Transparency

One of the key principles of GDPR laid out in Article 5 is that of transparency. 

A data controller must not only adhere to this principle but must also be able to demonstrate that personal data are processed in a transparent manner. The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing.


Practical requirements of transparency

Information provided to individuals must comply with the following rules:

  • it must be concise, transparent, intelligible and easily accessible
  • clear and plain language must be used
  • the requirement for clear and plain language is of particular importance when providing information to children
  • it must be in writing “or by other means, including where appropriate, by electronic means”
  • where requested by the data subject it may be provided orally; and,
  • it generally must be provided free of charge.

What does it mean to be “concise, transparent, intelligible and easily accessible”?

The requirement that the provision of information to, and communication with, data subjects is done in a “concise and transparent” manner means that data controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue.


Data protection or privacy information should be clearly differentiated, or set apart, from other non-privacy related information such as contractual provisions or general terms of use. In an online context, the use of a layered privacy statement/notice will enable a data subject to navigate to the particular section of the privacy statement/notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues.


The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience.

Intelligibility is closely linked to the requirement to use clear and plain language. An accountable data controller will have knowledge about the people it collects information about and can use this knowledge to determine what that audience would likely understand. For example, a controller collecting the personal data of working professionals can assume its audience has a higher level of understanding than a controller that obtains the personal data of children.

If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/notices/policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.

Where do I find "transparency" in GDPR?

GDPR Article 5 and Recitals 39 and 58

In addition, GDPR Article 12 sets out the transparency requirements which apply to:

  • the provision of information to data subjects (under Articles 13 - 14)
  • communications with data subjects concerning the exercise of their rights (under Articles 15 - 22); and,
  • communications in relation to data breaches (Article 34).
Guidance on transparency

    Transparency is not defined in the GDPR. However, GDPR Recital 39 provides the following information as to its meaning and effect in the context of data processing:

    “It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed…”


    The Article 29 Working Party (Art. 29 WP), an advisory body that provides expert advice to the EU Member States regarding data protection, has provided the following guidance on transparency:

    The Irish Data Protection Commissioner has also published the following article about transparency and children

    Disclaimer

    This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

    It is intended to be general guidance for educational and informational purposes only.

    It is not legal advice.