If you are a data controller, then the GDPR says that you are responsible for and must be able to demonstrate (GDPR Article 5.2) that you process personal data in a transparent manner in relation to data subjects (GDPR Article 5.1(a)).
Data controllers are obliged to provide transparent information to data subjects in a number of documents, such as:
- Consent Request
- Consent Record
- Data Subject Rights
- Data Breach Notification
Recital 39 of the GDPR says that
“(t)he principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand (…).”
Recital 58 of the GDPR says that
“(t)he principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand (…).”
Recital 60 of the GDPR says that
“(t)he principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.”
Which country-specific language does a data subject typically understand?
A data subject typically understands
- the language of the country where the data subject resides,
- the language of the country where the data subject works, or
- the language of the data subject’s nationality.
When does a data controller target data subjects in an EU Member State?
WP29 gives an example of targeting in a footnote to point 15 of its Guidelines on transparency:
“(...) where the controller operates a website in the language in question and/or offers specific country options and/or facilitates the payment for goods or services in the currency of a particular member state then these may be indicative of a data controller targeting data subjects of a particular member state.”
This point will be further elaborated in an upcoming blog post.
WP29 says in point 15 of its Guidelines on transparency:
Signatu enables data controllers to generate, tailor and deliver to data subjects Privacy Policies in multiple country-specific languages that meet the information requirements listed in GDPR Articles 13 and 14.