How can a GDPR compliant privacy information notice provide all the information required and at the same time meet the applicable transparency requirements?
The Article 29 Working Party (WP29) issued its guidelines on transparency, which require solving a complex puzzle: a large amount of information has to be communicated to individuals through the privacy information notice in a manner that is “concise, transparent, intelligible and easily accessible”, using “clear and plain language”.
My personal experience is that drafting a privacy information notice was a routine exercise under EU Directive 95/46, but has now become a very time-consuming and difficult process under the General Data Protection Regulation, especially when it comes to the processing of customers’ personal data and the data controller
- needs to rely on automated decision-making technologies for instance to assess the level of risk in the insurance and finance sectors;
- plans to invest in machine learning or artificial intelligence in order to automate activities that are manually handled at the moment; or
- just wants more flexibility in the performance of direct marketing activities, including profiling, and wants to assess, for instance, whether legitimate interest can be relied upon as the legal basis for this purpose.
Below are my top takeaways from the WP29 guidelines on transparency and my position on how the required goal can be achieved in a privacy information notice, first in Italian as part of my video blog series Diritto al Digitale and then in more detail in English:
A concise privacy information notice cannot be “short”
The WP29 states that
“The requirement that the provision of information to, and communication with, data subjects is done in a “concise and transparent” manner means that data controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue”.
The above concept is repeated again and again throughout the WP29 guidelines on transparency, which however also contain a long list of contents to be included in the privacy information notice, referring to concepts that are difficult to convey in plain and clear language.
My personal view is that the key to achieving this is to work on the format in which the privacy information notice is provided. Indeed, the WP29 itself refers to a “layered” privacy information notice, which might be structured as a kind of FAQ: very short, in very plain language, with links to the sections of the (considerably longer) full privacy information notice where each matter is addressed in detail. In any case, though, “the entirety of the information addressed to data subjects should also be available to them in one single place or one complete document (e.g. whether in a digital form on a website or in paper format) which can be easily accessed should they wish to consult the entirety of the information”.
Also, the requirement of transparency triggers the obligation to describe in the privacy information notice the data processing activities that are actually performed. Therefore, adopting a single privacy information notice with the goal of using it for any possible service or product offered by a company risks not being in line with the GDPR.
You need to thoroughly monitor the categories of recipients of personal data
The WP29 requires that
“controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients […]. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.”
The solution cannot be to simply identify very broad categories and state that personal data “might” be communicated to them since, according to the WP29, this would undermine the transparency requirements. Therefore, during the data mapping exercise, the categories of recipients should be identified in detail, and this information should then be reflected in the privacy information notice.
You cannot quickly change a privacy information notice
A frequent practice was to refer to a website where the most updated version of the privacy information notice could be reviewed. However, this practice is not considered sufficient by the WP29, which requires that if a change to the privacy information notice is
“indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon the data subject, then that information should be provided to the data subject well in advance of the change actually taking effect and the method used to bring the changes to the data subject’s attention should be explicit and effective”.
The above is especially relevant during the transitional phase prior to the effective date of the GDPR, which will require all privacy information notices to be updated. My view is that the notification of changes to a privacy information notice should be handled in the same way banks and financial institutions handle updates to their terms and conditions (Ts&Cs), i.e. by sending a notification of the changes via email. According to the WP29, such a notification shall be included in a communication “specifically devoted to those changes (e.g. not together with direct marketing content)”.
Also, it should be borne in mind that, under the WP29 guidelines, it should be possible to link each consent obtained to the relevant version of the privacy information notice and consent form.
The WP29 also provides that data controllers shall send “express reminders to data subjects as to the fact of the privacy statement/notice notified and where they can find it”.
Are the exceptions to the obligation to provide a privacy information notice becoming more limited?
The position of the WP29 is that the exception to the obligation to provide a privacy information notice in cases where doing so would involve “a disproportionate effort”, with the option of instead making “the information publicly available”, applies only when personal data is not obtained from the relevant data subjects, since the exception is set out in Article 14 of the GDPR.
This interpretation is not in line with recital 62 of the GDPR, which does not provide for such a limitation, and hopefully the WP29 will review its position in the final version of the guidelines. Indeed, this provision might be a very useful tool to provide, for instance, a GDPR compliant privacy information notice to former customers and employees whose personal data is stored solely for compliance purposes. And, given the wording of recital 62, I would not entirely rule out relying on this option.
What is your view on the above? What are other aspects to be considered?