It must be transparent to people that their personal data are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
Transparency applies at the following stages of data processing:
- before or at the start of the data processing cycle i.e. when the personal data is being collected either from the data subject or otherwise obtained
- throughout the whole processing period i.e. when communicating with data subjects about their rights
- at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing
The information or communication must comply with the following rules:
- it must be concise, transparent, intelligible and easily accessible
- clear and plain language must be used
- the requirement for clear and plain language is of particular importance when providing information to children
- it must be in writing
- where requested by the data subject it may be provided orally
- it must be provided free of charge
In the case of directly obtained personal data the information must be provided at the time when personal data are obtained. In the case of indirectly obtained personal data the general requirement is that the information must be provided within a “reasonable period” after obtaining the personal data and no later than one month.
With regards the timing of notification of changes to the privacy notice, say, where there is going to be a fundamental change to the nature of the processing or may have an impact on the data subject, then that information should be provided to the data subject well in advance of the change actually taking effect. This is especially important where further processing of the personal data is being planned.
Layered privacy notices
In the digital context, in light of the volume of information which is required to be provided to the data subject, layered privacy notices should be used rather than displaying all the information in a single notice on the screen. In a digital context, aside from providing an online layered privacy notice, data controllers may also choose to use additional transparency tools such as a privacy dashboard or a just-in-time notice.
Other options relevant to specific scenarios include hard copy, person-to-person, audio recordings, icons, certification mechanisms, seals and marks, QR codes, voice alerts, videos incorporated into digital set-up instructions, written information on a smart device, messages sent by SMS or email, visible boards containing the information, public signage, public information campaigns etc.
Information that must be provided to a data subject under Article 13 or Article 14
The identity and contact details of the controller and, where applicable, their representative
This information should allow for easy identification of the controller and preferably allow for different forms of communications with the data controller (e.g. phone number, email, postal address etc.)
Contact details for the data protection officer, where applicable
The purposes and legal basis for the processing
In addition to setting out the purposes of the processing for which the personal data is intended, the relevant legal basis relied upon under Article 6 or Article 9 must be specified.
Where legitimate interests (Article 6.1(f)) is the legal basis for the processing, the legitimate interests pursued by the data controller or a third party
The specific interest in question must be identified for the benefit of the data subject. As a matter of best practice, the data controller should also provide the data subject with the information from the balancing test, which should have been carried out by the data controller to allow reliance on Article 6.1(f) as a lawful basis for processing, in advance of any collection of data subjects’ personal data.
Categories of personal data concerned
This is NOT required where personal data is collected directly from the data subject. This information IS required in the case of indirect collection because the data subject lacks an awareness of which categories of their personal data the data controller has obtained.
Recipients (or categories of recipients) of the personal data
Data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term “recipient” and information on such recipients should be provided in addition to information on third party recipients.
Where a data controller opts only to provide the categories of recipients, e.g. where the recipients’ names are commercial-in-confidence, the data controller must be able to demonstrate why it is fair for it to take this approach. In such circumstances, the information on the categories of recipients should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.
NOTE: In your GDPR compliance management solution, you could change (existing) or create (new) processors or data sharing recipients, using a generic name defined by activity/sector/etc - this will display in the privacy notice template. The actual processor name will/should appear in the signed, uploaded document.
Details of transfers to third countries
The relevant GDPR article permitting the transfer and the corresponding mechanism (e.g. adequacy decision under Article 45 / binding corporate rules under Article 47/ standard data protection clauses under Article 46.2/ derogations and safeguards under Article 49 etc.) should be specified.
The storage period (or if not possible, criteria used to determine that period)
The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/ purposes.
The rights of the data subject
This information should include a summary of what the right involves and how the data subject can take steps to exercise it.
Where processing is based on consent (or explicit consent), the right to withdraw consent at any time
This information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it.
The right to lodge a complaint with a supervisory authority
Whether there is a statutory or contractual requirement to provide the information
For example, in an employment context, it may be a contractual requirement to provide certain information to a current or prospective employer.
The source from which the personal data originate, and if applicable, whether it came from a publicly accessible source
Information should include: the nature of the sources (i.e. publicly/ privately held sources; the types of organisation/ industry/ sector; and where the information was held (EU or non-EU) etc.). The specific source of the data should be provided unless it is not possible to do so.
The existence of automated decision-making including profiling
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018