Based on the transparency requirements of the GDPR, companies must now provide more detailed information on data processing. The usual form of relaying this information to the public is through a privacy notice. Now that May 25, 2018 is fast approaching and companies are working towards GDPR compliance, such privacy notices must be finalized.
GDPR-compliant privacy notices are critical because they represent the first time that individuals (and data protection regulators) are informed of a company’s privacy practices. On April 11, 2018, the EU’s Data Protection Working Party published its final Guidance on Transparency under the GDPR. It remains to be seen whether this Guidance will bring clarity or raise questions over the next six weeks for those companies involved in GDPR preparation.
The Form Privacy Notices Should Take
The GDPR contains 173 introductory paragraphs, 99 articles, and a long list of contents. The Guidance is 35 pages long. Nevertheless, the GDPR requires that privacy notices be concise, easily accessible, and easy to understand, and that clear and plain language be used. The Guidance also notes that companies should present their privacy notice efficiently and succinctly in order to avoid “information fatigue” among the public. Compliance with these multiple, often conflicting expectations is one of the biggest challenges of the GDPR project, given the large amount of privacy information to be communicated. Companies must now demonstrate their compliance with the transparency principle by testing the intelligibility of their privacy notices and the effectiveness of the interfaces being used (websites, dashboards, direct communications) – if indeed they have the time for testing during the final weeks of GDPR preparation.
Information About “Legitimate Interests”
In addition to outlining the purpose of personal data processing, the privacy notice must identify the relevant legal basis under the GDPR. The GDPR also gives companies the flexibility to rely on their “legitimate interests.” For example, affiliates may have a legitimate interest in transmitting data within their group for internal administration. The existence of a legitimate interest would need careful assessment through a “balancing test,” which is usually a three- to five-page document prepared for internal purposes within the company. Given the internal nature of the balancing tests, many companies do not prioritize them as part of their GDPR preparations. The new Guidance now states, however, that the privacy notice should also provide the public with information from the balancing test, which highlights its importance.
Details on Data Transfers
Currently, most privacy notices contain only a general description of recipients (e.g. “service providers” and “affiliates”). Under the GDPR, the default position is that a company should provide information about named recipients. The privacy notice should also explicitly mention all countries outside the EU to which the data will be transferred. Considering the complexity of data flows in a company’s day-to-day operations, it may be difficult to comply with this requirement. Hence, it may help if companies identify all recipients during data mapping at the beginning of their GDPR preparation, and then transpose this information into the privacy notice.
Information on Data Storage
It is not sufficient to state generally in the privacy notice that personal data will be kept as long as necessary for the legitimate purposes of processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and different processing purposes. This should not be a problem for companies that covered archiving in their data mapping exercise. It may, however, be challenging for other companies – like pharmaceutical firms – whose data retention practices are dictated by factors such as statutory requirements and industry guidelines.
Changes in the Privacy Notices
Before the GDPR, companies usually advised customers to check the most recent version of the privacy notice on the company’s website. Now the Guidance states that companies must communicate fundamental changes (or any changes) to privacy information which impact people. This communication must take place well in advance of the change actually going into effect. Such changes include alterations in the data processing purpose, the data controller’s identity, or how individuals may exercise their rights. In practice, the most explicit and effective notification methods are email and post, which is how financial institutions and telcos have traditionally communicated changes to their T&Cs to the public. Since companies must now revisit this issue, they are in a position to test and select the best way to communicate the upgraded, GDPR-compliant privacy notices to employees and customers.
By Marton Domokos, Coordinator of CEE Data Protection Practice, CMS
This article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.