DPC consultation on international transfers & transparency under the GDPR

The Data Protection Commissioner (DPC) has called for submissions on issues of Transparency and International Data Transfers under the GDPR. The submissions received by the DPC from its consultation will be shared with the Article 29 Working Party (WP29), at its third Fablab in Brussels on 18 October 2017 to inform the preparation of new guidelines on transparency under the GDPR and the updating of existing guidelines on international data transfers.

Transparency

Transparency is a key obligation under the GDPR. Data controllers are required to process data fairly, lawfully and transparently, and to provide a prescribed list of information to data subjects when collecting their data. Transparency is also intrinsically linked to the new principle of accountability, which requires data controllers to be able to demonstrate that personal data are processed in a transparent manner.

The DPC is seeking submissions on a range of issues including, amongst others:

There is no definition of transparency in the GDPR – how should it be defined/interpreted?

The GDPR requires data controllers to take “appropriate measures” to provide information to data subjects; to communicate with individuals in regard to their rights under the GDPR; and to notify data subjects of data breaches. What sorts of tools/techniques/mechanisms/approaches might constitute “appropriate measures” for these purposes?

The GDPR requires a higher transparency threshold when the data subject is a child – how should that higher transparency threshold be achieved?

Data controllers are required to provide information to data subjects “in writing, or by other means, including, where appropriate, by electronic means“. What tools/mechanisms/approaches might constitute “by other means” in a non-electronic environment? What tools/techniques/approaches might constitute “by other means” in an electronic environment?

An exception to the obligation to provide data subjects with information regarding processing activities, applies where the provision of such information proves “impossible” or would involve “disproportionate effort“. How should the concept of “impossibility” be interpreted? What should constitute a “disproportionate effort“?

How can information “fatigue” be avoided by data controllers, while still ensuring compliance with all the transparency requirements in the GDPR?

International Transfers

The GDPR permits transfers out of the EEA where such transfers take place on the basis of an adequacy decision; or if a controller or processor has put in place appropriate safeguards such as BCRs, model clauses, or an approved code of conduct or certification mechanism; or where one of the derogations applies, such as explicit consent.

The DPC seeks submissions on the following issues:

Which legal bases for conducting non-EEA personal data transfers under the GDPR are likely to be most commonly relied on by your organisation?

What are the challenges to conducting non-EEA personal data transfers under each of the legal bases/mechanisms set out in the GDPR?

What specific actions might the WP29 and/or national data protection authorities take to help organisations address or alleviate such challenges?

The DPC’s consultation is open until Friday 13 October 2017. The DPC will not be summarising or preparing a report on the submissions received.

For further information please contact Davinia Brennan.

This article was first published in our Ireland IP & Technology Law Blog on 13 September 2017.