The EDPB’s guidelines recall that transparency helps « build trust in the processes applicable to citizens by enabling them to understand and, where necessary, challenge those processes. » With respect to the accountability of processing, transparency allows data controllers to demonstrate that they are meeting their obligations under the GDPR.
It is quite significant that the GDPR mentions this obligation of information and transparency in its chapter 3 of the Rights of the Data Subject. Indeed, this is not a coincidence since this obligation is related to the right of the person whose data is being processed to have a clear, easily accessible and precise information on the collection and processing of their data. This transparency is essential to allow the user to understand why his data is collected and the processing on his data itself in order to better control them and fully exercise his rights.
In the GDPR, it is articles 12, 13 and 14 that define this obligation of information and transparency.
###What information to share?
The text distinguishes two cases in which the controller must provide the data subject with specific information. It distinguishes according to whether the information has been collected from the data subject directly or indirectly.
Direct collection is similar to collection from individuals, via a form, an online purchase, the opening of a bank account or via devices or technologies for observing the activity of individuals. This is the case, for example, with video surveillance, geolocation or Internet browsing analysis measures.
Indirect collection refers to data that is not collected directly from the data subject, but through business partners, data brokers, other individuals or publicly available sources.
The information to be provided by the controller is therefore different depending on whether it is a direct or indirect collection, the purpose of the processing or other circumstances.
However, in both cases he must provide :
– The identity and contact details of the data controller
– The purposes
– The legal basis of the data processing : this may be the consent of the data subjects, compliance with an obligation provided by a text, the execution of a contract, or other conditions provided for in Article 6 of the GDPR
– The mandatory or optional nature of the collection of data and consequences for the person in case of non-provision of data
– The recipients or categories of recipients of the data
– The periods for which the data will be kept
– The rights of the persons concerned
– The contact details of the organization’s data protection officer, if appointed, or of a contact point on personal data protection issues
– The right to lodge a complaint with the CNIL.
Moreover, in the case of indirect collection, the categories of data collected and the sources of the data must be brought to the knowledge of the individual.
This information concerns all cases without exception. However, in some cases, the sharing of additional information may be required.
If the legal basis is legitimate interest, the data controller must inform the data subject of the legitimate interests pursued.
If the legal basis is consent, the person must be informed of his or her right to withdraw consent at any time.
It is essential to inform the person of a possible transfer of data to a country outside the European Union. This information must be accompanied by the safeguards associated with the transfer and the documents authorizing the transfer, namely the European Commission’s standard contractual clauses.
If automated decision making or profiling is implemented, the data subject must have access to the information needed to understand the algorithm and its logic, as well as the consequences of this processing. The existence of other applicable rights must also be brought to the attention of the person; in particular the right to object and the right to portability in the case where the legal basis is contract or consent.
Concerning the modalities of implementation of this obligation, they will be developed in a second article, Obligation of information and transparency (2).