GDPR Transparency Requirements
Transparency is an overarching obligation under the GDPR that must be considered in communications with data subjects about their rights, how to exercise them, and the provision of information about the processing of their data. If an organization is not transparent with data subjects, then it may not lawfully process their data.
Because the transparency requirement is integral to the rights provided to EU citizens by the GDPR, it can be found interwoven in the contents of several GDPR Articles and Recitals. A few of the key sections involve the information about consent, data subject access requests, obtaining personal data and data breach notifications.
Highlights of the Key Transparency Sections of the GDPR:
Article 5 – Principles Relating to Processing of Personal Data
“Personal data shall be … processed … in a transparent manner in relation to the data subject.”
Article 7 – Consent
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear plain language.”
Article 12 – Transparency
“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear plain language, in particular for any information addressed specifically to a child.”
The controller must provide certain information to the data subject, including:
– identity and contact details;
– contact details of data protection officer (or outsourced DPO), if applicable;
– purposes of the processing intended and the legal basis;
– recipients or categories of recipients of the personal data;
– intention to transfer to certain other countries;
– period of data retention;
– information about data subject access rights;
– whether the data subject is required to provide the data, and the consequences of not providing it;
– if the data will be used in certain automated decision-making;
– if using consent, the right to withdraw consent;
– if the information originates from another source, which source or if it came from publicly accessible sources; and
– the right to complain to a supervisory authority.
If the personal data are collected from the data subject, this information is provided at the time of collection. If the personal data are obtained from another source, it is provided at the time of the first communication with the data subject or with another recipient of the information, or within a reasonable period after obtaining the personal data, but at the latest within one month.
Article 15 – Right of Access by the Data Subject
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information …”
Article 34 – Communication of a Personal Data Breach to the Data Subject
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
Recital 39 – Principles of Data Processing
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. … That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.”
Recital 58 – The Principle of Transparency
“The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.”
Recital 60 – Information Obligation
“The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.”
Article 24 – Responsibility of the Controller (Accountability)
“… the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
How is Transparency Achieved?
The GDPR implicitly recognizes that many individuals skip over long legal notices, so such notices frequently fail to give effective notice of their contents. Instead, it favors clear, concise notices that provide specific, relevant information, including the identity and contact details of the controller, the purposes of the processing, the recipients or categories of recipients of the data, the details of data transfers outside the EU, the retention period for the data, and the individual’s right of access and other rights in relation to the data.
The best privacy statements are those that are easy to comprehend and deliver useful facts in plain English (or the language of choice, but never legalese). Yet, for many organizations, new business models or products require ever more complex treatments of data that are difficult to describe. Moreover, the GDPR and other regulations mandate detailed disclosures with specific requirements to communicate a myriad of information to consumers. Balancing these sometimes-competing demands forces organizations to craft very long, complex privacy statements that are too legalistic, too difficult for the average consumer, and too cumbersome to update and keep current as business needs change. The end result is consumer frustration and diminished trust. Even worse, consumer confusion often leads to reduced interaction and to regulatory or legal risk, both of which have a significant negative impact on business growth.
The GDPR also requires that controllers facilitate the exercise of data subject rights by providing information in response to data subject access requests. One way to do so is with a DSAR portal. The GDPR prohibits controllers from refusing access to data subjects exercising their rights unless the controller cannot identify the data subject. Information provided in response to a data subject’s request must be furnished, for the most part, without undue delay and free of charge.
A great system for transparency should also be built into the organization’s consent management software.