The Article 29 Working Party (WP29) has recently published its final guidance on Transparency under the General Data Protection Regulations (“GDPR”). The final guidance can be found here.
Transparency is one of several overarching obligations under the GDPR, and it is linked to the GDPR principles of accountability and fairness of processing. The GDPR does not offer a definition of Transparency but it does state that it requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand
This guidance was initially published in draft form for consultation on 29 November 2017 and the consultation period ended on 23 January 2018. The final guidance makes only minor amendments on the whole but differs slightly from the original guidance, in particular, it clarifies and covers in greater detail the position regarding transparency in respect of children, naming recipients of the data, international transfers and changes to privacy notices.
As provided by Article 12 of the GDPR, information must be:
- concise, transparent, intelligible and easily accessible;
- in writing or by other means, including electronic means where appropriate;
- in a clear and plain language, especially when providing information to children/minors. No complex, ambivalent or technical sentences should be used (i.e. terms such as “may”, or “some” should be avoided);
- provided orally, where requested by the data subject; and
- provided free of charge.
Organisations should take care to ensure that they fully comply with the transparency obligations where they act as controller prior to 25 May 2018.