Outside construction of the RPC building.

Article 29 Working Party publishes draft guidelines on transparency under the GDPR

Published on 11 April 2018

In accordance with the GDPR's new obligation of transparency, what do the WP29 draft guidelines suggest you put in your organisation's privacy policy and other privacy notices?

The background

The WP29 has adopted draft guidelines aimed at providing practical guidance and interpretive assistance on the new obligation of transparency concerning the processing of personal data under the GDPR.  The draft guidelines describe transparency as an overarching obligation that applies to three central areas: 

  • the provision of information to individuals relating to fair processing;
  • how data controllers communicate with individuals in relation to their rights: and
  • how data controllers facilitate the exercise by data subjects of their rights.  The guidelines are particularly relevant in the context of drafting privacy policies and notices.  

The development

The transparency requirements, which derive from Articles 12-14 of the GDPR, apply from the point that personal data is collected or obtained, throughout the whole processing period and at specific points in the processing cycle.  

Article 12 sets out the general rules which apply to the provision of information to individuals under Articles 13 and 14.  Articles 13 and 14 prescribe the information to be provided when data has been collected from the individual or obtained from elsewhere, respectively.  

Article 12 requires that the information or communication in question must comply with the following rules: 

  • it must be concise, transparent, intelligible and easily accessible;
  • clear and plain language must be used; 
  • the requirement for clear and plain language is of particular importance when providing information to children; 
  • it must be in writing "or by other means, including where appropriate, by electronic means"; 
  • where requested by the data subject it may be provided orally; and 
  • it must be provided free of charge.  

Under Articles 13 and 14, information is to be provided where personal data is collected from the data subject (Article 13), or where it is not (Article 14).  

While the GDPR does not prescribe the format or modality by which information under Articles 13 and 14 should be provided, it does make clear the data controller’s responsibility to take “appropriate measures” in relation to the provision of required information for transparency purposes.  

As regards the timing for provision of information under Articles 13 and 14, the WP29 notes that while information must be provided under Article 13(1) “at the time when personal data are obtained”, the general requirement under Article 14 is that the information must be provided within a “reasonable period” after obtaining the personal data and no later than one month, depending on the specific circumstances in which the data is processed.

Similarly, in relation to the notification of changes to Article 13 and 14 information, the WP29 says that if the change to the information is indicative of a fundamental change to the nature of the processing, such as enlargement of the categories of recipients or introduction of transfers to a third country, then that information should be provided to the individual “well in advance of the change actually taking effect”.

Articles 13 and14 also contain similar provisions requiring the data controller to inform the individual if it intends to further process their personal data for a purpose other than that for which it was collected or obtained in the first place.

The WP29’s robust position is that data controllers should provide individuals with an explanation as to how the processing for other purposes is compatible with the original purpose where a legal basis other than consent or applicable law is relied on for the new processing purpose.

The only exception under Article 13 is “where and in so far as, the data subject already has the information”.  

The WP29 notes that Article 14 carves out a much broader range of exceptions including where the provision of information is impossible or would involve disproportionate effort.  A further exception under Article 14(5)(d) applies where the personal data “must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy."

Why is this important?

The provision of guidance as to the GDPR's new obligation of transparency is particularly important in the context of privacy policies and privacy notices, and provides clearer guidance as to the level of transparency which the GDPR requires organisations to comply with.  

Any practical tips?

When drafting your privacy policy or notice, remember to check the guidance provided on the requirements of Article 12-14 of the GDPR.  As a rule of thumb, simplification of language will almost certainly aid the clarity and accessibility of such policies / notices.  Basically, keep it simple and don't over-lawyer! This may feel like a hard balance to achieve, especially given the prescriptive nature of the GDPR's requirements on transparency.  Having said this, clarity and transparency are what the regulators are looking for and, in any event, clearly makes sense from the perspective of engaging and building trust with your customers.


Example A

A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services.  The app also tells its users it will use the collected data for behavioural advertising purposes.  Neither geo-localisation nor online behavioural advertising are necessary for the provision of the photo editing service and go beyond the delivery of the core service provided.  Since users cannot use the app without consenting to these purposes, the consent cannot be considered as being freely given.

Example B

A music festival sells tickets through an online ticket agent.  With each online ticket sale, consent is requested in order to use contact details for marketing purposes.  To indicate consent for this purpose, customers can select either No or Yes.  The controller informs customers that they have the possibility to withdraw consent.  To do this, they could contact a call centre on business days between 8am and 5pm, free of charge.  The controller in this example does not comply with article 7(3) of the GDPR.  Withdrawing consent in this case requires a telephone call during business hours, and this is more burdensome than the one mouse-click needed for giving consent through the online ticket vendor, which is open 24/7.