December 22, 2017

The Working Party says that the Guidelines provide practical guidance and interpretative assistance on the new obligation of transparency concerning the processing of personal data under the GDPR.

The Guidelines explain that the concept of transparency is an overarching obligation under the GDPR applying to three central areas: (i) the provision of information to data subjects related to fair processing; (ii) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (iii) how data controllers facilitate the exercise by data subjects of their rights.

The Guidelines say that transparency is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary challenge, those processes. It is also an expression of the principle of fairness in relation to the processing of personal data, as set out in Article 8 of the Charter of Fundamental Rights of the European Union.

Under the GDPR, in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject. Connected to this, the accountability principle requires transparency of processing operations in order that data controllers are able to demonstrate compliance with their obligations under the GDPR.

When the GDPR becomes effective on 25 May 2018, where processing which is already under way before that date, a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means that before 25 May 2018, data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements, notices etc) to ensure that they adhere to the requirements in relation to transparency.

The Guidelines explain that the concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information which must be provided to data subjects.

The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. Article 12 provides that transparency applies at the following stages of the data processing cycle:

• before or at the start of the data processing cycle i.e. when the personal data are being collected either from the data subject or otherwise obtained;
• throughout the whole processing period i.e. when communicating with data subjects about their rights; and
• at certain specific points while processing is ongoing, for example, when data breaches occur or in the case of material changes to the processing.

The Working Party invites comments on the Guidelines by 23 January 2018. To access the Guidelines, click here.