15 January 2018 / article

Transparency requirements under the GDPR and DPA

As regular readers of our data protection articles will know, our aim is to give you a practically oriented overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Data Protection Act (DPA), a draft revision of which is still subject to debate and which is expected to enter into force later this year.

In this article, we’ll be taking you through the requirements to be met by any data controller under both pieces of legislation when it comes to transparency.

What is transparency?

Under both the GDPR and the DPA, data controllers must adhere at all times to the principle of transparency when processing personal data. That means ensuring that anyone whose data is collected is kept adequately informed about what is being done, and will be done, with their data.

The most common way to provide that information is through a privacy policy.

The obligation to inform the data subject under the GDPR

While the GDPR does not define the term “transparency”, it does stipulate that communication with data subjects must meet the following key requirements:

  • It must be concise, transparent, intelligible and easily accessible.
  • The language must be clear and plain.
  • It must be conveyed in writing, or by other means, including, where appropriate, by electronic means, and, where requested by the data subject, orally.
  • It must be provided free of charge.

The GDPR sets out an extensive list of topics on which data subjects must be informed, including

  • the identity and contact details of the controller and, where applicable, their representative and the data protection officer;
  • the purposes for which the data is being processed;
  • the legal basis for processing the data;
  • the recipients or categories of recipients of the data, if any;
  • the details of any transfer of the data in question to a third country—and, if that country does not have in place an adequate level of protection, the particular safeguards that will be in place for the data, or the details of any exception under which such a transfer is allowed;
  • how long the data will be stored for;
  • the data subject’s rights;
  • the existence of automated decision-making (including profiling);
  • whether the collection of the data subject’s data is required for statutory or contractual reasons, or is necessary in order for them to be able to enter into a particular contract, as well as whether the data subject is obliged to provide (certain of) the requested data and the possible consequences of failure to provide said data (in cases where the data is collected directly from the data subject);
  • the categories of data concerned (in cases where the data is not collected directly from the data subject).

Although there are certain exceptions to this obligation to provide this information to the data subject—such as where, and insofar as, they already have it—they should be interpreted and applied narrowly.

Data controllers must ensure that the information listed above is provided to the data subject either before their data is collected or at the moment at which that happens. In cases where the data is obtained from a source other than the data subject themselves, the data subject must be informed within a reasonable period, depending on the circumstances, and at the latest within one month of obtaining the data.

The obligation to inform the data subject under the DPA

The collection of data—and, in particular, the purposes for which it is being collected and processed—must be clear to the data subject concerned. Although the DPA neither defines transparency nor stipulates a particular way in which the information must be provided to the data subject, it is generally understood that the controller must ensure that the information is provided to the data subject in such a way that the subject is, in effect, in a position to take note of it.

Just as the GDPR does, the DPA contains a list of topics on which data subjects must, in principle, be informed, although exceptions sometimes apply—such as where, and insofar as, they already have the information in question. Though the requirements are similar overall, the list in the DPA is less extensive than that in the GDPR. The following four differences are worth highlighting in particular:

  • There is no requirement under the DPA to inform the data subject how long their data will be stored for.
  • There is no requirement to inform the data subject of their rights.
  • There is no obligation to indicate whether the collection of the data subject’s data is required for statutory or contractual reasons, or is necessary in order for them to be able to enter into a particular contract, or whether the data subject is obliged to provide (certain of) the data that is being requested, and the possible consequences of any failure to provide it.
  • Information regarding the existence of automated decision-making is required only in cases where such decisions have legal or other similarly significant effects on the data subject.

Just as under the GDPR, under the DPA data controllers must ensure that the information in question is provided to the data subject either before their data is collected or at the moment at which that happens. In cases where the data is obtained from a source other than the data subject themselves, the data subject must be informed within one month.

What to do? Comply with the highest transparency standards

The safest approach is to comply with the highest standards of both the GDPR and the DPA.

Organisations should thus ensure that:

  • the information is provided to the data subject in a concise, transparent, intelligible and easily accessible form, by providing the data subject with a reader-friendly privacy policy that uses plain language, as well as icons or other visual elements.
  • their privacy policy is always fully compliant with the information requirements under both the GDPR and the DPA.
