Sheet n°12: Inform users
11 June 2020
The transparency principle of the GDPR requires that any information or communication relating to the processing of personal data should be concise, transparent, comprehensible and easily accessible in plain and simple language.
Who to inform and when?
- Data subjects must be informed:
- both in the case of direct data collection i.e. when data are collected directly from individuals (examples: form, online purchase, subscription of a contract, opening of a bank account) or when they are collected via devices or technologies for observing the activity of individuals (examples: analysis of Internet navigation, geolocation and Wi-Fi analytics/tracking for audience measurement, etc.);
- and in the case of indirect collection of personal data, when data are not collected directly from individuals (examples: data retrieved from trading partners, data brokers, publicly available sources, or others).
- This information is needed:
- during the data collection in the case of direct collection;
- as soon as possible in the case of indirect collection (in particular at the time of first contact with the person) and no later than a month from the collection (with exceptions);
- in the event of a substantial change or a particular event. For example: new purpose, new recipients, change in the way rights are exercised, data breach.
What information do I have to give?
- In all cases, you must specify:
- The identity and contact details of the organization that collects the data (who processes the data?);
- The purposes (what will the collected data be used for?);
- The lawful basis on which the data processing is based (find all the information on the lawful basis);
- The compulsory or optional nature of the data collection (which implies an upstream reflection on the usefulness of collecting the data in view of the objective pursued - the principle of “minimisation” of the data) and the consequences for the person in case of failure to provide the data;
- Recipients or categories of recipients of the data (who needs to access or receive them for the defined purposes, including processors?);
- The data retention period (or criteria for determining it);
- The existence of data subjects’ rights and the means to exercise them (the rights of access, rectification, erasure and restriction are applicable to all processing operations);
- The contact details of the Data Protection Officer of the body, if appointed, or of a contact point on personal data protection issues;
- The right to file a complaint with your local Data Protection Agency.
- In certain specific cases, additional information must be provided, for example in the case of data transfers outside the EU, fully automated decision-making or profiling, or when the lawful basis for the processing is the legitimate interest pursued by the body collecting the data ( see the guidelines on transparency for more information).
- In the case of indirect collection, the following must be added:
- Categories of data collected;
- The source of the data (indicating in particular whether it comes from publicly available sources).
In what form should I provide this information?
- The information must be easy to access: the user must be able to find it without difficulty.
- It must be provided in a clear and comprehensible manner, i.e. with simple vocabulary (short sentences, no legal or technical terms, no ambiguities) and information adapted to the target audience (with particular attention to children and vulnerable persons).
- It should be written in a concise manner. In order to avoid the pitfall of a flood of information drowning out the user, it is necessary to bring the most relevant information at the right time.
- Data protection related information must be distinguishable from information that is not specifically related to privacy (such as contractual clauses or general terms and conditions of use).
What communication should be made when data security is compromised?
- An organization may mistakenly or negligently suffer, accidentally or maliciously, a personal data breach, i.e. the destruction, loss, alteration or unauthorized disclosure of data. In this case, the organization must report the violation to the local data protection agency within 72 hours if it is likely to pose a risk to the rights and freedoms of individuals.
- If these risks are high, the organization must also inform the persons concerned as soon as possible and provide them with advice on how to protect their data (e.g. cancellation of a compromised bank card, modification of a password, modification of privacy settings, etc.).
- Notification of the violation to the CNIL must be made via the CNIL website.
Useful resources
- The Data & Design site developed by the CNIL’s Digital Innovation Laboratory develops these concepts and contains interface examples.
- The CNIL site also contains many examples of information notices in French.
- The personal data violations page on the CNIL website (in French).