How does the WP29 interpret the transparency principle in the context of the providing of information?

Personal data must be processed in a transparent manner. In the context of this transparency principle, the information obligation is considerably reinforced, and more attention is paid to the way in which information must be provided. The Article 29 Working Party (“WP29”), an advisory and consultation body of the European data protection supervisors, published its final advice on 11 April 2018, in which the notion of “transparency” is discussed.

The GDPR extends the information obligation of companies regarding the processing of the personal data of all categories of persons whose data are processed. In addition to the information that must be provided at present, the company will also have to provide the legal ground, whether it intends to transfer data outside the European Union, the period for which the data will be stored, the right to lodge a complaint with the Belgian supervisory authority, the right to withdraw consent, the identity of the “Data Protection Officer”, etc. In the context of the transparency principle, this more extensive information has to be provided in an intelligible and easily accessible form, using clear and plain language.

In its provisional opinion, the WP29 gave a first interpretation of the obligations of a company relating to the transparency principle. In its final opinion of 11 April 2018, the WP29 gives its final position on this matter. The key elements of this recommendation are set out below.

How must the information be provided?

The WP29 emphasises in its advice that the notification must be as transparent as possible, taking into account the form, the language and the accessibility:

  • Form? The WP29 recommends a written notification. The data controller should determine the actual form, taking into account all of the circumstances of each particular case.
  • Language? The requirement for clear, plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. The WP29 gives a few examples of “do’s” and “don’ts”.
  • Accessible? The “easily accessible” element means that the data subject should not have to seek out the information; the WP29 recommends that the data controller ensure that it is immediately apparent where this information can be accessed, for example by providing it directly to the data subject, by linking the data subject to it or by clearly signposting it.

The WP29 recommends the use of layered privacy statements/notices, especially in a digital context. Every organisation that maintains a website should publish a privacy statement/notice on its website. Such a layered privacy statement/notice should allow the data subject to find the relevant privacy statement/notice or, when the information is given electronically, to click through to the relevant privacy statement/notice. The first layer of the privacy statement/notice (the first thing that is brought to one’s attention) should contain the details of the purposes of the processing, the identity of the controller, a description of the rights of the data subjects and, where appropriate, the information that would have the biggest impact on the data subject. Such layered privacy statements/notices can also cover occasional processing activities (e.g. the processing of contact details of customers or suppliers). Similar principles apply if the information is delivered orally.

How detailed should the notification be?

The WP29 goes on to interpret the extended information obligation of the company towards the data subjects whose data is being processed.

In particular, according to the Working Party, the information that needs to be given under the GDPR should be made concrete as follows:

Required information type: The identity and contact details of the company and, where applicable, its representative.
Advice of the WP29: This information should allow for easy identification of the company and preferably allow for different forms of communication (e.g. phone number, e‑mail, postal address, etc.).

Required information type: Contact details for the data protection officer, where applicable.
Advice of the WP29: The Working Party refers to its previous Guidelines on Data Protection Officers.

Required information type: The purposes and legal basis for the processing.
Advice of the WP29: The purposes of the processing for which the personal data are intended, as well as the relevant legal basis, must be specified. Special categories of personal data that will be processed must also be specified.

Required information type: Legitimate interests of the company or of a third party, if this is the basis of the processing.
Advice of the WP29: The legitimate interest must be identified.
The GDPR states that legitimate interest can only be invoked if the right to privacy and the fundamental rights of the data subject are not outweighed.
In other words, there must be a balancing test between the privacy right of the data subject and the legitimate interest that is invoked.
As a matter of best practice, the company should also provide the data subject with the information from the balancing test, or at least ensure that the data subject can receive this information on demand.
In this way, there would be no doubt about the fact that a balancing test was conducted; this could prove essential for data subjects who wish to lodge a complaint with the Data Protection Authority.
The WP29 reverts to its previous position of November 2017, in which it stated that providing information concerning the balancing test was obligatory.

Required information type: Categories of personal data concerned.
Advice of the WP29: As reflected in the GDPR, the WP29 confirms that this information is only required if the personal data have not been obtained from the data subject himself.

Required information type: Recipients (or categories of recipients) of the personal data.
Advice of the WP29: The Working Group emphasises that the recipient does not have to be a third party.
It further states that the recipients should be described in detail.
The information must be “meaningful” for the data subject, which means that the recipients should be addressed by their names so that the data subject knows who has his data in his possession.
Where a data controller opts only to provide the categories of recipients, the information on the categories of recipients should be as specific as possible.

