The Article 29 Working Party (WP29) has published eagerly awaited guidelines on the obligation of transparency in relation to the processing of personal data under the GDPR. The principle requires that it be transparent to natural persons that their personal data will be processed and to what extent. The guidelines are especially welcome given that transparency is not actually defined in the GDPR. The obligation applies in three central areas:
- the provision of information related to fair processing to individuals;
- communicating with individuals in relation to their rights under the GDPR; and
- facilitating the exercise by individuals of their rights.
According to the guidelines, to comply with the obligation of transparency businesses should:
- present information about data processing efficiently and succinctly in order to avoid ‘information fatigue’ on the part of individuals;
- make the information intelligible, in that it should be “understood by an average member of the intended audience”. To this end organisations should first identify the intended or likely audience, ascertain the average audience member’s level of understanding and draft the information accordingly;
- when processing the data of children or vulnerable persons, ensure that the “vocabulary, tone and style of the language used” is appropriate to that audience;
- spell out not just the scope, but also the consequences of processing, in unambiguous language – ie not just what the processing entails, but also the likely effects such processing will have;
- make information “easily accessible”, in that it should be immediately apparent where the information can be obtained; and
- provide information in “clear and plain language”, meaning in as simple a manner as possible, avoiding complex sentence and language structure.
The WP29 addresses the difficulty inherent in transmitting information on complex data processing operations clearly and succinctly. In the online context the use of ‘layered’ privacy statements on websites is recommended. The first ‘layer’ should “always contain information on the processing which has the most impact on the data subject and processing which could surprise the data subject”, from which point an individual can navigate directly to the section they need. Beyond the online context the guidelines also address “different personal data environments”, such as use of notices to notify data subjects where CCTV is in use, using QR codes that link to the information for screenless smart technology and providing oral explanations for data processing conducted by telephone.
For a more detailed analysis and expert insights on the incoming GDPR, we invite you to register here for PrivacySource, William Fry’s dedicated GDPR website.
Contributed by: John Magee