Dear Madam or Sir,
First of all, we would like to express our sincere thanks for the opportunity to provide comments on the Article 29 Working Party’s proposed “Guidelines on transparency under Regulation 2016/679” (hereinafter “the Guidelines”). Spolek pro ochranu osobních údajů (Data Protection Association) is the largest organization bringing together professionals in the area of personal data protection and future data protection officers in the Czech Republic. We are grateful to have been given the opportunity to review the Guidelines. However, we would like to respectfully submit some amendments and refinements to the proposals in the Guidelines in the following areas:
It is not clear from the text whether the Working Party considers it obligatory to re-provide information to all existing clients, or to all persons whose personal data the controller processes. It is apparent that the current statutory level of information (and transparency) cannot meet the benchmarks set by the Regulation and the already widening interpretation of the Working Party. In this context we kindly propose to clarify that there is no direct obligation on controllers to individually communicate extended information about processing to existing clients (i.e. those whose personal data were processed prior to the effective date of the Regulation) in those cases where there is no substantial change. However, this is without prejudice to the obligation to modify or supplement information documents (ex nunc) in such a way that they meet the requirements of the Regulation; this is applicable especially where it is simply feasible – e.g. information documents on the web, in the mobile application, information provided via authorized emails etc., but not in paper documents that have already been printed.
Points 8, 21 and others
We suggest removing all indications of an obligation to test solutions using consumer research, panels, etc. Such duties go beyond the Regulation and should not be considered obligatory nor forced on organizations by virtue of the Working Party’s wide interpretation.
Points 9 and 27
We propose amending the part relating to the obligation to communicate the consequences of processing and, in particular, to describe different scenarios or examples of processing consequences. Such an interpretation goes beyond the main text of the Regulation. In addition, these aspects are often governed by sectoral regulations (such as investment scenarios, insurance, etc.) and it is not desirable to duplicate such obligations. Finally, from practical experience, such attempts to model scenarios seem rather confusing and counterproductive to the extent that they can mislead consumers into thinking that their case will follow the model’s course. The reality, however, is different in most cases.
We believe that the request to place a privacy statement on each page of the website is too strict. We would rather recommend placing the privacy notice on the main page and on those other pages that serve to collect personal data.
We would further recommend amending the example in the sense that “two taps away” means “two taps away from the main interface” of the application.
We suggest reformulating the examples of inadequately defined purposes of processing. The examples are overly strict; explaining further details in the given cases may lead to:
a. excessive complexity of information and denial of the principle of transparency (esp. in case of explanation of the aspects of personalization), or
b. unjust restrictions on any development of services or innovations (a detailed description of potential new services whose features cannot reasonably be known).
We would suggest being more precise about the possibility of providing oral information to the data subject. We don’t fully understand this sentence: “This precondition to the provision of oral information cannot apply to the provision of general privacy information as outlined in Articles 13 and 14, since information required under Articles 13 and 14 must also be made accessible to future users / customers (whose identity a data controller would not be in a position to verify).” We believe that Art. 12 of the Regulation allows even general privacy information to be provided orally at the request of the data subject. We believe that the Regulation states no obligation to inform any future user. Art. 13 and 14 of the Regulation clearly state when the information obligation is to be fulfilled. We would suggest additional clarification in this matter.
We propose to re-word the following text: ‘For clarity, WP29’s position is that there is no difference between the status of the information to be provided under sub-articles 1 and 2 of Articles 13 and 14 respectively. All of the information in these sub-articles is of equal importance and must be provided to the data subject.’
It is unclear whether that statement relates to the relationship between sub-articles 1 and 2 or to the relationship between Articles 13 and 14. While both articles have the same meaning, we see a clear difference between the importance of the information according to sub-article 1 and sub-article 2. The information listed in sub-article 2 should be provided only if it is “necessary to ensure fair and transparent processing in respect of the data subject”.
The interpretation putting both sub-articles on the same level runs counter to standard methods of legal interpretation and denies the text of the Regulation.
We would recommend reconsidering “data collected by the means of observation of data subject” as data, which falls under Art. 13: “Article 13 applies to the scenario where the data is collected directly from the data subject. This includes personal data that ….. a data controller collects from a data subject by observation (e.g. using automated data capturing devices or data capturing software such as cameras, network equipment, wifi tracking, RFID or other types of sensors).” We believe that such kinds of data should be considered rather as data not obtained from the data subject. In these cases, the data subject may not always be aware of what types of data the controller collects or even that his or her data are collected. It is therefore more appropriate to apply to such processing an information obligation under Article 14, especially under Art. 14 (1) point (d) – information about the categories of personal data concerned.
We believe that a processor who processes personal data on behalf of a controller cannot be considered a recipient within the meaning of Article 14.
We propose to reconsider including this paragraph in the guidance, as it clearly goes beyond the provisions of the Regulation and only means additional transaction costs for businesses (another communication/letter/email) with a controversial added value, in particular where such information is in any case permanently made available to the data subject, for example in the interface of the service.
We recommend reconsidering the inclusion of this point in the guidance, as it is very vague and it is not clear what information it relates to (with the exception of optional information about the DPIA).
As in point 19, it is not possible to deduce an obligation to communicate all information, even though it is clear from the text of the Regulation that it is possible to consider whether certain information is necessary.
This point contains two examples of informing the data subject how to request access to personal data. We see the first example rather as a best-practice recommendation and the second one as standard practice.
Opinion states that: “…it follows that impossibility or disproportionate effort only arise by virtue of circumstances which do not apply if the personal data is collected from the data subject. In other words, the impossibility or disproportionate effort must be directly connected to the fact that the personal data was obtained other than from the data subject.” We don’t fully understand why there should be a direct connection between impossibility or disproportionate effort and the fact that the personal data was obtained other than from the data subject. We believe that there could be many other reasons why the fulfilment of the information obligation could be impossible or disproportionate.
Art. 13.1 (d) / 14.2 (b):
We kindly propose to leave out the recommendation to disclose the balancing test for processing based on legitimate interests, even as best practice – this is not supported by any of the provisions of the Regulation. The Regulation establishes an obligation to inform data subjects about “the legitimate interests pursued by the controller or by a third party” (Art. 13 (1) point (d) and 14 (2) point (b)), not about the balancing test itself.
Art. 13/14 (1) point (e).
Opinion states: “In accordance with the principle of fairness, the default position is that a data controller should provide information on the actual (named) recipients of the personal data. Where a data controller opts only to provide the categories of recipients, the data controller must be able to demonstrate why it is fair for it to take this approach.”
We believe that this opinion of the Working Party is not supported by any provision of the Regulation and cannot be derived even indirectly from its text. Data subjects do not have the right to request detailed information about processors (and in our opinion this right cannot be deduced from Article 19 of the Regulation either). This approach of the Regulation is entirely balanced, since the provision of information on processors, with their specification, may have a number of negative consequences for controllers and other data subjects. We would recommend removing this part of the Guidelines.
We would like to once again emphasize that we are really grateful for the opportunity to provide the above-mentioned comments on the Guidelines.
JUDr. Vladan Rámiš, Ph.D.
Chairman of the Committee
Ing. Václav Mach
Vice Chairman of the Committee