One of the foremost tenets of the GDPR is the right of data subjects to be informed, and kept informed, as to why and for what purpose organisations are processing their data. This right rests on the fundamental principle of transparency, and on the need for businesses and organisations to ensure that they have appropriately drafted privacy notices.
Recital 39 of the Regulation states that:
“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information or communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used…”
Building upon this, Article 12 requires that information supplied should be:
· concise, transparent, intelligible and easily accessible;
· written in clear plain language;
· provided in writing or by other means, including where appropriate by electronic means;
· provided orally, where requested by the data subject; and
· free of charge
The requirement for transparency and the right of data subjects to be informed flow from, and are linked to, the principle that the data controller is accountable in accordance with Article 5(2) of the Regulation. Ultimately the data controller must be able to demonstrate that personal data has been processed in a transparent manner, and it is therefore crucial that this documentation is maintained and reviewed to evidence this.
Transparency and the right to information apply throughout the data processing cycle: before, throughout, and at specific points while processing is ongoing (for example, a change to processing or a data breach).
When considering whether information relating to the processing is easily accessible, businesses should reflect on whether data subjects are required to deliberately seek it out, or whether it is immediately available to them. In this regard, guidance has been issued which confirms that organisations which maintain a website should publish their privacy notice on their website, with links to that notice clearly visible. Where ‘apps’ are used, information should be available prior to downloading the app, and should ‘never be more than “two taps” away’ (Article 29 Data Protection Working Party – “Guidelines on transparency under Regulation 2016/679”).
The requirement for clear and plain language is of particular importance when providing information to children, where appropriate language should be used.
Article 13 of the Regulation goes on to specify the information to be provided where personal data is collected from a data subject by a data controller. At the point of collection this information will include, but is not limited to:
· The identity and the contact details of the controller and, where applicable, the controller's representative
· The contact details of the data protection officer, where applicable
· The purpose of the processing for which the personal data are intended as well as the legal basis for the processing
· Where the processing is based on legitimate interests, what those legitimate interests are
· The recipients or categories of recipients of the personal data; and
· Where applicable, the fact that the controller intends to transfer data to a third country or international organisation.
A similar right to information arises, pursuant to Article 14, in circumstances where personal data has not been obtained directly from the data subject.
If you are unsure about the extent to which you are required to provide information to your customers, or whether you have been sufficiently informed as to how your data is being processed, then please contact Richard Burraston on 01293 596984 or at Richard.burraston@stevensdrake.com or Paul Dungate on 01293 596981 or by e-mail at paul.dungate@stevensdrake.com.