The Article 29 Working Party (WP29) has published its draft guidelines on transparency under the General Data Protection Regulation (GDPR). The guidelines cover (amongst other issues) the following areas:
The WP29 explains the elements of transparency stated in Chapter III of the GDPR. In particular, Article 12 of the GDPR sets out the requirements applying to: the information provided to data subjects (under Articles 13 and 14 of the GDPR); communications with data subjects concerning the exercise of their rights under the GDPR; and communications with data subjects in relation to data breaches.
Article 12(1) requires that the information or communication in question must be "concise, transparent, intelligible and easily accessible", meaning that information must be presented efficiently and succinctly in a way that is clearly differentiated from non-privacy information. The "easily accessible" element means that the data subject should immediately become aware of where the relevant information can be found. For example, once an app is installed, the necessary information must never be more than "two taps away" (i.e. for many apps this would mean that the information must be included in the app menu).
The guidelines explain that "clear and plain" language must be used while avoiding the use of complex, ambivalent or technical sentences. The guidelines state that language qualifiers such as "may", "might" and "some" as well as writing in the active instead of the passive form should be avoided. The WP29 also explains that the provision of information should be "free of charge" and should not be conditional upon financial transactions (such as the purchase of goods).
Article 12(1) provides that the necessary information or communication should be in writing but also allows for "other means" (including electronic means) to be used. Where a data controller maintains a website, the WP29 recommends the use of layered privacy notices / statements to enable data subjects to navigate to particular sections that are of interest to them. With regards to information provided orally upon an individual's request, the WP29's position is that the data controller should enable the individual concerned to re-listen to pre-recorded messages. In terms of providing oral information to data subjects in relation to their exercise of their rights (under Articles 15 to 22 and 34 of the GDPR), data controllers are required to verify the identity of data subjects before providing such information.
The guidelines state (among other things) that changes to privacy notices / statements are communicated by way of an appropriate modality (e.g. email) specifically devoted to those changes (i.e. not together with direct marketing communications). With respect to exceptions to the obligation to provide information, the WP29 notes (among other exceptions) the exception indicated in Article 13(4) of the GDPR. Under this Article, the obligation to provide information does not apply "where and insofar as, the data subject already has the information". The guidelines consider, however, that as a matter of best practice all of the information which data subjects already have should be provided to them again to ensure that they remain well informed about their rights and how their data is used.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.