Transparency of the processing

Practical consequences of the transparency of processing

Although it is an expression of the principle of good faith, this principle is explicitly mentioned in Art. 5 (1) (a) GDPR due to the fundamental importance of transparency in processing. Accordingly, personal data must be processed in a manner that is comprehensible to the data subject.

The practical significance in organisations should not be underestimated. The most important obligations with regard to transparency are:

Information and rights of the data subject

The principle of transparency manifests itself vis-à-vis the data subject in particular in the context of the information obligations pursuant to Art. 13 or Art. 14 GDPR. This is intended to inform data subjects about the circumstances of the processing of their data and also about their rights.

The duty of transparency goes so far that control over data processing must not ultimately lie solely with the controller (the processor of the data). The data subject must be able to decide against processing activities and check their legality or at least their conclusiveness. This also corresponds to the fundamental right to informational self-determination recognised in some constitutional systems.

Comprehensibility of the privacy policy

In order to comply with the principle of transparency, Recital 39 GDPR requires that

“all information and communications relating to processing activities (…) must be easily accessible and easy to understand, and that clear and plain language be used”.

This means, for example, that the privacy policy on a website must be sufficiently linked and accessible before (!) data is collected. In terms of content, the privacy policy must clearly reflect the points listed in Art. 13 GDPR and Art. 14 GDPR.

The privacy policy must be drafted in such a way that external third parties can gain a concrete picture of the processing activities of their personal data in order to assess whether or not they wish to authorise them. In particular, data subjects should be able to recognise connections between different processing operations, e.g. if a company collects personal data from many different sources in multichannel marketing in order to enrich a profile.

The more complex data processing is for data subjects and the more serious the consequences, the higher the requirements for the duty to provide information.

Clarity about the responsible body

The information for data subjects must also clearly state who the controller is. This is because data subjects can only exercise their rights to information, rectification or erasure, for example, if they know who to contact.

In the case of groups whose companies jointly process data, this can lead to ambiguities. If several companies are named, it may not be clear whether all the companies named are jointly responsible or whether they are only responsible for individual processing operations.

To whom can consent be withdrawn or a right to erasure asserted? If several bodies are named, this should be possible vis-à-vis all of them. In any case, if there is joint controllership pursuant to Art. 26 GDPR, the information obligations pursuant to Art. 13 or 14 GDPR must be fulfilled in a transparent manner vis-à-vis the data subjects. In addition, data subjects must receive essential information about the joint controllership agreement. Data subjects must be aware of who fulfils which data protection obligations and who they can contact if they have specific questions.

If there is no joint responsibility, this must be clearly communicated to the data subjects and the privacy policy must be adapted accordingly so that it is clear which company is specifically responsible for which processing operations.

Scope of the information obligations

Art. 13 GDPR provides for a catalogue of necessary information for each individual processing operation in the case of direct collection and Art. 14 GDPR as a counterpart for the indirect collection of personal data. The minimum requirements are set out in para. 1 and para. 2 respectively. In the case of direct collection, for example, it is necessary to inform the data subject of the purposes for which the personal data is to be processed and the legal basis for the respective processing activity.

The division into two paragraphs often causes confusion, as paragraph 2, especially in Art. 13 GDPR, speaks of “necessary” information, giving the impression that the information obligations listed therein are merely optional. However, the purpose of Art. 13 and 14 GDPR is to strengthen the rights and interests of data subjects in particular, so that it must always be assumed that this additional information is necessary.

Consequences of violations of the transparency principle

Data subjects should be informed in advance about which processing activities concerning their person and to what extent (future) data processing is intended or is already taking place and should have all the W questions (Who? What? How? For what? How long? Where to? etc.) answered by the controller. Because only those who know what happens to their data can decide for themselves whether they consent to data processing or exercise their rights as a data subject.

If companies violate the principles of Art. 5 GDPR, the supervisory authorities can impose the highest fines – up to EUR20 million or 4% of the total worldwide annual turnover of the previous financial year (Art. 83 (5) (a) GDPR). It is therefore worth paying close attention to these principles when processing personal data.