Transparency obligations
Transparency obligations require the controller to inform data subjects, at the point of collection, in a clear and intelligible way about the processing of their data, the purposes, the legal basis, recipients and their rights (Art. 13 and 14 GDPR).
Transparency obligations are the central expression of the data protection principle of transparency under Art. 5(1)(a) GDPR. They require the controller to inform data subjects proactively, in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Art. 12(1) GDPR), about who processes their personal data, for which purposes, on which legal basis and for how long. This information must be provided on the controller's own initiative; it must not be made conditional on a request from the data subject, and it is distinct from the right of access under Art. 15 GDPR, which the data subject has to exercise.
The GDPR distinguishes according to the source of the data. Art. 13 GDPR governs direct collection, where data are obtained from the data subject; here the information must be given at the time the data are obtained, for example when a form is submitted. Art. 14 GDPR concerns indirect collection, where data originate from other sources (such as credit agencies, public registers or business partners). Here Art. 14(3) GDPR sets staggered deadlines: the information must be provided within a reasonable period after obtaining the data, at the latest within one month; if the data are used to communicate with the data subject, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data are first disclosed. Whichever of these comes first applies. In the case of indirect collection, the categories of personal data concerned and the source of the data (including whether it is a publicly accessible source) must additionally be stated.
The mandatory information includes, among other things, the identity and contact details of the controller and, where applicable, of its representative and the data protection officer, the purposes of processing and the respective legal basis, the legitimate interest where this is relied upon, the recipients or categories of recipients, any transfer to a third country together with the relevant safeguards, the storage period or the criteria used to determine it, the rights of the data subject including the right to withdraw consent and the right to lodge a complaint with a supervisory authority, as well as information on automated decision-making including profiling. Breaches of the transparency obligations are among the deficiencies most frequently criticised by supervisory authorities and may, under Art. 83(5) GDPR, be sanctioned with fines of up to EUR 20 million or 4 % of total worldwide annual turnover of the preceding financial year, whichever is higher.
Legal Basis
Art. 13 and Art. 14 GDPR (in conjunction with Art. 5(1)(a) and Art. 12 GDPR)
Practical Example
An online retailer collects the customer's name, address and payment data directly during the ordering process; for this, in line with Art. 13 GDPR, it already displays a notice in the order form with a link to the privacy notice at the moment the data are entered. For a subsequent credit check, it additionally obtains data from a credit agency. Since these data are not collected from the customer directly, the retailer must, under Art. 14 GDPR, provide separate information about this processing, the categories of data obtained, their source and the recipients, within one month at the latest. If the retailer contacts the customer earlier about the outcome of the credit check, for example to refuse the chosen payment method, the information must be given at that first communication at the latest (Art. 14(3)(b) GDPR). The data protection coordinator documents both information channels in the record of processing activities (Art. 30 GDPR) in order to demonstrate compliance with the accountability principle under Art. 5(2) GDPR.