The Article 29 Working Party Issues Revised Guidelines on Transparency
Transparency is one of the pillar principles of privacy and data protection. When individuals easily understand how their personal data are processed, used and shared, they become empowered to make informed decisions about their personal data, allowing them to exercise control over them. By the same token, organizations can create user trust and are made accountable.
Two main articles in the GDPR (Articles 13 and 14) detail all the information that must be provided to individuals at the time their personal data are being collected, or shortly after when the personal data have not been obtained from the data subject directly. Personal data are collected in many different ways – phone, paper, person-to-person, app, IoT, electronically when paying at a store, browsing the internet, online purchasing, etc. – which raises the difficult question of how organizations should convey this information to individuals in a way that truly allows them to see it and understand it.
To shed light on this issue, the Article 29 Working Party (WP29) published guidelines on transparency in November of 2017, which we summarized here. The revised version came out this week and the main changes are detailed below.
The WP29 emphasizes in its introduction that these transparency guidelines are of general application and therefore do not address the specificities of particular sectors or industries. Organizations should review them to understand, at a high level, the interpretation of what the transparency obligations entail in practice, and the approach the WP29 has determined controllers should take to being transparent while embedding fairness and accountability into their transparency measures.
Changes to Existing Privacy Notice
Almost all organizations subject to the GDPR will need to revise their privacy notice to comply with the new information requirements of the Regulation. At a minimum, data subjects should be made aware of such changes and the updated privacy notice should be made public (e.g. on the controller’s website).
If the changes to the privacy notice are substantial, controllers will be responsible for actively bringing the revised notice to the attention of data subjects (e.g. by email, hard copy letter, pop-up on a webpage, or any other modality that effectively brings the changes to the attention of the data subject).
The WP29 further states that changes to a privacy statement/notice that should always be communicated to data subjects include, inter alia, a change in processing purpose; a change to the identity of the controller; or a change as to how data subjects can exercise their rights in relation to the processing. Conversely, examples of changes to a privacy statement/notice that the WP29 does not consider substantive or material include corrections of misspellings or of stylistic/grammatical flaws.
Using Clear and Plain Language
Privacy notices must use “clear and plain language,” which means that they should not contain legal or technical jargon. After providing, in the first version, some practical examples of poor practices that do not satisfy the clarity requirement, the WP29 now also offers examples of good practices illustrating the level of detail that is expected when describing the purposes of processing activities.
Good Practice Examples
- “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in”
  - It is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products, and that their data will be used to enable this.
- “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive”
  - It is clear what type of data will be processed and the type of analysis which the controller is going to undertake.
- “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read”
  - It is clear what the personalization entails and how the interests attributed to the data subject have been identified.
If controllers still choose to use indefinite language, they need to be able to demonstrate why such language could not be avoided and how it does not undermine the fairness of processing.
Information to Provide to Children
As a general matter, controllers must take into account their known audience (people with disabilities, children, etc.) when drafting their privacy notice.
The WP29 emphasizes the fact that the right of information applies to children even though consent is given by the holder of parental responsibility.
Therefore, where data controllers target children, or are aware that their goods or services are particularly utilized by children of a literate age, they have an obligation to ensure that any information and communication is conveyed in clear and plain language or in a medium that children can easily understand. That said, the WP29 recognizes that with very young or pre-literate children, transparency measures may also be addressed to the holders of parental responsibility.
Layered Approach in a Non-Digital Environment
After recommending the use of a layered approach in the digital context in its first version, the WP29 added an explanation that the layered approach can also be used in a non-digital environment. For example, a data subject can be informed during a phone call of the most important information, namely the details of the purposes of processing, the identity of the controller and the existence of the rights of the data subject, as well as the information that would have the greatest impact on the data subject, or any processing which could surprise the data subject.
Schedule of Information That Must be Provided to Data Subjects
The guidelines include a schedule of the information that must be provided to data subjects along with the corresponding article and WP29 comments for each requirement. Some of the comments were developed in the revised version, notably with regard to the purposes and legal basis for processing, and the use of legitimate interest as a legal basis.
The Guidelines’ Paradox
The WP29 recognizes the inherent tension between, on the one hand, the requirement to provide comprehensive information to data subjects and, on the other hand, the requirement to do so in a form that is concise, transparent, intelligible and easily accessible. It recommends that controllers undertake their own analysis of the nature, circumstances, scope and context of the processing of personal data which they carry out and decide, based on the GDPR requirements and the guidelines, how to prioritize the information which must be provided to data subjects and what the appropriate levels of detail and methods for conveying that information are.
How OneTrust Helps
Check out our newly released GDPR Privacy Notice Checklist questionnaire, available in the OneTrust template gallery. This questionnaire is designed to assist with analyzing your privacy notice to ensure that it meets GDPR requirements. It can easily be linked to a processing activity in the Processing Activities Inventory. For more information, or to schedule a demo of this and other GDPR solutions by OneTrust, email [email protected].