One of the key principles of GDPR laid out in Article 5 is that of transparency.
A data controller must not only adhere to this principle, he or she must be able to demonstrate that personal data are processed in a transparent manner. The transparency requirements in the GDPR are required irrespective of the legal basis for processing and apply throughout the life cycle of processing.
Practical requirements of transparency
Information provided to individuals must comply with the following rules:
- it must be concise, transparent, intelligible and easily accessible
- clear and plain language must be used
- the requirement for clear and plain language is of particular importance when providing information to children
- it must be in writing “or by other means, including where appropriate, by electronic means”
- where requested by the data subject it may be provided orally; and,
- it generally must be provided free of charge.
The requirement that the provision of information to, and communication with, data subjects is done in a “concise and transparent” manner means that data controllers should present the information/ communication efficiently and succinctly in order to avoid information fatigue.Close
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience.
Intelligibility is closely linked to the requirement to use clear and plain language. An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand. For example, a controller collecting the personal data of working professionals can assume its audience has a higher level of understanding than a controller that obtains the personal data of children.
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.Close
GDPR Article 5 and Recitals 39 and 58
In addition, GDPR Article 12 sets out the transparency requirements which apply to:
- the provision of information to data subjects (under Articles 13 - 14)
- communications with data subjects concerning the exercise of their rights (under Articles 15 - 22); and,
- communications in relation to data breaches (Article 34).
Transparency is not defined in the GDPR. However, GDPR Recital 39 provides the following information as to its meaning and effect in the context of data processing:
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed…”
The Article 29 Working Party (Art. 29 WP), an advisory body that provides expert advice to the EU Member States regarding data protection has provided the following guidance on transparency:
The Irish Data Protection Commissioner has also published the following article about transparency and children
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.