channels of communication (e.g. phone, email, postal address etc.).
Contact details for the data protection officer, where applicable.
The purposes and legal basis for the processing.
A29WP states that the purposes should be set out together with the relevant lawful basis relied on.
The A29WP does not comment on the level of granularity required for documenting the lawful basis, therefore relatively high level descriptions might suffice as opposed to having to list the lawful basis for each data category.
Where legitimate interests is the legal basis, the legitimate interests pursued by the Controller or a third party.
This should include the specific legitimate interest on which the Controller or the third party is relying.
It is also best practice to provide the individual with details of the legitimate interest balancing test. In practice, this may not be the easiest information to summarise succinctly in policies.
The categories of personal data
Technically, listing categories of data is only required under Article 14 GDPR where the data has not been obtained from the individual directly.
Recipients (or categories of recipients) of the personal data.
The default position is that a Controller should name the recipients of the data. In practice this could be labour intensive, detailed and likely to go out of date quickly.
The A29WP does allow recipients to be described generically in some circumstances, but the Controller must be able to demonstrate why it is fair to take this approach.
In addition, where the categories of recipients are described generically the description should be specific by reference to the activities it carries out, industry and location.
Details of transfers outside the EU: including how the data will be protected and how the individual can obtain a copy of the safeguards, or where such safeguards have been made available.
The notice should explicitly mention all third countries to which the data will be transferred.
Where possible, a link to the adequacy mechanism used, or information on where the document may be accessed, should be provided.
The retention period (or if not possible, criteria used to determine that period).
According to the A29WP it is not sufficient for the Controller to generically state data will be kept as long as necessary for the legitimate purpose.
Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. This will be one of the more difficult GDPR notice requirements, particularly for Controllers that don't currently have developed retention policies.
The rights of the data subject to access; rectification; erasure; restriction, objection and portability.
This information should include a summary of what the relevant right involves and how the individual can take steps to exercise it.
The right to object to processing must be explicitly brought to the individual's attention at the latest at the time of first communication and must be presented clearly and separately from other information.
More generally the A29WP stresses that the principle of transparency also applies when communicating with individuals in relation to their rights or facilitating these rights.
Where processing is based on consent the right to withdraw consent at any time.
The right to lodge a complaint with a supervisory authority.
This includes noting that the individual can bring the complaint in their Member State of residence, place of work or the place of an alleged breach of GDPR.
Whether there is a statutory or contractual requirement to provide the information or whether it is necessary to enter into a contract or whether there is an obligation to provide the information and the possible consequences of failure.
E.g. an employee may need to provide information to an employer pursuant to a contractual requirement (e.g. bank details to facilitate payment of wages).
Online forms should clearly identify which fields are 'required', which ones are not, and the consequences for failing to provide the information.
The source from which the personal data originate, and if applicable, whether it came from a publicly accessible source.
Specific sources of data are to be provided unless this is not possible. However, the A29WP does not (in contrast to recipients above) state that the data sources have to be named, therefore arguably generic descriptions of the source may suffice.
Details should include the nature of the sources (i.e. publicly/ privately held sources; the types of organisation/ industry/ sector; and where the information was held (EU or non-EU) etc.).
The existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject.
This rule captures solely automated decisions that have a significant or legal effect on individuals.
5. Timing for provision of information
Timings for notice:
Where the data is collected from the individual directly: at the time when the data was obtained.
Where the data is not obtained from the individual directly: within a reasonable period and no later than one month, but potentially earlier in certain circumstances, e.g.:
- if the data is used to communicate with the individual, at the time of communication;
- if the data is disclosed to another recipient, at the time of first disclosure.
While the GDPR is silent, A29WP states that the new information must be notified before starting the new processing activity. However, if the change is fundamental (e.g. enlargement of the categories of recipients or new transfers outside the EEA) or a change that would impact upon the individual, then that information should be provided well in advance of the change taking place.
7. How should the information be provided?
The Controller must take active steps to provide the notice. The individual should not, in contrast, have to take active steps to find the notice.
In line with previous guidance from regulators, the A29WP recommends layered notices in the digital context rather than displaying all information together on screen.
Similarly 'push' and 'pull' notices are recommended. A push notice is where information is made available via a just-in-time pop-up as and when it is relevant. Whereas 'pull' notices allow the individual to link to more information via permission management, transparency dashboards, and 'learn more' tutorials.
Information can also be provided through standardised icons. However, this is dependent on the development of a standardised set of icons recognised across the EU.
While electronic privacy policies will be appropriate for most Controllers with an online presence, for certain environments notice may have to be delivered via different channels, e.g. by hard copy when entering into contracts by post, by public signage for CCTV, by oral explanation in a telephone environment, or by icons, voice alerts or hard copy for certain types of screenless smart technology.
8. What about further processing?
GDPR requires a Controller to inform the individual if it intends to further process their data for a compatible purpose other than that for which it was collected. An individual should not be taken by surprise by such further processing.
Controllers should also provide an explanation as to how the new processing activity is compatible with the original purpose in circumstances where the 'lawful basis is other than consent or compliance with a legal obligation'.
9. Are there exemptions?
Where the information has been collected from the individual directly, the only exemption is if the individual already has the information.
Where the information has not been collected from the individual, there are limited exemptions where (i) the provision of the information is impossible or would involve disproportionate effort; (ii) the Controller is subject to an EU or Member State law to process the data and the law provides for appropriate protections for the data subject's legitimate interests; or (iii) an obligation of professional secrecy under EU or Member State law means the personal data must remain confidential. WP29 interprets all of this conservatively.
A copy of the draft guidelines can be found here.