Privacy & Information Security Law Blog

On December 12, 2017, the Article 29 Working Party (“Working Party”) published its guidelines on transparency under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance and clarification on the transparency obligations introduced by the EU General Data Protection Regulation (“GDPR”). The transparency obligations require controllers to provide certain information to data subjects regarding the processing of their personal data. Key takeaways from the Guidelines include:

• “Concise, transparent, intelligible and easily accessible” information notices: In order to be compliant, the information provided to data subjects regarding the processing of their personal data must be clearly distinguished from other information. This means controllers that attempt to hide processing information in the middle of wider terms and conditions will be in breach of the GDPR. The Working Party recommends processing information be provided in a “layered” structure that allows data subjects to navigate easily through the information. The Guidelines suggest that the first layer provide a clear overview of processing where they can find more detailed information, as well as information for data subjects on processing that has the greatest impact on them and processing that may come as a surprise to them. It is further recommended that a hyperlink to the privacy policy is provided at the point of data collection.
• “Clear and plain language” must be used: Information should be provided in a manner that is easy to understand and avoids complex sentences and language structures. Language must also be unambiguous, and avoid abstract terminology or equivocal language (e.g., conditional tenses and qualifying terms, such as “may,” “might” or “some”). In particular, where information is provided to children or other vulnerable people, the vocabulary, style and tone of the language must be adapted appropriately.
• Information must be “in writing or by other means”: Where a controller maintains a website, the Working Party recommends using electronically layered privacy notices. Other electronic means can be used to provide information to data subjects, including “just-in-time” contextual pop-up notices, 3D touch or “hover-over” notices and privacy dashboards. The chosen method must be appropriate for the circumstances.
• Information “may be provided orally”: Controllers may provide information orally if the identity of the data subject is clear. This does not apply to the provision of general privacy information to prospective customers or users whose identity currently cannot be verified. Oral information may be provided on a person-by-person basis or by automated means. Where automated means are adopted, the Working Party recommends the implementation of measures that allow data subjects to re-listen to the information, for example, through pre-recorded messages that can be replayed. In this context, controllers must maintain records and be able to demonstrate that (1) the data subject requested that information is provided orally, (2) where necessary, the identity of the data subject was verified, and (3) information was in fact provided to the data subject.
• Information must be provided free of charge: Controllers are prohibited from charging fees for the provision of processing information to data subjects. The provision of information also cannot be made conditional upon entry into a financial transaction.
• Content of the notice: With respect to the content of information to be provided to data subjects, the Guidelines refer to Articles 13 and 14 of the GDPR and the Annex to the Guidelines, which list the categories of information that must be included in the notices. The Working Party also clarifies that all categories of information to be provided pursuant to Articles 13 and 14 of the GDPR are of equal importance. The Working Party recommends that controllers provide data subjects with an overview of the consequences of the processing as it affects them, in addition to the information prescribed by the Articles.
• Changes to the notice: The Guidelines emphasize that the transparency requirements apply throughout the processing process. Any subsequent changes to a privacy notice must be communicated to data subjects. In this respect, the Guidelines recommend controllers explain to data subjects any likely impact that the changes may have on them. Where processing occurs on an ongoing basis, controllers are recommended to inform and periodically remind data subjects of the scope of the data processing.
• Timing: Information must be provided to data subjects at the commencement phase of the processing cycle when personal data is obtained and, in the case of personal data that is obtained indirectly, within a reasonable period (and no later than one month) following the receipt of the personal data. Where personal data is obtained indirectly and is to be used for communications with data subjects, information must be provided, at the latest, at the time of the first communication, but in any event within one month of receipt.
• Exceptions to the obligation to provide information: The Guidelines explain that exceptions to the obligation to provide information to data subjects about the processing of their personal data must be interpreted and applied narrowly. In addition, it stresses the importance of accountability for controllers. Where controllers seek to rely on exceptions, then as a general rule they must be able to demonstrate the circumstances or reasons that justify reliance on those exemptions (e.g., demonstrate the reasons why providing the information would prove impossible or involve disproportionate efforts).

The Guidelines state that controllers must review all information provided to data subjects regarding the processing of their personal data prior to May 25, 2018. The Working Party is accepting comments on the Guidelines until January 23, 2018.