GDPR and Transparency

Volume 2018 | Issue 15


This FYI considers the new obligation of transparency when processing personal data under the General Data Protection Regulation (GDPR).

Personal data must be processed lawfully, fairly and in a transparent manner.

Transparency is an overarching obligation under the GDPR and applies to:

  • The provision of information to individuals related to fair processing;
  • Data controllers’ communications with individuals in relation to their data protection rights; and
  • How data controllers facilitate the exercise by individuals of their rights.

The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of the processing.

The quality, accessibility and comprehensibility of the information is as important as the actual content.

By 25 May 2018, data controllers should consider, with their advisers, whether all information previously provided to individuals about the processing of their personal data is adequate in relation to transparency and issue new privacy statements or notices accordingly.

Background

Transparency is not a new concept in European law. Because it is intrinsically linked to fairness, it was no surprise that the GDPR introduced it expressly into the data protection requirements of member states.

Whilst the GDPR does not define transparency, it gives some indication of what it expects in the context of data processing. The European Union’s Article 29 Data Protection Working Party (the Article 29 Working Party), which consists of representatives of the data protection authorities of each member state, has now published Guidelines on Transparency.

The GDPR says that to be transparent, information provided to individuals about the processing of their personal data and about their rights must be:

  • Concise, transparent, intelligible and easily accessible;
  • In clear and plain language;
  • In writing or by other means, including where appropriate by electronic means. It may be provided orally where an individual so requests, provided the individual’s identity is proven by other means; and
  • Provided free of charge.

Elements of Transparent Information

Concise, transparent, intelligible and easily accessible

Information should be provided efficiently and succinctly in order to avoid information fatigue.  It must be clearly differentiated from other non-privacy related information, such as contractual provisions.

When providing information, data controllers must consider the intended audience and ensure that it will be understood by the average member of that audience.

As best practice, particularly where the data processing is complex or technical, data controllers are expected not just to provide the prescribed information but also to spell out in unambiguous language the most important consequences of the processing: in other words, what effect the specific processing described in a privacy notice will actually have on the individual concerned.

Individuals should not have to seek out information.  Where information is provided online, individuals should not have to scroll through large amounts of text to search for particular issues.  In such a context data protection information should never be more than two clicks away.

Clear and plain language

Information must be provided in as simple a manner as possible avoiding complex language and sentences. It should not be overly legalistic, technical or use specialist language or terminology.  Extra care needs to be taken where the audience includes children.  It should not leave room for different interpretations.  The legal basis for the processing must be clear.

In writing or by other means

The default position is that data controllers should give information to individuals in writing. However, the GDPR allows other, unspecified means to be used where appropriate to the particular circumstances. Information may be provided orally only if the individual so requests. The person giving the information orally must, of course, verify the identity of the individual before providing it; no such identity check is required where the information is restricted to general privacy information that is not specific to the individual.

Free of charge

Data controllers cannot charge individuals for the provision of information under the GDPR.  Thus, for example, the provision of such information cannot be made conditional on the payment for, or purchase of, services or goods.

Information to be Provided

Content

The GDPR prescribes the information that must be provided to individuals in relation to the processing of personal data.  It does not prescribe the format for providing that information, and it is thus left to data controllers to select an appropriate method of communication.  Data controllers should remember that transparency applies not just at the point of collection but throughout the processing life cycle.  Thus data controllers cannot assume that just because they have issued a GDPR compliant privacy notice at some point in the past, all future processing is compliant.

Timing

When personal information is collected from the individual concerned, the information required by the GDPR must be provided to the individual at the time the data are obtained, for example, at the point they complete an online form.

Where personal information has been obtained from a third party rather than from the individual, the data controller must provide the individual with the prescribed information at the earliest of:

  • A reasonable period after obtaining the data, and in any event no later than one month from doing so;
  • The date of the first communication with the individual, where the data are used to communicate with them; or
  • The date the personal data are first disclosed to another recipient (whether a third party or not), where such disclosure is envisaged.

Digital communications

Where data controllers are communicating with individuals digitally, the Article 29 Working Party recommends using layered privacy notices linked to various categories of information, rather than displaying all such information on one screen.  This is in order to avoid information fatigue.

Information relating to further processing

The processing of personal information for a purpose which is incompatible with the purpose for which it was originally obtained is prohibited. However, there will be occasions when further processing of the data is compatible with the purpose for which the data was originally obtained.  In such cases the individual should not be taken by surprise at the purpose of the processing.

Where a data controller intends to further process personal data of an individual for a compatible purpose, the individual must be informed under the transparency principle.  This gives individuals the opportunity to judge for themselves whether the processing is compatible and to decide whether they wish to exercise their rights, for example to restrict or object to the further processing.

The GDPR requires this notification to take place prior to the further processing.  The Article 29 Working Party elaborates on this and says there should be a reasonable period between the notification and the further processing commencing.  What is reasonable depends on the circumstances.  The more intrusive the processing the longer the period should be.

Exceptions

There are limited circumstances in which a data controller processing personal data does not have to inform the individual. One such exception applies where the information was not obtained directly from the individual and providing the information to the individual is impossible or would involve disproportionate effort. The burden is on the data controller to demonstrate that the exception applies. The exception cannot be relied on routinely by data controllers and will be interpreted and applied narrowly.

Processing and disclosure required by law, for example responding to statutory requests from HMRC or the prosecuting authorities concerning potential offences, is also an exception.

Comment

When the GDPR comes into effect on 25 May 2018, data controllers are expected to be compliant with it. The express obligation of transparency concerning the processing of personal data is a new requirement, and existing communications are unlikely to prove sufficient. Data controllers thus have just over two months to revisit all information they provide to individuals and ensure that it adheres to the requirements in relation to transparency.