Transparency requirements under the GDPR and D-DPA
As regular readers of our data protection articles will know, our aim is to give you a practically oriented overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Draft Data Protection Act (D-DPA), a draft revision of which is still subject to debate, and which is expected to enter in to force later this year.
In this article, we’ll be taking you through the requirements to be met by any data controller under both pieces of legislation when it comes to transparency.
What is transparency?
Under both the GDPR and the D-DPA, data controllers must adhere at all times to the principle of transparency when it comes to processing personal data. That means ensuring that anyone whose data is collected is kept adequately and sufficiently informed about just what is being done, and will be done, with their data.
The obligation to inform the data subject under the GDPR
While the GDPR does not define the term “transparency”, it does stipulate that communication with data subjects must meet the following key requirements:
- It must be concise, transparent, intelligible and easily accessible.
- The language must be clear and plain.
- It must be conveyed in writing, or by other means, including, where appropriate, by electronic means, and where requested by the data subject, orally.
- It must be presented free of charge.
The GDPR sets out an extensive list of topics on which data subjects must be informed, including
- the identity and contact details of the controller and, where applicable, their representative and the data protection officer.
- the purposes for which the data is being processed.
- the legal basis for processing the data.
- the recipients or categories of recipients of the data, if any.
- the details of any transfer of the data in question to a third country—and, if that country does not have in place an adequate level of protection, the particular safeguards that will be in place for the data, or the details of any exception under which such a transfer is allowed.
- how long the data will be stored for.
- the data subject’s rights.
- the existence of automated decision-making (including profiling).
- whether the collection of the data subject’s data is required for statutory or contractual reasons, or is necessary in order for them to be able to enter into a particular contract, as well as whether the data subject is obliged to provide (certain of) the requested data and the possible consequences of failure to provide said data (if data is collected directly from the data subject).
- the categories of data concerned (in cases where the data is not collected directly from the data subject).
Although there are certain exceptions to this obligation to provide this information to the data subject—such as where, and insofar as, they already have it—they should be interpreted and applied narrowly.
Data controllers must ensure that the information listed above is provided to the data subject either before their data is collected or at the moment in which that happens. In cases where the data is obtained from a source other than the data subject themselves, the data subject must be informed of this within a reasonable period, depending on the circumstances.
The obligation to inform the data subject under the D-DPA
The collection of data—and, in particular, the purposes for which it is being collected and processed—must be clear to the data subject concerned. Although the D-DPA neither defines transparency nor stipulates a particular way in which the information must be provided to the data subject, it is generally understood that the controller must ensure that the information is provided to the data subject in such a way that the subject is, in effect, in a position to take note of it.
Just as the GDPR does, the D-DPA contains a list of topics on which data subjects must, in principle, be informed, although exceptions sometimes apply—such as where, and insofar as, they already have the information in question. Though the requirements are similar overall, the list in the D-DPA is less extensive than that in the GDPR. The following four differences are worth highlighting in particular:
- There is no requirement under the D-DPA to inform the data subject how long their data will be stored for.
- There is no requirement to inform the data subject of their rights.
- There is no obligation to indicate whether the collection of the data subject’s data is required for statutory or contractual reasons, or is necessary in order for them to be able to enter into a particular contract, or whether the data subject is obliged to provide (certain of) the data that is being requested, and the possible consequences of any failure to provide it.
- Information regarding the existence of automated decision-making is necessary only in cases where such decisions either has legal or other significant effects on the data subject.
Just as under the GDPR, under the D-DPA data controllers must ensure that the information in question is provided to the data subject either before their data is collected or at the moment in which that happens. In cases where the data is obtained from a source other than the data subject themselves, the data subject must be informed of this within a month.
What to do? Comply with the highest transparency standards
The safest approach is to comply with the highest standards of both the GDPR and the D-DPA.
Organisations should thus ensure that:
Joanne ZaaijerAssociate Attorney at law
Joanne Zaaijer, attorney at law, is an associate in our Rotterdam office. She focusses on data protection and privacy law, telecommunications, life sciences, advertising and e-commerce.T: +31 20 578 52 55 M: +31 653 57 74 21 E: Joanne.Zaaijer@loyensloeff.com