
12. Inform Users

GDPR’s transparency principle requires that all information or communication regarding processing of personal data must be concise, transparent, understandable, and easily accessible in clear and simple language.

Who Should Be Informed, and When?

  • Data subjects must be informed:

    • When data is collected directly from the individual (examples: forms, online purchases, contract signing, opening a bank account) or through devices and technologies that monitor individuals’ activities (examples: analysis of browsing behaviour, geolocation and Wi-Fi tracking for audience measurement).
    • When data is collected indirectly, i.e., not from the individual (examples: data obtained from business partners, data brokers, publicly available sources).
  • This information must be provided:

    • At the time of collection, for direct collection.
    • For indirect collection, as soon as possible and no later than one month after obtaining the data; earlier if the data is used to communicate with the individual (at the first communication at the latest) or is disclosed to another recipient (at the first disclosure at the latest). Exceptions exist, e.g., where providing the information would involve disproportionate effort.
    • Whenever processing changes significantly, e.g., a new purpose, new recipients or a change in how rights are exercised, and in the event of a data breach (see below).

What Information Must Be Provided?

  • The following information must always be provided:

    • Identity and contact details of the organization collecting the data.
    • The purpose of the data processing (what will the data be used for?).
    • The legal basis for the processing (see more about legal bases).
    • Whether data collection is mandatory or voluntary, and the consequences of not providing data.
    • Recipients or categories of recipients of the data (who needs access?).
    • Retention period for the data (or criteria for determining it).
    • The data subject’s rights and how to exercise them. The rights of access, rectification, erasure and restriction apply whatever the legal basis; the rights to object, to data portability and to withdraw consent depend on the legal basis used.
    • Contact details for the Data Protection Officer (DPO), if one has been appointed.
    • The right to file a complaint with the national data protection authority.
  • In certain cases, additional information must be provided, e.g., if data is transferred outside the EU/EEA (the safeguards relied on for the transfer), for solely automated decisions or profiling with legal or similarly significant effects (the logic involved and the envisaged consequences), or when processing is based on legitimate interest (which interest is pursued) (see guidance on transparency).

  • For indirect data collection, information must also be provided about:

    • The categories of data collected.
    • The data source, including whether the data originates from publicly available sources.

In What Form Must the Information Be Provided?

  • The information must be easily accessible – the user must be able to find it without difficulty.

  • It must be clear and understandable, i.e., with simple language (short sentences, no legal or technical terms) and adapted to the target audience (with special attention to children and vulnerable persons).

  • It must be concise. To avoid information overload, the most relevant information should be presented at the right time.

  • Information about data protection must be separate from other information such as contract terms or general conditions.

What Communication Is Required for a Data Breach?

  • A personal data breach is a security incident, whether accidental or deliberate, that leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data. The organization must notify the breach to the national data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms; if notification is made later than 72 hours, the reasons for the delay must be given. Every breach, notified or not, must be documented internally. A processor that detects a breach must inform the controller without undue delay.

  • If the risk is assessed as high, the affected persons must also be informed without undue delay, in clear and plain language, and receive advice on how to protect themselves (e.g., blocking a compromised payment card, changing a password). This is not required where the data was made unintelligible to unauthorized parties, e.g., by strong encryption with keys that were not compromised.

  • In France, breaches are notified to CNIL via CNIL’s website.