Required information type: The intention of the company to transfer data to third countries, the details of the relevant safeguards (including the existence or absence of a Commission adequacy decision) and the means to obtain a copy of them or where they have been made available.
Advice of the WP29: The information about transfers to third countries must also be “meaningful”, according to the WP29, which means that it should explicitly mention all third countries to which the data will be transferred.
The Working Group refines its opinion of November 2017, in which it stated that it was obligatory that third countries be listed.
The relevant GDPR article permitting the transfer and the corresponding mechanism should be specified. Where possible, a link to the mechanism used or information on where and how the relevant document may be accessed or obtained should also be provided.

Required information type: The storage period (or, if this is not possible, the criteria used to determine that period).
Advice of the WP29: The information should be phrased in a way that allows the data subject to assess what the retention period will be for specific data/purposes. It is not sufficient to state that personal data will be kept as long as necessary. This opinion of the WP29 goes against the previous opinion of the Belgian Privacy Commission.

Required information type: The rights of the data subject to access, rectification, erasure, restriction of processing, objection to processing and portability.
Advice of the WP29: This information should include a summary of what the right involves and how the data subject can take steps to exercise it. In particular, the right to object to processing must be explicitly brought to the data subject’s attention at the latest at the time of the first communication with the data subject and must be presented clearly and separately from any other information.

Required information type: Where processing is based on consent (or explicit consent), the right to withdraw consent at any time.
Advice of the WP29: This information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it.

Required information type: The right to lodge a complaint with a supervisory authority.
Advice of the WP29: This information should explain that, if a data subject believes that his privacy rights under the GDPR have been violated, he has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his habitual residence, place of work or of an alleged infringement of the GDPR (in Belgium, the Data Protection Authority, the new name of the Privacy Commission).

Required information type: Whether there is a statutory or contractual requirement to provide the information, whether it is necessary in order to enter into a contract, whether there is an obligation to provide the information, and the possible consequences of failure to do so.
Advice of the WP29: This information is only required if the personal data have been obtained from the data subject.
For example, in an employment context, it may be a contractual requirement to provide certain information to a current or prospective employer. Online forms should clearly identify which fields are “required”, which are not, and what the consequences of not filling in the required fields will be.

Required information type: The source from which the personal data originate and, if applicable, whether they came from a publicly accessible source.
Advice of the WP29: This information is only required if the personal data have not been obtained from the data subject.
The specific source of the data should be provided unless it is not possible to do so, or a certain sort of information needs to be given.

Required information type: The existence of automated decision-making.
Advice of the WP29: The Working Group refers to its previous Guidelines on automated individual decision-making and profiling.

The question arises as to how detailed the notification needs to be. The WP29 states that there is a tension between the obligation to provide extended information to the data subjects on the one hand and the requirement to do so in a brief, transparent, understandable and easily accessible way on the other hand. The Working Group specifies that the data controller needs to analyse the nature, the circumstances, the scope and the context of the processed data. On this basis, the company can decide how detailed the information to be given needs to be, which information is given priority, and also the way in which the information needs to be given, subject to the legal provisions of the GDPR and the recommendations of the WP29. The level of detail of the information is therefore, to a certain extent, based on a risk analysis by the company.

Other points of attention.

The WP29 also draws attention to the following points:

  • Changes to the notification: if the notification given to the data subjects is to be changed, the WP29 states that these changes need to be communicated by the company, especially when these changes are substantial or material. At a minimum, this information should be publicly accessible. The potential impact of these changes should also be clearly stated. In the case of a fundamental or relevant change, this should be announced in advance, according to the Working Group. The period of time between the notification and the time of the change must be justified.
  • Processing for another purpose: the Working Group further states which information should be given when the data controller wants to process the personal data for a purpose other than the one for which the data were provided, and within which period of time this needs to be done.
  • Exceptions to the obligatory notification: finally, the WP29 examines cases where no notification is required (in particular when the data subject already possesses the information or, when the data are not obtained from the data subject, when it is impossible to provide the information or it would require a disproportionate effort, when obtaining the information is legally prescribed, or when the personal data must remain confidential). The WP29 explains with a few examples and best practices how it interprets these exceptions, showing that it takes a restrictive interpretation of them.