Article 29 Working Party Published Guidelines on Transparency under the GDPR
On December 12, 2017, the Article 29 Working Party (“Working Party”) published its guidelines on transparency under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance and clarification on the transparency obligations introduced by the EU General Data Protection Regulation (“GDPR”). The transparency obligations require controllers to provide certain information to data subjects regarding the processing of their personal data. Key takeaways from the Guidelines include:
- “Concise, transparent, intelligible and easily accessible” information notices: In order to be compliant, the information provided to data subjects regarding the processing of their personal data must be clearly distinguished from other information. This means controllers that attempt to hide processing information in the middle of wider terms and conditions will be in breach of the GDPR. The Working Party recommends processing information be provided in a “layered” structure that allows data subjects to navigate easily through the information. The Guidelines suggest that the first layer provide a clear overview of the processing and indicate where data subjects can find more detailed information, as well as information on the processing that has the greatest impact on data subjects and processing that may come as a surprise to them. It is further recommended that a hyperlink to the privacy policy be provided at the point of data collection.
- “Clear and plain language” must be used: Information should be provided in a manner that is easy to understand and avoids complex sentences and language structures. Language must also be unambiguous, and avoid abstract terminology or equivocal language (e.g., conditional tenses and qualifying terms, such as “may,” “might” or “some”). In particular, where information is provided to children or other vulnerable people, the vocabulary, style and tone of the language must be adapted appropriately.
- Information must be “in writing or by other means”: Where a controller maintains a website, the Working Party recommends using electronically layered privacy notices. Other electronic means can be used to provide information to data subjects, including “just-in-time” contextual pop-up notices, 3D touch or “hover-over” notices and privacy dashboards. The chosen method must be appropriate for the circumstances.
- Information “may be provided orally”: Controllers may provide information orally if the identity of the data subject is clear. This does not apply to the provision of general privacy information to prospective customers or users whose identity cannot currently be verified. Oral information may be provided on a person-by-person basis or by automated means. Where automated means are adopted, the Working Party recommends the implementation of measures that allow data subjects to re-listen to the information, for example, through pre-recorded messages that can be replayed. In this context, controllers must maintain records and be able to demonstrate that (1) the data subject requested that the information be provided orally, (2) where necessary, the identity of the data subject was verified, and (3) the information was in fact provided to the data subject.
- Information must be provided free of charge: Controllers are prohibited from charging fees for the provision of processing information to data subjects. The provision of information also cannot be made conditional upon entry into a financial transaction.
- Content of the notice: With respect to the content of information to be provided to data subjects, the Guidelines refer to Articles 13 and 14 of the GDPR and the Annex to the Guidelines, which list the categories of information that must be included in the notices. The Working Party also clarifies that all categories of information to be provided pursuant to Articles 13 and 14 of the GDPR are of equal importance. The Working Party recommends that controllers provide data subjects with an overview of the consequences of the processing as it affects them, in addition to the information prescribed by the Articles.
- Changes to the notice: The Guidelines emphasize that the transparency requirements apply throughout the entire lifecycle of the processing. Any subsequent changes to a privacy notice must be communicated to data subjects. In this respect, the Guidelines recommend controllers explain to data subjects any likely impact that the changes may have on them. Where processing occurs on an ongoing basis, controllers are recommended to inform and periodically remind data subjects of the scope of the data processing.
- Timing: Information must be provided to data subjects at the commencement phase of the processing cycle when personal data is obtained and, in the case of personal data that is obtained indirectly, within a reasonable period (and no later than one month) following the receipt of the personal data. Where personal data is obtained indirectly and is to be used for communications with data subjects, information must be provided, at the latest, at the time of the first communication, but in any event within one month of receipt.
- Exceptions to the obligation to provide information: The Guidelines explain that exceptions to the obligation to provide information to data subjects about the processing of their personal data must be interpreted and applied narrowly. In addition, they stress the importance of accountability for controllers. Where controllers seek to rely on exceptions, then as a general rule they must be able to demonstrate the circumstances or reasons that justify reliance on those exceptions (e.g., demonstrate the reasons why providing the information would prove impossible or involve disproportionate effort).