Article 29 Working Party publishes draft guidelines on transparency under the GDPR
The WP29 has adopted draft guidelines aimed at providing practical guidance and interpretive assistance on the new obligation of transparency concerning the processing of personal data under the GDPR. The draft guidelines describe transparency as an overarching obligation that applies to three central areas:
- the provision of information to individuals relating to fair processing;
- how data controllers communicate with individuals in relation to their rights; and
- how data controllers facilitate the exercise by data subjects of their rights.
The guidelines are particularly relevant in the context of drafting privacy policies and notices.
The transparency requirements, which derive from Articles 12-14 of the GDPR, apply from the point that personal data is collected or obtained, throughout the whole processing period and at specific points in the processing cycle.
Article 12 sets out the general rules which apply to the provision of information to individuals under Articles 13 and 14. Articles 13 and 14 prescribe the information to be provided when data has been collected from the individual or obtained from elsewhere, respectively.
Article 12 requires that the information or communication in question must comply with the following rules:
- it must be concise, transparent, intelligible and easily accessible;
- clear and plain language must be used;
- the requirement for clear and plain language is of particular importance when providing information to children;
- it must be in writing "or by other means, including where appropriate, by electronic means";
- where requested by the data subject it may be provided orally; and
- it must be provided free of charge.
Under Articles 13 and 14, information is to be provided where personal data is collected from the data subject (Article 13), or where it is not (Article 14).
While the GDPR does not prescribe the format or modality by which information under Articles 13 and 14 should be provided, it does make clear the data controller’s responsibility to take “appropriate measures” in relation to the provision of required information for transparency purposes.
As regards the timing for provision of information under Articles 13 and 14, the WP29 notes that while information must be provided under Article 13(1) “at the time when personal data are obtained”, the general requirement under Article 14 is that the information must be provided within a “reasonable period” after obtaining the personal data and no later than one month, depending on the specific circumstances in which the data is processed.
Similarly, in relation to the notification of changes to Article 13 and 14 information, the WP29 says that if the change to the information is indicative of a fundamental change to the nature of the processing, such as enlargement of the categories of recipients or introduction of transfers to a third country, then that information should be provided to the individual “well in advance of the change actually taking effect”.
Articles 13 and 14 also contain similar provisions requiring the data controller to inform the individual if it intends to further process their personal data for a purpose other than that for which it was collected or obtained in the first place.
The WP29’s robust position is that data controllers should provide individuals with an explanation as to how the processing for other purposes is compatible with the original purpose where a legal basis other than consent or applicable law is relied on for the new processing purpose.
The only exception under Article 13 is “where and in so far as, the data subject already has the information”.
The WP29 notes that Article 14 carves out a much broader range of exceptions, including where the provision of information is impossible or would involve disproportionate effort. A further exception under Article 14(5)(d) applies where the personal data “must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy”.
Why is this important?
The provision of guidance as to the GDPR's new obligation of transparency is particularly important in the context of privacy policies and privacy notices, and provides clearer guidance as to the level of transparency which the GDPR requires organisations to comply with.
Any practical tips?