This document details how to comply with art. 12 to 22 and 34. Great attention is devoted to art.13 and art. 14..
WP art.29 on paragraph 2 make clear that privacy statements/ notices shall comply with Transparency, as expressed is in the document, by May 25th.
I would like to bring to your attention some points:
- The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. This means that the controller needs to first identify the intended audience and ascertain the average member’s level of understanding. As the intended audience may, however, differ from the actual audience, the controller should also regularly check whether the information/ communication is still tailored to the actual audience (in particular where it comprises children), and make adjustments if necessary. Controllers can demonstrate their compliance with the transparency principle by testing the intelligibility of the information and effectiveness of user interfaces/ notices/ policies etc. through user panels.
- In order to help identify the most appropriate modality for providing the information, in advance of “going live”, data controllers may wish to trial different modalities by way of user testing (e.g. hall tests) to seek feedback on how accessible, understandable and easy to use the proposed measure is for users. Documenting this approach should also assist data controllers with their accountability obligations by demonstrating how the tool/ approach chosen to convey the information is the most appropriate in the circumstances.
- As noted above at paragraph 14, WP29 recommends that where a data controller has an online presence, an online layered privacy statement/ notice should be provided.
- Where the information is translated into one or more other languages, the data controller should ensure that all the translations are accurate and that the phraseology and syntax makes sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted. (A translation in one or more other languages should be provided where the controller targets data subjects speaking those languages.)
- If the change to the information is indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon the data subject, then that information should be provided to the data subject well in advance of the change actually taking effect and the method used to bring the changes to the data subject’s attention should be explicit and effective.
- References in the privacy statement/ notice to the effect that the data subject should regularly check the privacy statement/notice for changes or updates are considered not only insufficient but also unfair in the context of Article 5.1(a).
I feel that WP29 is asking of a more radical change on how privacy notices are managed. Small business will have major efforts to comply.
Fines are huge: up to 20 millions Euro, compared to 36.000 foreseen now in Italy
The public consultation will close on January the 23rd. The final version at the earliest will be ready mid February 2018.
A considerable effort in two months!!