In this blogpost we ask in which situations you must have a multilingual Privacy Policy.
Transparency
If you are a data controller, then the GDPR says that you are responsible for and must be able to demonstrate (GDPR Article 5.2) that you process personal data in a transparent manner in relation to data subjects (GDPR Article 5.1(a)).
Data controllers are obliged to provide transparent information to data subjects in a number of documents, such as:
- Privacy Policy
- Consent Request
- Consent Record
- Data Subject Rights
- Data Breach Notification
Privacy Policy
You are transparent by providing data subjects with a Privacy Policy that meets the content requirements listed in GDPR Article 13 (when personal data are collected from the data subject) and GDPR 14 (when personal data are obtained from another source) and that meets the requirements to timing, language, form and structure (topic for a forthcoming blog post).
Understanding a Privacy Policy
The GDPR uses the words “informed”, “aware”, “understand”, “know”, “intelligible” in several other Articles and Recitals to say that for a data subject to understand the meaning of words a data controller uses in a Privacy Policy, the data controller must use a country specific language that the data subject understands to enable the data subject to perceive the meaning of the Privacy Policy content. Here are a few examples from the GDPR:
Recital 39 of the GDPR says that
“(t)he principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand (…( ..”
Recital 58 of the GDPR says that
“(t)he principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand (…).”
Recital 60 of the GDPR says that
“(t)he principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.”
Which country specific language does a data subject typically understand?
A data subject typically understands
- the language where the data subject resides,
- the language where the data subject works, or
- the language of the data subject’s nationality.
Which country specific language does a data controller typically use in a Privacy Policy?
A data controller typically writes the Privacy Policy in the language of the State where the data controller has its central administration or main establishment.
When is the country specific language in the Privacy Policy typically not understood by the data subject?
If a data controller in a Privacy Policy uses a country specific language that the data subject typically does not understand, then the data controller did not enable the data subject to perceive the meaning of the Privacy Policy content.
This may typically be the case when a data controller publishes on controller’s website a Privacy Policy in language X (e.g. German) of its central administration or main establishment in State A (e.g. Germany) and a data subject that understands the language Y (e.g. French) accesses the Privacy Policy from State B (e.g. France).
When must a data controller write the Privacy Policy in a “foreign” language?
WP29 says in point 15 of its Guidelines on transparency (endorsed by the EDPB) that when a controller targets data subjects in an EU Member State, then the data controller must provide the Privacy Policy in the language of that Member State.
When does a data controller target data subjects in an EU Member State?
WP29 gives an example of targeting in a footnote to point 15 of its Guidelines on transparency:
“(...) where the controller operates a website in the language in question and/or offers specific country options and/or facilitates the payment for goods or services in the currency of a particular member state then these may be indicative of a data controller targeting data subjects of a particular member state.”
This point will be further elaborated in an upcoming blog post.
Privacy Policy translation requirements
WP29 says in point 15 of its Guidelines on transparency:
“Where the information (in a Privacy Policy) is translated into one or more other languages, the data controller should ensure that all the translations are accurate and that the phraseology and syntax makes sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted.”
Multilingual Privacy Policy with Signatu Privacy Policy Generator
Signatu enables data controllers to generate and tailor make and deliver to data subjects Privacy Policies in multiple country specific languages that meet the information requirements listed in GDPR Article 13 and 14.
Reach out to us
If you have an interest in Signatu Privacy Policy, please send us an email to hello@signatu.com.