The GDPR introduces a wide-reaching transparency principle with which data controllers must comply. Under this principle, their obligation to provide information is considerably extended and more attention is paid to the way in which that information must be provided. The Article 29 Working Party (‘WP29’), an advisory body composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission, published its final guidelines on ‘transparency’ on 11 April 2018.
The GDPR extends the obligation to provide information imposed on organisations that process the personal data of individuals. In addition to the information that must be provided at present, the organisation will also have to provide further information including:
The transparency principle means that this more extensive information has to be provided in an intelligible and easily accessible form, using clear and plain language.
In its draft guidelines, WP29 gave a first interpretation of organisations’ obligations under the transparency principle; the final guidelines of 11 April 2018 settle its position on the matter. The key elements of the final guidelines are set out below.
How must the information be provided?
WP29 emphasises that the notification must be as transparent as possible, taking into account form, language and accessibility:
The WP29 recommends written notification. The data controller should decide on the appropriate form of notification, taking into account all the circumstances of each particular case.
The requirement for clear, plain language means that information should be provided in as simple a manner as possible, avoiding complex sentences and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. WP29 gives a few examples of ‘do’s’ and ‘don’ts’.
The ‘easily accessible’ requirement means that the data subject should not have to seek out the information. WP29 recommends that the data controller should ensure that it is immediately apparent where this information can be accessed, for example by providing it directly to the data subject, by linking them to it or by clearly signposting it.
WP29 recommends the use of layered privacy statements and notices, especially in a digital context. Every organisation that maintains a website should publish a broad privacy statement or notice on its website. The statement or notice should allow the data subject to find the relevant specific privacy statement or notice, or when the information is given electronically, to click on the relevant privacy statement or notice.
The first ‘layer’ of the privacy statement or notice (the first thing that is brought to one’s attention) should contain the details of the purpose for which the data is processed, the identity of the controller, a description of the data subject’s rights and where appropriate, the information that would have the biggest impact on the data subject. Such layered privacy statements or notices can cover occasional processing activities (such as the processing of customer or supplier contact details). Similar principles apply if the information is delivered orally.
How detailed should the notification be?
WP29 goes on to interpret the extended information obligation imposed on the organisation towards the individuals whose data it processes.
In particular, the Working Party sets out how each item of information required under the GDPR should be made concrete:
Required information: The identity and contact details of the organisation and, where applicable, its representative.
WP29 advice: This information should allow the organisation to be identified easily and should preferably offer several means of communication (e.g. telephone number, email address, postal address).

Required information: The contact details of the data protection officer, where applicable.
WP29 advice: The Working Party refers to its previous Guidelines on Data Protection Officers.

Required information: The purposes and legal basis of the processing.
WP29 advice: The purpose for which the personal data is processed must be specified, together with the relevant legal basis. Where special categories of personal data are processed, this must also be specified.

Required information: The legitimate interests of the organisation or of a third party, where this is the legal basis of the processing.
WP29 advice: The legitimate interest must be identified. The GDPR allows legitimate interest to be relied on only where it is not overridden by the interests or fundamental rights and freedoms of the data subject. In other words, an assessment must be made that weighs the data subject’s rights and interests against the legitimate interest relied on (the ‘balancing test’). As a matter of best practice, the organisation should also provide the data subject with the information used in applying the balancing test, or at least ensure that the data subject can obtain this information on request. In this way there is no doubt that an assessment was conducted, which could prove essential for data subjects wishing to lodge a complaint with the Data Protection Authority. This amends WP29’s draft position of November 2017, which treated the provision of information on the balancing test as obligatory.

Required information: The categories of personal data concerned.
WP29 advice: As reflected in the GDPR, WP29 confirms that this information is only required where the personal data has not been obtained directly from the data subject.

Required information: The recipients (or categories of recipients) of the personal data.
WP29 advice: The Working Party emphasises that a recipient need not be a third party, and that recipients should be described in detail. The information must be ‘meaningful’ for data subjects, which means that recipients should be named so that data subjects know who holds their data. Where a controller opts to provide only categories of recipients, those categories should be as specific as possible.

