As we anticipated in our earlier blog post, the Article 29 Working Party (the “WP29”) has adopted draft guidelines on the requirements for transparency and consent under the EU’s General Data Protection Regulation (the “GDPR”).
Transparency is one of the key principles of the processing of personal data under the GDPR. Furthermore, under the accountability principle of Art. 5 of the GDPR, a data controller must be able to demonstrate that personal data is processed in a transparent manner in relation to the data subjects. In practice, this requires data controllers to provide data subjects with concise, transparent, intelligible, and easily accessible information in clear plain language throughout the life cycle of processing.
We have listed some key points from the WP29’s guidance below:
- Apply the KISS principle (“Keep it Simple and Short”): Avoid using overly complicated wordings and sentences in privacy policies and other communication to data subjects.
- The WP29 also recommends using the active voice rather than the passive and avoiding certain qualifiers – for instance the words “might”, “may”, “possible”. The WP29 also considers that the wording “We may use your personal data to develop new services” (which we have often seen in privacy policies to date) is not clear enough and should instead describe the services or how the data will help develop them.
- In order to avoid an “information overload”, privacy policies should be clearly differentiated from non-privacy information.
- Data controllers should take appropriate measures to provide information in a transparent way. What is appropriate will depend on the product or service as well as the nature of the user interface or experience. In an online environment, the information should be provided in layered privacy statements and notices.
- The guidance contains a useful table summarising the information that should be provided to data subjects when collecting data from (i) a data subject himself/herself (GDPR Art. 13) and (ii) other sources than data subjects (GDPR Art. 14). The WP29 also provides some further explanations and examples regarding the matters that the data subjects should be informed about.
In connection with the transparency guidelines, the WP29 also issued proposed guidelines on consent. According to the WP29, since the GDPR provides further clarification and specification on the requirements for obtaining and demonstrating valid consent, the guidelines focus on these changes and provide practical guidance to ensure compliance with the GDPR. In the guidance, the WP29 also addresses the difference between regular consent and “explicit consent” (the higher standard of consent required for the processing of “special categories of personal data”, a.k.a. sensitive personal data). According to the WP29, “explicit” means that the data subject must give an express statement of consent. As the GDPR has raised the standard for regular consent (which must be a “clear affirmative act”), there is not a huge difference between explicit and regular consent in practice.
The WP29 also emphasises that the imbalance of power between a data subject and a controller means that “for the majority of data processing at work, the lawful basis cannot and should not be the consent of the employees”, as it is unlikely that employees will feel able to respond freely to a request to process, or to refuse, without detriment. Instead, other legal grounds set forth in the GDPR should be relied upon, such as the performance of a contract (Art. 7(b)), compliance with legal obligations that necessitate the processing (Art. 7(c)), or an employer’s legitimate interest in the processing (Art. 7(f)).
Both draft guidelines are open for comments until 23 January 2018.
Our data protection specialists are happy to assist you in preparing privacy policies, guidelines, and wording for consents, or if you have any other questions about the practical implications of the GDPR.
Managing Associate at Hannes Snellman