- The Art. 29 Group sets out guiding principles on transparency, which give those responsible a high degree of discretion in practical implementation.
- The recommended “layered” approach applies to content and time provision; complete explanations must also be available as a document.
- Active notification of the data subjects is required for comprehensive adjustments to data protection declarations, otherwise publication is sufficient.
- For exceptions pursuant to Art. 14 para. 5 lit. b (disproportionate effort), protective measures are mandatory; publication on the Internet can be such a measure.
The Article 29 Working Party published the final version of Working Paper 260 on transparency on April 13, 2018 (WP260 rev.01). A comparison of this version with the hearing version published in January 2018 The following is a summary of the situation – which is, of course, not exhaustive. – A Comparison document (redline) is available here: PDF.
-
- The Art. 29 Group emphasizes that not all nuances can be mapped and that the goal is for responsible parties to understand “at a high level” what the Group means by transparency – underscoring that the principles are guiding, but that there is discretion in implementing transparency;
- In general, however, the approach of the Art. 29 Group has not become more pragmatic. Some references – mostly in nuances – even represent tightenings;
- when Data protection declarations to be adapted due to the GDPR, this should be actively communicated to the affected persons if the changes are comprehensive. Otherwise, publication is sufficient;
- special consideration must be given to children in the wording and design of data protection declarations if the declaration concerns a processing operation which is aimed at children or which is likely to affect children of literate age to a particular extent;
- the “layered” approachThe group recommends that the layered approach be applied not only to electronic declarations, but also to the timing of the process: If just-in-time notices are provided (e.g., as mouse-over text in an online form), the entire statement must also be available as a document; this, too, represents a layered approach in the group’s view. There are additional comments on the “layered” approach;
- indeterminate formulations (“may”, “might”, “some”, “possible” etc.) should be avoided. If they are used nevertheless, the person responsible should be able to explain why such terms are necessary and that they do not violate the principle of fairness – after all;
- at Editing changes a new notification should be made according to the opinion already expressed so far – the Working Party proposes new criteria to be taken into account in this context;
- the privacy group gives a new example of the Exception in Art. 14 (5) lit. b DSGVO (“disproportionate effort”):
A large metropolitan hospital requires all patients for day procedures, longer-term admissions and appointments to fill in a Patient Information Form which seeks the details of two next-of-kin (data subjects). Given the very large volume of patients passing through the hospital on a daily basis, it would involve disproportionate effort on the part of the hospital to provide all persons who have been listed as next-of-kin on forms filled in by patients each day with the information required under Article 14
- If a data controller invokes this exception, it is obliged to take protective measures pursuant to Article 14 (5) (b) GDPR. The Working Party now confirms that such a protective measure can consist of, for example, posting a data protection statement on the Internet that creates the corresponding transparency.