The guidelines on Transparency under Regulation 2016/679 provide practical guidance and interpretative assistance from the Article 29 Working Party (WP29) on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation (GDPR).
Transparency is an overarching obligation under the GDPR applying to three central areas:
(1) the provision of information to data subjects related to fair processing;
(2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and
(3) how data controllers facilitate the exercise by data subjects of their rights.
Where data are already processed prior to 25 May 2018, a data controller should ensure that it is compliant with its transparency obligations under the GDPR. Data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements/notices etc.) to ensure that they adhere to the transparency requirements (Whereas 171, GDPR).
Transparency is not defined in the GDPR. The Guidelines aid in the understanding of its content by listing the main elements of transparency under the GDPR. The relevant articles include: Article 12 which sets out the general requirements that information and communication shall have; Articles 13, 14, which describe the provision of information to data subjects; Articles 15 – 22, concerning communications with data subjects on the exercise of their rights; Article 34, relating to communications in case of data breaches.
The Guidelines give practical examples (comparing good and poor practice examples) of how to make the information provided to the data subject:
- is “concise, transparent, intelligible and easily accessible (Article 12.1);
- “clear and plain language” (Article 12.1);
- in writing “or by other means, including where appropriate, by electronic means” (Article 12.1), or – where requested – provided orally (Article 12.1);
- free of charge (Article 12.5).
The Guidelines also discuss the visualization tools useful to implement the principle of transparency such as icons, certification mechanisms, seals and marks.
Exercise of data subjects’ rights. WP29 deals with the controllers obligation to facilitate the exercise of data subjects’ rights under Articles 15 to 22.
More information on the duty to provide information under the GDPR is available here.
Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) are available at http://ec.europa.eu…