It should be transparent for data subjects that personal data concerning them are collected, used, consulted or otherwise processed and to what extent personal data are processed or will be processed. In accordance with the principle of transparency, information and communication related to the processing of such personal data should be easily accessible and comprehensible, and clear and simple language should be use
- especially when the information is specifically intended for a child;
- in combination, if necessary or desirable, with standardized pictograms to provide an easily visible, understandable and clearly legible overview of the intended processing.
This means that existing ‘fair processing notices’ or ‘privacy policies’ included in, for example, documents, online forms, apps or websites, or tucked away in general terms and conditions or of such a general nature, that no meaningful information is provided, must be replaced. .
Transparency goes beyond existing requirements and although much of the information is similar, some additional information is required.
Compliance with these requirements therefore probably requires resources, the level of which will depend on:
- what information is currently being provided to individuals;
- whether that information is a true reflection of the processing that is being undertaken (a thorough knowledge of data flows will be fundamental to making that assessment)
- how that information is currently being communicated to the individual.
A controller should provide sufficient information to ensure that the data subject understands the processing and, where necessary, is able to make informed choices about the processing of his personal data.
The amount of information provided to the individual depends on the risk to the rights and freedoms of the individual.
The greater the risk, the more detailed and informative the information must be. Similarly, the more complicated the processing activities, the more consideration is needed to make the information clear and informative for the target group (read: category of stakeholders).
The way in which the information must be provided must be ‘provided’ to the data subject, rather than being ‘available’ to him. A data subject also has the right to request that the information be provided to him orally.