The Article 29 Working Party (WP29), the representative group of data protection authorities across the EU, has issued guidance on the principle of transparency established in the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
Transparency requirements oblige data controllers to provide information to data subjects on their rights, to be transparent in communications with data subjects, and to facilitate the exercise of data subjects' rights under the GDPR.
The guidance sets out that the GDPR requires any information or communication relating to the processing of personal data to be provided:
In a concise, transparent, intelligible and easily accessible form; Using clear and plain language; In writing, or by other means, including, where appropriate, by electronic means; Where requested by the data subject it may be provided orally; and It must be provided free of charge. "Concise, transparent, intelligible and easily accessible" information
The GDPR requires information be presented in a manner clearly differentiated from other non-privacy related information. Controllers should provide unambiguous information on the most important consequences of the processing on the data subject. They should not have to seek it out.
"Clear and plain language"
Best practices for clear writing are preferred under the GDPR. Any language used must be concrete and definitive. Overly legalistic, technical or specialist language and terminology should not be presented to the data subject.
"In writing or by other means"
The default position for the provision of information under the GDPR is that the information is in written form.
"The information may be provided orally"
The provision of oral information does not necessarily require it to be done in person or by telephone. The WP29 has noted that automated oral information may be provided in addition to written means, such as in the context of persons who are visually impaired.
"Free of charge"