
Implementing Transparency and Consent under the GDPR

Transparency is one of the main principles related to data protection, according to GDPR. The regulation aims to use transparency as an instrument that empowers the individual and provides relevant information about the processing activities, such as risk mitigation, user rights and accountability of the organisation for the processing activities.

 

According to the regulation, transparency should be context-specific, flexible, dynamic and adaptable to constantly evolving and changing uses to provide clear and understandable information to individuals. It should also enable individuals to choose, where possible, whether or not they agree to their personal data being used.

When implementing transparency in your organization, you should know that:

  • Transparency is key to ensuring that processing is fair. Transparency is linked to fair processing, according to GDPR, whose first principle states that personal data must be “processed lawfully, fairly and in a transparent manner”.
  • Transparency is a business consideration and priority. It is critical for trust and digital confidence, and goes beyond pure legal compliance.
  • Transparency will have a role in defining and supporting the purposes for which personal data may be used (including compatible uses for further processing).
  • Transparency is an intrinsic part of any consent, as consent must be informed in order to be valid.
  • Transparency is an essential element of accountability. Together with other accountability elements, transparency ensures responsible data use.
  • GDPR transparency is intended to be user-centric. This is why Article 12 (1) GDPR requires that information is provided to the individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  • In practice, transparency may have to be delivered by (a) actionable and targeted user-facing information focused on individuals and their needs; and (b) more detailed legal disclosures (privacy notices and policies) that are designed to ensure legal compliance as well as to provide comprehensive and accountable information.

 

Organisations need to provide the following key information in order to ensure transparency:

  • Purposes of processing
  • Reliance on the legitimate interest processing ground
  • The logic in automated decision making
  • Use of third parties to process data
  • Cross-border data transfers
  • Data retention period
  • Individuals’ rights (access, rectification, objection, etc.)

 

Consent is one of the grounds for processing personal data in the GDPR. Consent should be used as a legal ground for processing where: a) it is possible to provide clear and understandable information; b) individuals have a genuine choice to decide whether to use a service or not; and c) consent can be withdrawn without any detriment to individuals.

The implementation of consent should align with the underlying policy goals behind consent:

  • individuals have the information they need to make informed choices about their data;
  • individuals can make those choices before their personal data is processed;
  • individuals can withdraw their consent any time thereafter but should understand that this can mean that a specific service may no longer be offered.

 

It’s essential that everyone understands the importance of GDPR and takes responsibility for the transparency of the processing activities and the consent implementation. You can use our comprehensive online solution for GDPR implementation – a self-assessment tool for monitoring GDPR progress in your organization. The assessment will bring focus to the areas of your business that still need GDPR attention, bringing clarity to all regulation requirements while providing a detailed roadmap with actionable information and an evidence report in case of external audits. Check it now: www.gdprq.eu.


Website last modified: 2018.09.21