Many controllers use templates – but to ensure that individuals receive the most accurate information, transparency and privacy notices should be produced from the inventory or processing records.
This is because the content should always reflect the underlying processing of individuals’ personal data. Enforcement action is frequently taken where transparency notices are unclear, overly complex, or incomplete.
Best practice
The GDPR lawfulness principle requires processing to be lawful, fair, and transparent. Controllers, generally, should have captured the content for their notices in their inventory/records of processing – and through their gap-analysis of high-risk activities. These records should be used to produce most of the required documentation for GDPR compliance.
For processing to be lawful, at least one of the six legal bases in article 6 must be met, and where the data is ‘special category’, one of the ten additional requirements of article 9 must be met.
It should be noted that processing must also be fair and transparent (meaning that individuals must be provided with certain information on the collecting of data). These information requirements are contained in articles 12 to 14 of the GDPR.
Accurate information on the actual processing carried out should be communicated in what is commonly called a ‘privacy notice’ (but readers should note that the GDPR does not mention the word ‘privacy’, and the DPC uses the term ‘data-protection notice’ in decisions). Where the transparency information is directed at children, the content should be understandable by a child.
Overly complex
A large number of fines and sanctions on controllers were levied for using either overly complex notices, or notices deemed to be insufficiently granular, inaccurate, or incomplete. It seems to me, on an analysis of decisions, that a lack of transparency is the single-most prevalent reason cited by DPAs in reaching decisions of infringement.
However, it has not yet been tested in court as to the controller’s liability, for example, when a notice is misleading or inaccurate, and which causes damage when relied upon.
The WP29 group (in its Data Protection by Design and by Default paper) says that ‘fairness’ requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected, or misleading to individuals.
Measures and safeguards implementing the principle include the right to information (transparency); the right to intervene (access, erasure, data portability, rectification); and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination).
Effectively, the processing must be done in ways that individuals would reasonably expect at the time of data collection, and the personal data should not be used in ways that have not been communicated, or that have unjustified adverse effects on the exercise of their rights and freedoms.
Direct and indirect data collection
There are different requirements when the data is collected directly or indirectly from the individuals. Therefore, the notice(s) should state whether the data comes directly or indirectly from an individual. These notices, when they concern external matters, should be communicated directly to individuals when data is collected or otherwise processed.
They are most commonly included on a website, or through either a link or attachment in an email. For internal matters, the notices can be made available, for example, on corporate intranets or on a shared drive to which all affected employees are given access. At a minimum, a notice should provide (in an easily accessible form, using clear and plain language) the following:
- The data controller’s identity and contact details,
- The data protection officer’s contact details, where applicable,
- The purpose(s) of processing,
- The legal basis for processing,
- The legitimate interest of the controller or a third party, where it is the legal basis for the processing,
- The recipients or categories of recipients, and
- Details of any third-country transfers, and the method of transfer.
To meet the requirements of fairness and transparency, the following additional information should be provided:
- The data-storage period, or the criteria used to determine the period,
- The individual’s rights, including access, rectification/correction, erasure, restriction, objection, details of the automated processing and its logic, and data portability,
- Where processing is based on consent, the right to withdraw consent at any time,
- Details of the right to make a complaint to a supervisory authority,
- Whether the data controller uses automated decision-making (including profiling), information about the logic involved, and the consequences for the individual.
Under article 14, more details on the actual personal data processed must be given to individuals. Where the data was collected directly, the individual should have this information already.
Transparency significance
Transparency is particularly important, since if an individual has not been provided with the information, they will not be able to effectively exercise their rights. Individuals must be able to understand who holds data about them, what this data is, and how it will be used; as well as what their rights are, and how they can challenge their data being processed.
Under article 12(1) of the GDPR, the way of communicating with individuals must be “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed to a child”.
If the information does not come directly from the data subject, three additional pieces of information need to be provided under article 14 within a reasonable period – but at the very latest within one month.
Shorter periods apply in two scenarios listed in article 14(3) where, essentially, the notice needs to be provided before communicating with the individual, or where it is intended to disclose the information to other recipients.
There are some different information requirements to that required under article 13, including the details of the categories of personal data held, its source, and whether it is publicly accessible.
WhatsApp lessons
There are also some lessons we can take from the initial decisions of the Irish DPC in the WhatsApp decision (binding decision 1/2021, adopted 28 July 2021). Although the matter is currently under appeal and thus not final, this decision had input from all the supervisory authorities and represents the collective thinking and best practice for drafting such notices.
On 2 September 2021, the DPC announced its decision to fine WhatsApp €225 million – the second-largest fine to date under the GDPR. The DPC found that there was a failure to provide the required information to WhatsApp users and non-user contacts of WhatsApp, as required by article 13 and article 14 respectively.
The non-users personal data was processed in order to show users whom from among their contacts were also WhatsApp users. However, WhatsApp had not made available this information in an easily accessible form, as required by article 12 – this resulted in a failure to comply with the principle in article 5(1)(a).
Ramifications
The DPC relied heavily on the European Data Protection Board’s Transparency Guidelines. Controllers should note the following points that emerged from the decision in reviewing their notices for clarity:
- The information should allow for easy identification of the controller, and preferably allow for different forms of communications with the controller (for example, phone number, email, postal address, etc),
- Individuals should be able to understand how their data is used for each purpose,
- The DPC noted several times that individuals should not have to work hard to access the required information, and individuals should not be left wondering whether they have exhausted all available sources of information – they should not have to try to reconcile discrepancies between various pieces of information laid out in different locations,
- Notices should be kept separate from contractual terms and conditions,
- Controllers should avoid an abundance of text that communicates very little – so avoid long but uninformative notices,
- The relevant legal basis relied upon must be specified and must be linked to the actual processing operation,
- Where the legal basis is a legal obligation, the member state or EU law should be referenced,
- The specific legitimate interest in question must be identified, which benefits individuals.
Best practice requires that controllers should also provide individuals with the information from the ‘balancing test’, which should have been carried out by the controller when relying on article 6(1)(f) as the lawful basis for processing, before collecting the individual’s personal data.
This is essential for effective transparency where individuals have doubts as to whether the balancing test has been carried out fairly, or they wish to file a complaint with the DPC. (For more on the balancing test, readers should refer to the DPC’s December 2019 guidance note, ‘Legal Bases for Processing Personal Data’. Briefly, controllers need to undertake a balancing exercise when assessing whether the processing of personal data should take place under article 6(1)(f) GDPR. This exercise should, as noted in recital 47 GDPR, take into consideration the ‘reasonable expectations’ of data subjects, in the context of their relationship with the controller.)
In accordance with the principle of fairness, controllers must provide information on the recipients of the information that will be most meaningful for individuals. In practice, this will generally be the named recipients, so that individuals know exactly who has their personal data.
If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient, and reference the activities carried out, the industry, sector and sub-sector, and the location of the recipients.
In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to individuals. The DPC has said that this will generally mean that the third countries should be named.
The storage period or criteria to determine retention may be prescribed by factors such as statutory requirements or industry guidelines, but should be stated in a way that allows individuals to assess, on the basis of their own situation, what the retention period will be for the specific data and purpose(s).
The specific source of the data when collected under article 14 should be provided, unless it is not possible to do so.
If the specific source is not named, then the information provided should include the nature of the sources, whether publicly or privately held, and the types of organisation/industry/sector.
Look it up
CASES:
- Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish supervisory authority regarding WhatsApp Ireland under article 65(1)(a) GDPR (adopted 28 July 2021)
LEGISLATION:
LITERATURE:
Read and print a PDF of this article here.