The transparency of personal data processing: common pitfalls and key findings from decisions of the Czech Office for Personal Data Protection, Part I
The principle of transparency is another fundamental principle of the GDPR, closely correlated to the principle of lawfulness, which we discussed in previous articles (Part I. and Part II.). Only if the data subject is informed in a timely and sufficient manner about the processing of their data and its purpose can they assess whether their rights are being violated. Transparency also means that all information and communications relating to data processing must be easily accessible and understandable, and provided using clear and simple language.
Even when the principle of transparency and related information obligations are complied with, frequent errors still occur. Based on the decision-making practice of the Czech Office for Personal Data Protection (the DPA), we have prepared a selection of the most common ones for you.
Factual errors in information on personal data processing
The data controller must provide the data subject with accurate and correct information. Otherwise, the principle of transparency is not fulfilled. One audited company, which trades in electricity, created detailed information on the processing of personal data, but listed approximately 50 companies (distribution system operators) as data processors and designated itself as the controller, even though the personal data processing agreements showed that the company itself was the processor and the distributors were the controllers. Although this error appeared in the privacy notice for only three months, the company was fined.
When preparing any information documents, it is necessary to ensure their accuracy and double-check them.
Failure to link the individual purpose of processing to a specific legal basis
The personal data controller is obliged to inform the data subject, among other things, about the purposes of processing for which the personal data are intended and the legal bases for processing. In one case, the controller formulated its privacy notice in such a way that, although it listed the purposes for which the personal data were processed, the legal basis could only be deduced indirectly and, for several purposes, could not be deduced at all. The DPA emphasised that such information on the legal basis for processing was incomprehensible to the data subjects. For example, it is not possible to state the legal basis negatively with the words: "Without consent, the following data are further processed...", without giving the specific legal basis for the given purposes of processing (e.g. fulfilment of a legal obligation or legitimate interest).
When providing information on the purposes and legal bases of processing, it is always necessary to assign a specific legal basis to a specific purpose of processing.
Hard-to-find information on personal data processing
Information on the processing of personal data must be easily accessible. One of the audited companies published information on the processing of personal data on its website, but placed it under the “Contacts” tab. Nowhere on the website was it stated that the information was available there, so the data subjects had to actively search for it. The DPA concluded that the information was not provided in an easily accessible manner and fined the company.
Information on the processing of personal data should be accessible to the data subjects with no more than two clicks, preferably under a tab with a relevant name.
Stay tuned
In the next article, we will reveal three more common mistakes that can lead to a breach of the principle of transparency in data processing. Do not miss it!
If you have any questions regarding data protection, please contact our experts.