How to meet the GDPR’s transparency requirements

The Article 29 Working Party (WP29) has released guidance to help organisations comply with the transparency requirements of the EU General Data Protection Regulation (GDPR). 

The WP29 is an advisory body comprising representatives from each EU member state, and has produced numerous reports and advice on the GDPR. 

Transparency is an overarching obligation under the Regulation, applying to the way organisations: 

  • Inform individuals about what personal data they collect and why; 
  • Tell individuals how they can exercise their data subject rights; and 
  • Comply with data subject rights. 

Although the term ‘transparency’ isn’t defined in the GDPR, Recital 39 provides some clarity, explaining that individuals should know “[what] personal data concerning them [is] collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed”. 


This information should be provided in a privacy policy. Article 12 of the Regulation outlines the rules for creating privacy policies, stating that they must be: 

  • Concise, transparent, intelligible and easily accessible. Organisations should present the information in as few words as possible; each policy should be presented separately, and the privacy section as a whole must be clearly differentiated from other, non-privacy-related information.
  • Clear and written in plain language. The policy must definitively state what the organisation intends to do with the information (avoiding vague terms such as ‘may’, ‘some’ and ‘possibly’). It must also be written in a way that an average member of the intended audience will understand. Organisations should make special provisions if they expect to provide information to children or vulnerable people.
  • In writing. Although non-written means are permitted (videos, voice alerts, cartoons and infographics will be helpful – particularly for children or vulnerable people), privacy policies must always be available to read in a single, written document.
  • Available orally upon request. Organisations should have a recorded version of the policy (or someone available to read it aloud) if the need arises. 

The WP29 guidance also notes that individuals should be able to determine the scope and consequences of data processing. Organisations must be clear about how the processing described in the privacy policy will affect the data subject. 

It adds that the GDPR’s transparency requirements apply irrespective of the legal basis for processing and throughout the lifecycle of processing.