Required information: The organisation’s intention to transfer data to third countries, the relevant safeguards (including the existence or absence of a Commission adequacy decision) and the means by which a copy of them can be obtained or where they have been made available.
WP29 advice: Information about transfers to third countries must also be ‘meaningful’, which according to WP29 will generally mean naming the third countries to which the data will be transferred. This refines WP29’s draft position of November 2017, which treated listing the third countries as obligatory. The GDPR article permitting the transfer and the corresponding transfer mechanism should be specified. Where possible, a link to the mechanism used, or information on where and how the relevant document may be accessed or obtained, should also be provided.

Required information: The storage period (or, if that is not possible, the criteria used to determine it).
WP29 advice: The information should be phrased so that the data subject can assess what the retention period will be for specific data or purposes. It is not sufficient to state that personal data will be kept as long as necessary. This position of WP29 departs from the earlier opinion of the Belgian Privacy Commission.

Required information: The data subject’s rights of access, rectification, erasure, restriction of processing, objection to processing and data portability.
WP29 advice: This information should include a summary of what each right involves and how the data subject can exercise it. In particular, the right to object to processing must be explicitly brought to the data subject’s attention at the latest at the time of the first communication with the data subject, and must be presented clearly and separately from any other information.

Required information: Where processing is based on consent (or explicit consent), the right to withdraw consent at any time.
WP29 advice: This information should explain how consent may be withdrawn, bearing in mind that it should be as easy for a data subject to withdraw consent as to give it.

Required information: The right to lodge a complaint with a supervisory authority.
WP29 advice: This information should explain that a data subject who believes that his or her rights under the GDPR have been infringed has the right to lodge a complaint with a supervisory authority in the Member State of his or her habitual residence, place of work or the place of the alleged infringement. In Belgium this is the Data Protection Authority, the new name of the Privacy Commission.

Required information: Whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; whether the data subject is obliged to provide the personal data; and the possible consequences of failing to do so.
WP29 advice: This information is only required where the personal data has been obtained from the data subject. For example, in an employment context it may be a contractual requirement to provide certain information to a current or prospective employer. Online forms should clearly identify which fields are ‘required’ and which are not, and what the consequences of not completing the required fields will be.

Required information: The source from which the personal data originates and, if applicable, whether it came from a publicly accessible source.
WP29 advice: This information is only required where the personal data has not been obtained from the data subject. The specific source should be named unless this is not possible, in which case more general information about the nature of the source should be given instead.

Required information: The existence of automated decision-making.
WP29 advice: The Working Party refers to its previous Guidelines on automated individual decision-making and profiling.
The question arises as to how detailed the notification needs to be. WP29 acknowledges a tension between the obligation to provide extensive information to data subjects on the one hand and the requirement to do so in a concise, transparent, intelligible and easily accessible way on the other. The Working Party states that the controller must analyse the nature, circumstances, scope and context of the processing. On the basis of these factors, the organisation can decide how detailed the information needs to be, which information is given priority and how the information is to be provided (subject to the legal provisions of the GDPR and the recommendations of WP29). The level of detail is therefore to some extent based on a risk analysis by the organisation.
Other points to note
WP29 also draws attention to the following points:
Changes to the notification
If the notification given to data subjects is changed, WP29 states that the organisation must communicate the changes, especially where they are substantial or material. As a minimum, this information should be publicly accessible, and the potential impact of the changes should be clearly stated. According to the Working Party, a fundamental change, or one that is relevant to or affects the data subject, should be announced in advance, and the period between the announcement and the time the change takes effect must be capable of being justified.
Processing for another purpose
The Working Party sets out what information should be given when the controller wants to process personal data for a purpose other than the one for which the data was provided, and within what period of time this needs to be done.
Exception to the obligatory notification requirement
Finally, WP29 examines cases where no notification is required, in particular:
WP29 explains how it interprets these exceptions with a few examples and best-practice notes, which indicate that it applies a restrictive interpretation.