This document provides an introduction to transparency under the GDPR. It discusses the overarching obligation of transparency that applies throughout the entire data processing period. It outlines the requirements for providing information to data subjects under Articles 13 and 14, including what information must be provided, when it must be provided, and exceptions. The information must be concise, transparent, intelligible, easily accessible, and in clear plain language. Privacy statements are recommended to communicate this information to data subjects.
2. AN
INTRODUCTION
TO
TRANSPARENCY
No definition under the GDPR.
It is an overarching obligation that applies irrespective of the legal
basis for processing and through the entire processing period.
3. PROVIDING DATA SUBJECTSWITH
INFORMATION RELATINGTO FAIR
PROCESSING
COMMUNICATING WITH DATA
SUBJECTS IN RELATIONTOTHEIR
RIGHTS
FACILITATINGTHE EXERCISE BY
DATA SUBJECTS OFTHEIR RIGHTS
APPLICATION
4. ELEMENTS
ARTICLE 12
ARTICLE 13-14 ARTICLE 15-22 ARTICLE 34
PROVISIONOF
INFORMATIONTO
DATA SUBJECTS
COMMUNICATIONS
IN RELATIONTO
DATA BREACHES
COMMUNICATIONS
CONCERNING
RIGHTS OF DATA
SUBJECTS
5. ARTICE 13
Article 13 – Information to be provided when data is collected from
the data subject.This includes personal personal data when:
A data subject consciously provides information to the data
controller;
A data controller collects data from a data subject by observation.
6. ARTICE 14
Article 14 – Information to be provided when data has not been
obtained from the data subject. This includes personal data that
has been obtained from sources such as:
Third party data controllers;
Data brokers;
Publicly available sources.
7. ELEMENTS
ARTICLE 12
Information
must comply
with the
following
requirements
Concise, transparent, intelligible, and easily accessible;
Clear and plain language;
Must be in writing or by other means;
When requested by a data subject, it should be provided orally;
Should be provided free of charge, with a few exceptions (i.e.,
when requests are “manifestly unfounded or excessive”).
8. ELEMENTS
ARTICLE 12
CONCISE, TRANSPARENT, INTELLIGIBLE, AND EASILY
ACCESSIBLE
Information should be communicated efficiently, should avoid
information fatigue, and should be differentiated from other non-
privacy related information.
It should be understood by an average member of the intended
audience & is closely linked to clear and plain language.
The data subject should not have to seek out information and
should not be more than 2 taps away (for example: the use of
contextual pop-ups when filling out forms or though the use of
layered privacy statements).
9. ELEMENTS
ARTICLE 12
CLEARAND PLAIN LANGUAGE
GOOD: We will retain your shopping history and use details of the
products you have purchased to make suggestions for other
products which we believe you will be interested in.
BAD: We may use your personal information to develop a new
service.
Indefinite language - “may”, “might”, “possible”, etc. - should be
avoided.
13. INFORMATION
TO BE
PROVIDED
Use privacy statements (or notices or policies) or fair processing
notices .
The data controller should take appropriate measures in relation
to the provision of information for transparency. This means
gauging the situation to decide the best way to communicate
information.
Test different methods.
14. WHENSHOULD
INFORMATION
BE PROVIDED?
Article 13 – at the time when personal data is collected.
Article 14 or indirectly obtained personal data – within a
reasonable period after obtaining the data, and no later than one
month, having regard to the circumstances.
If data is used for communication with the data subject,
information should be provided at the latest at the time of first
communication.
If data is being disclosed to a third party, information should be
provided at the latest at the time of first disclosure.
15. EXCEPTIONSTO
PROVIDING
INFORMATION
Article 13 – in the event the data subject already has this
information. Data controllers will need to demonstrate and
document what information the data subject already has, how and
when it was received, and that no changes have occurred to the
information to make it out of date.
16. EXCEPTIONSTO
PROVIDING
INFORMATION
Article 14
Provision of information would prove impossible, would involve a
disproportionate effect, would make the objectives of the
processing impossible, or seriously impair them.
Data controller is subject to national / EU law to obtain and
disclose the personal data and the law provides appropriate
protections for data subject’s legitimate interests.
Secrecy obligations
17. THANK YOU
Should you have any questions or comments, please get in touch
with aadya.misra@spiceroutelegal.com or
mathew@spiceroutelegal.com !