The WP29 is an advisory body comprising representatives from each EU member state, and has produced numerous reports and advice on the GDPR.
Transparency is an overarching obligation under the Regulation, applying to the way organisations:
- Inform individuals about what personal data they collect and why;
- Tell individuals how they can exercise their data subject rights; and
- Comply with data subject rights.
Although the term ‘transparency’ isn’t defined in the GDPR, Recital 39 provides some clarity, explaining that individuals should know “[what] personal data concerning them [is] collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed”.
- Concise, transparent, intelligible and easily accessible. Organisations should present the information in as few words as possible; each policy should be presented separately, and the whole section must be clearly differentiated from other non-privacy-related information.
- Clear and written in plain language. The policy must definitively state what the organisation intends to do with the information (avoiding vague terms such as ‘may’, ‘some’ and ‘possibly’). It must also be written in a way that an average member of the intended audience will understand. Organisations should make special provisions if they expect to provide information to children or vulnerable people.
- In writing. Although non-written means are permitted (videos, voice alerts, cartoons and infographics will be helpful – particularly for children or vulnerable people), privacy policies must always be available to read in a single, written document.
- Available orally upon request. Organisations should have a recorded version of the policy (or someone available to read it aloud) if the need arises.
It adds that the GDPR’s transparency requirements apply irrespective of the legal basis for processing and throughout the lifecycle of processing.