The Article 29 Working Party (WP29), the representative group of data protection authorities across the EU, has issued guidance on the principle of transparency established in the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
Transparency requirements oblige data controllers to provide information to data subjects on their rights, to be transparent in communications with data subjects, and to facilitate the exercise of data subjects’ rights under the GDPR.
The guidance sets out that the GDPR requires any information or communication relating to the processing of personal data to be provided:
- In a concise, transparent, intelligible and easily accessible form;
- Using clear and plain language;
- In writing, or by other means, including, where appropriate, by electronic means;
- Where requested by the data subject it may be provided orally; and
- It must be provided free of charge.
“Concise, transparent, intelligible and easily accessible” information
The GDPR requires information be presented in a manner clearly differentiated from other non-privacy related information. Controllers should provide unambiguous information on the most important consequences of the processing on the data subject. They should not have to seek it out.
“Clear and plain language”
Best practices for clear writing are preferred under the GDPR. Any language used must be concrete and definitive. Overly legalistic, technical or specialist language and terminology should not be presented to the data subject.
“In writing or by other means”
The default position for the provision of information under the GDPR is that the information is in written form.
“The information may be provided orally”
The provision of oral information does not necessarily require it to be done in person or by telephone. The WP29 has noted that automated oral information may be provided in addition to written means, such as in the context of persons who are visually impaired.
“Free of charge”
Under the GDPR, controllers cannot charge data subjects for the provision of information or for communications to data subjects.
Format of Information
The WP29 has given examples of the appropriate form the information should take:
- Layered Privacy Statements/Notices
- Privacy dashboards and pop-up notices
- Visualisation tools
- Other appropriate means of communication such as postal contracts, person-to-person interaction, or messages sent by email.
Data Subjects’ Rights
The GDPR also requires controllers to allow for data subjects’ to be “meaningfully” positioned to make data requests and that they should provide means to make the request electronically. Where the data subject and controller interact in different ways, a data controller should wish to provide different means for a data subject to exercise their rights.
Although the WP29’s guidance is non-binding, the guidelines are helpful to ensure that data controllers are GDPR-compliant in the run-up to 25 May. The concept of transparency in the GDPR is user-centric, so controllers must ensure that information and communications are understandable from the perspective of a data subject and are not jargon-heavy. Furthermore, controllers must make sure that data subjects’ rights under the GDPR are clearly communicated to them.