By Thomas Nygren and Fredrik Steen
The principle of transparency is enshrined in GDPR article 5.1 (a), and from it stem controllers' obligations to inform data subjects about their processing, found in GDPR articles 12 – 14. Of these, article 12 lays the foundation for how the information is to be provided, article 13 dictates the information to provide when you collect personal data directly from a data subject, and article 14 dictates the information to provide when you collect personal data from sources other than the data subjects themselves. WhatsApp was found to be infringing all of the mentioned articles. In the following we review the WhatsApp decision in relation to GDPR article 13.
Transparency when you collect data from the data subject
II.i Information about the purposes and legal basis of processing and pursued legitimate interests
Pursuant to GDPR article 13.1 (c), the controller must provide data subjects with information about the purposes and legal basis of the processing. There are six legal bases for processing personal data and WhatsApp was found lacking in transparency in relation to all of them.
Pursuant to the DPC's decision, a controller must identify and specify which categories of personal data and which processing operations rely on any given legal basis, as well as the purpose of said processing. The information must be provided in a way that informs data subjects of which processing operations use which categories of data and on what legal basis each processing operation rests. Otherwise, the information provided would not be specific or concrete enough to enable data subjects to hold the controller responsible for the processing, which would fail to uphold the principle of transparency. In other words, the purpose, legal basis, processing operations and categories of personal data must not be given separately from each other (e.g., under separate sections of the policy). A data subject must be able to clearly understand the purpose of each processing operation, which categories of data are concerned and which legal basis the processing operation relies on.
Fulfilling these requirements means providing the reader with a lot of information. In response to WhatsApp's objection that providing such an amount of information would cause the reader information fatigue and thereby in itself be a cause of lack of transparency, the DPC answered simply that this would not be the case if the text was written in a clear and accessible way. Furthermore, between the lines the DPC recommended the use of tables, particularly where an information requirement comprises a number of linked elements, such as the information required under GDPR article 13.1 (c).
II.ii Information on data retention
WhatsApp was further deemed to be in breach of article 13.2 (a), which requires that controllers inform data subjects of data retention periods or, if they cannot, of the criteria used to determine such periods.
The DPC notes that information provided pursuant to transparency under the GDPR should be meaningful to the data subject. When it comes to retention periods, this means that a data subject should be able to understand the basis for any retention of data by way of practical examples of how the retention criteria affect the retention period. As such, a controller must provide key information regarding whether certain information will be retained and explain if and how such retained records are disassociated from personal identifiers.
Most critically, this places a larger information duty on controllers that retain personal data after the provision of services to, or contact with, the data subject has ceased. It is not sufficient to state that personal data may be kept as required by law. Instead, retention periods should be given by way of specific examples that clarify how the period of retention is calculated.
II.iii Transparency when transferring personal data to third countries (GDPR article 13.1 (f))
Since the Schrems II decision and the revised standard contractual clauses, third country transfers have been on everyone's radar. However, the DPC decision now further develops the requirements for transfers of personal data outside the EU/EEA, this time from a transparency viewpoint.
WhatsApp, like many of its contemporaries, informs data subjects about third country transfers by saying something along the lines of "any transfers of personal data to countries outside the EU/EEA, including the US, are done according to the EU approved standard contractual clauses, an adequacy decision or other safeguards as applicable." According to the DPC decision, this is not sufficient.
When relying on an adequacy decision for the transfer of personal data, the DPC writes that a controller should identify the country of transfer, provided this information enables the data subject to receive transparent and meaningful information as to those transfers, even if there is not. The DPC does not elaborate further on the situations in which providing such information would not give the data subject transparent and meaningful information. However, the DPC further states that even if the receiving countries are not specified, the controller must find another way to enable data subjects to access information regarding the specific adequacy decision supporting the transfer in question.
As such, the DPC decision makes it clear that in most cases it is incumbent on the controller to clearly inform data subjects of the country of transfer or otherwise find a way to inform them of the specific adequacy decision supporting the transfer in question.
When transferring personal data pursuant to a safeguard other than an adequacy decision, the controller must be able to provide data subjects with detailed information about the safeguards being used to protect the personal data. For example, this includes being able to provide the data subject with the applicable standard contractual clauses entered into for the transfer in question. Furthermore, the DPC quotes the Article 29 Working Party's transparency guidelines, which state that the third countries should be named so that the information provided can be as meaningful as possible to data subjects.
Last but not least, a controller must specify the categories of personal data that will be transferred, if need be on a transfer-by-transfer basis, so that the data subject may hold the controller responsible in relation to the transfer mechanism relied on.
Presentation of information
It should also be noted that as the burden of providing information increases, e.g., as a consequence of the DPC's clarifications on the GDPR, the presentation of said information becomes paramount. The obligation to provide specific and useful information to data subjects means an increase in the information provided compared to many privacy policies today. This in turn makes brevity, clarity and the presentation of the information more important than ever.
Summary (call to action)
More active supervisory authorities, increasing administrative fines, and heightened interest and knowledge among individuals all point to the fact that it is becoming increasingly important to become compliant and to continuously review one's compliance with the GDPR.
Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, as last revised and adopted on 11 April 2018 (17/EN WP260 rev.01) ("the Transparency Guidelines")