Demystifying Article 12 – Don’t cloud over the importance of transparency
As the digital age has made it ever easier to collect information, and in ever-increasing amounts, it’s now more important than ever for individuals to have clarity and certainty about how their personal data is used, and for organisations to be clear about exactly why they need an individual’s data and what they’re going to do with it.
A key obligation when it comes to data protection is transparency.
Transparency is defined as a process which involves decisions and processes being completely visible and open to scrutiny, so that it's clear that nothing is being hidden.
Article 12 of the Data Protection (Jersey) Law 2018 (DPJL 2018) states that, as a data controller for an organisation, it is necessary to be clear about exactly what information is being collected and for what purpose, and that the data is being used in a lawful and transparent way. Not only that, but this intent must be communicated in a concise, intelligible and easy to understand way, using clear and plain language that is appropriate for the individual whose information is to be processed. This generally needs to be done at the time the data is obtained from the individual.
- WHAT: What personal data are you collecting?
- WHY: Why do you need to collect and process that exact data?
- WHERE: Where is the data going to be stored?
- WHO: Who will the data be shared with?
- HOW: How long do you need it for?
Don’t forget to also explain that individuals have certain rights under the law and give them a contact point, letting them know who they need to contact to exercise those rights.
- Using uncertain words like “may” and “might” in privacy policies.
Tip: Presenting information unambiguously is essential to transparency. Words such as “may”, “might”, “often” and “most commonly” should be avoided. If you are doing something, you should say it. If you’re not, then you don’t need to mention it.
Tip: For retention periods, phrases such as “as long as necessary to fulfil the purposes…” are unlikely to be sufficient to fulfil the transparency obligations. Be specific. It is key that data subjects can clearly understand how their data is being used in each specific case, including the specific retention period or criteria.
- Controllers fail to provide complete information on the purposes and lawful basis for each of those purposes.
Tip: We have in the past suggested controllers consider using a table structure to present this information to subjects. This way, data subjects can easily search for the relevant purpose and check the relevant information. This table can also contain retention information for each purpose.
- Using legitimate interests as a lawful condition without providing an explanation.
Tip: Any use of legitimate interests must be accompanied by an explanation of the legitimate interests.
- Providing little or only general information about the recipients of personal information.
Tip: Controllers need to provide the recipients or categories of recipients of personal data to subjects. This should include processors like software providers and other recipients like group companies and government departments. If the recipients are not named, the controller should provide as much information as possible and be able to demonstrate why this is fair.
- Not realising that certain software tools are based in countries designated as third countries, to which special transfer rules apply. Controllers need to know where the data is being processed. If a controller is transferring data to a third country, it must inform data subjects of this and outline whether there is an adequate level of protection.
Tip: Have a look at our Tools and International Transfers guidance. Remember that there must be adequate protection for any transfer to a third country to be lawful.
- Not providing all the required information under Article 12.