The idea of transparency under data protection law is to give the person an insight into the essential processing circumstances (e.g. processed data categories, processing purposes, data recipients, deletion periods). Knowledge of these circumstances enables the person to assert further rights with regard to the processing, e.g. the right to erasure or the right to rectification.
A distinction can be made between two types of transparency under data protection law. On the one hand, the GDPR requires that the person be given certain information, without having to ask for it, before or at the start of data processing. This is usually done by means of so-called data protection notices. In the second form of transparency, on the other hand, it is the data subject who gains knowledge of the circumstances of the data processing by exercising their right to information. The following deals only with the first form of transparency, i.e. information provided without a request.
According to Art. 13 or 14 GDPR, the company responsible for data processing must provide the data subject with certain information about the data processing. There may be several data controllers who process personal data either under so-called “joint controllership” (Art. 26 GDPR) or under so-called “separate controllership”. While controllers with joint controllership can stipulate that only one controller is responsible for providing information (see Art. 26 para. 2 GDPR), separate controllers must inform the data subject independently of the information provided by the other controller.
The GDPR then distinguishes between the case in which personal data is collected “from the data subject” (regulated in Art. 13 GDPR) and the case in which personal data is obtained “not from the data subject” (regulated in Art. 14 GDPR). The question of the applicability of the two articles is very relevant in practice, as only Art. 14 contains exceptions to the obligation to provide information.
The law does not define when the data is collected “from the data subject”, which is why it must be carefully checked in practice whether information must be provided in accordance with Art. 13 or Art. 14 GDPR. Classification is not always easy. In many cases, the person is the source of the information but is not aware of the data processing, e.g. if they happen to be filmed by a covert camera. Therefore, Art. 13 should generally only be considered applicable to data processing where the data subject actively provides data in a specific context (e.g. when passing through the entrance of a supermarket that is visibly under video surveillance). Situations in which it is the controller who, in pursuit of a legitimate purpose, approaches the data subject secretly or unnoticed by the data subject should be regarded as indirect collection under Art. 14 GDPR.
Finally, the way in which information is provided is also of great importance. According to Art. 12 para. 1 sentence 1 GDPR, the information must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. The aim is therefore not to produce an unwieldy legal text: vague wording or legal terms that are incomprehensible to the layperson have no place in a privacy policy.
Transparency obligations are usually implemented by means of so-called data protection notices. Depending on the data collection context, these can either be issued in digital form (website) or printed out on paper. Verbal information is also possible in principle. However, it should be verifiable that the information is actually provided.
If the extensive information required under the data protection obligations cannot be displayed meaningfully (or in full) because the data collection medium is too small (e.g. smartwatch), a link can be provided to further data protection information, e.g. by means of a QR code.