The Article 29 Working Party has published its draft guidelines on transparency. For those of us who have already been working on GDPR privacy notices, there don’t seem to be any surprises: this is largely a compilation of the relevant sections of the Regulation and other guidance. In particular, it seems to have been strongly influenced by the UK Information Commissioner’s guidance on Privacy Notices.
Transparency is required in three areas: providing information to data subjects to ensure processing is fair; informing data subjects about their rights; and facilitating the exercise of those rights. Most of the guidelines deal with the first of these, commonly known as privacy notices or fair processing notices. Although the guidelines don’t explicitly admit the tension between the GDPR requirements to be “concise” and also “specific”, they do suggest how to prioritise information. Data subjects must always be informed of the processing that will have most impact on them, and especially any processing or consequences that may surprise them. This matches the Information Commissioner’s view that telling people the blindingly obvious is not a priority! However, data controllers should avoid the temptation to rely on vague wording; a number of words and phrases are singled out as undesirable, including “to develop new services”, “for research purposes” and “for personalisation”. In the on-line context, layered notices are repeatedly mentioned as a possible solution, though with a possibly new twist that such notices should allow individuals not just to choose the level of detail, but also the specific areas they want information about.
Finally, there’s a reminder that existing notices should be reviewed before May 25th, and pages 31-35 have a table (less pretty, but containing more detail, than the Information Commissioner’s version) of the information required in different circumstances.