The principle of transparency in the GDPR lays the foundation for a business’ communication with data subjects. The principle steers both which information you must provide as well as how you must provide it. The main goal of the principle is to enable the subject to easily understand what they are consenting to and to understand their rights. Reading time: 5 minutes.
Transparency – a core principle
Transparency is a core principle in the GDPR, and it affects several essential areas. It mainly affects how businesses interact with subjects and gives them a right to information. The information that you give to the subject must:
- be intelligible and easily accessible,
- use clear language,
- be provided free of charge,
- be provided in written form or by other means,
- contain all relevant information, and
- be provided by an appropriate measure and at an appropriate time.
You must also:
- disclose relevant changes and further processing, and
- inform the subject about their rights.
There are also exceptions, which are when:
- the subject already has the information,
- it would be impossible, be a disproportionate effort or impair the purpose of processing,
- the law mandates processing, or
- there exists an obligation of secrecy.
Intelligible and easily accessible
The way you express information must be transparent and easy to digest. “Hiding” it in long swaths of text or mixing it with other information is not acceptable. It should be easy for the subject to find the relevant information. Layered notices, pop-ups or chatbots are good examples of accessibility and transparency.
Transparent and clear language
The language that you use has to be clear and simple. The EU has provided guidelines on how to write clearly. Whether the information is in written form or some other form, the rule still applies.
Avoiding complex sentences and abstract or unclear terms is important. You should also avoid overly technical, legalistic or specialist terms.
The information has to be intelligible for the intended reader. This is especially important if it is a child or a particularly vulnerable individual. A practical example is the child-friendly version of the UN Convention on the Rights of the Child.
The goal with clear language in the context of transparency is to make sure that the subject understands why the information is being processed.
“We may use your personal data to personalise your experience.”
This is bad, because the subject doesn’t get information about what data you use nor what for.
“We will keep your shopping history, products you have viewed and use details of these products. We use this information to make suggestions to you for other products which we think will be of interest to you.”
This is better. The subject understands what types of data you will process. They also understand that they will be subject to targeted advertisements for products and that you will use their data for this purpose.
Free of charge
In order to be transparent, you must provide the information free of charge. You cannot make the information dependent on a payment or the purchase of a product or service.
Written or by other means
You must provide the information either in written form or in another form. For example, you can provide it in an audiovisual way for the vision-impaired. If requested, you must provide it orally. If you provide the information contextually, you must also gather it in a single place for ease of access.
Relevant information for transparency
Which information you have to provide depends on the legal basis for processing the personal data. Some types of information are generally relevant. Answers to these questions are a good start to being transparent.
- Who is the controller (and, if applicable, their representative)? How do you contact them?
- Which categories of data do you collect, and why?
- Who is the recipient of the data?
- Will you transfer the data to third countries? What are the safeguards?
- For how long do you store the data?
- What rights does the subject have?
- What is the source of the data?
- Is there any use of automated decision-making? What logic does it use? What consequences are there for the subject?
All this information has the same status and is of the same level of importance. For more on the information the data subject has a right to, see this article on the Individual's Right to Information.
Appropriate measures, appropriate time
You must provide the information with appropriate measures. The principle of transparency in the GDPR doesn’t determine the exact measure. Several factors determine whether a measure is appropriate; the user experience, which device is being used and other similar factors are especially important. If you use icons to convey the relevant information to the subject, they should be standardised and must not be a substitute for other forms of information.
If you collect the data directly from the subject, you must give the information when you collect it. If you collect it from another source, you must still give the information to the subject. In that case, the rule is to provide the information within a reasonable time. This can never be longer than a month. The principle of fairness is also relevant here. In this case, it means that you have to meet the subject's reasonable expectations.
Relevant changes and further processing
When relevant changes are made, the subjects need to be informed. What is a relevant change? Examples are changes in privacy policies, a change of controller or a change of processing purpose. Not included are corrections of typos and similar, purely “cosmetic” changes.
As with the regular information, you must provide the information within a reasonable time. The more substantial a change is, the faster you must provide the information.
If you plan to process the data further, the same transparency requirements apply.
Transparency about subjects' rights
A controller also has the responsibility to inform the subject of their rights. This information also has to fulfil the requirements of transparency. Additionally, the controller must facilitate the exercise of the rights of the subject.
The overall purpose of this is to put the subject in a position where they can use their rights.
The exceptions do not mean that the principle of transparency does not apply. It means that you, in certain situations, are not required to provide information to certain subjects. The exceptions must be interpreted restrictively.
The subject already has the information
The first exception is when the subject already has the information. When dealing with data collected directly from the subject, this is the only possible exception. It is up to the controller to show and document what information the subject already has, how they got the information and that it is still up to date. If additional information is required, it must be provided.
Impossible, disproportionate or impair the objective
The second exception is when providing the information would be impossible, would require a disproportionate effort, or would impair the objective of the processing. This exception is used foremost for scientific (or similar) purposes.
The controller must show which factors make it impossible to provide the information. If these factors no longer exist, the information must be provided.
Regarding a disproportionate effort, the relevant factors are, for example, a large number of subjects or the age of the data. These factors have to originate in the fact that the data doesn’t come directly from the subject.
If the objective of the processing would be impaired, the controller must show that this is the case.
Mandated by law
The third exception is when the processing is mandated by law. The controller must ensure that they comply with the relevant law.
Obligation of secrecy
The fourth and final exception is when an obligation of secrecy means the data must remain confidential. The controller must show that they have correctly identified the obligation that creates an exception.
In conclusion, transparency in the context of the GDPR means that the subject must be able to find and understand the information which you share with them. You must provide the information in an adequate way within a reasonable time. You must also inform the subject of changes and further processing. There is also a requirement to inform them of their rights. There are four exceptions. You do not have to provide information when the information has already been given, when it would be impossible, when the data is processed as mandated by law, or when it must remain confidential due to an obligation of secrecy.