Era Selmani

How can you ensure that the data processing carried out by your organisation complies with the GDPR?





The purpose of the GDPR is to strengthen the protection of European citizens' personal data, and to make the organisations that collect and process their data more accountable. It requires organisations to provide understandable, legible and transparent information to people affected by the collection and processing of personal data.


This transparency obligation is defined in Articles 12, 13 and 14 of the Regulation, which we will be analysing today.


In particular, the data controller must provide detailed and exhaustive information on how personal data is collected and processed, as well as the legal grounds justifying that processing.



The transparency required is a guarantee that the data subject knows why his or her data is being collected, understands how it will be processed, and can therefore ensure that he or she retains control of his or her personal data thanks to the various rights that exist in this area. This transparency obliges organisations to ensure that your data is used fairly.


So how can you ensure that the processing of your personal data complies with the GDPR?


That's what we're going to try and explain in this new article.




Do you inform the people concerned about the collection of their personal data?


The very first indicator that your personal data processing is compliant is that the data subjects are properly informed about the personal data collected.


An organisation has an obligation to inform data subjects when it collects personal data.



However, this is clearly not enough.




How do you inform people about the collection of their personal data?


A fair organisation is one that regularly informs its prospects, customers and website visitors about the use made of the personal data it collects, and communicates with them in a timely manner.


Organisations are obliged to inform the people concerned whenever data is collected directly (for example, when you fill in a contact form, or when you make an online purchase and thus share your personal data yourself), and also when it is collected indirectly, for example through activity observation devices (when you browse the internet and a website deposits cookies to identify and track you, when you enter a public place that has installed video surveillance cameras, etc.).


Where data collection is indirect (i.e. where the data subjects do not themselves share their personal data with your organisation but you collect it), you must inform the data subjects as soon as possible (immediately where possible, or within a maximum of 1 month).


When you collect data for a specific purpose, and that purpose changes, you must inform the data subjects (provided that the data processing is not subject to consent! If the legal basis for data processing is consent, then consent will have to be obtained again for this new purpose).



In the event of personal data breaches, data subjects must also be informed of the nature of the data breach, the personal data affected by the breach, and the actions taken by the organisation to mitigate the potential impact on the privacy of data subjects.




What information do you communicate?


When an organisation collects personal data, whether directly or indirectly, it is obliged to share certain information, such as:


  • What is the identity of the data controller (is it you? Is it one of your subcontractors?), and what are the contact details of this data controller and, if there is one, of the data protection officer (DPO) appointed by the organisation?


  • What are the purposes of this collection of personal data? In other words, what uses will be made of this data, and for what purpose has it been collected?


  • What is the legal basis for processing personal data in this way? Is it necessary for the data subject to give his or her consent, or is it necessary to comply with a legal obligation?

  • Who will have access to this personal data? Will this personal data be transferred to another country (in particular to a country outside the European Union)?


  • How long will this data be kept?

  • What rights do the people concerned have in terms of data protection, objection to or restriction of data processing? These are the data protection rights.

  • Do you offer data subjects a way (as easy as possible, of course) of withdrawing their consent at any time after they have given their consent to the processing of their personal data? When the legal basis for data processing is consent, it is mandatory to allow data subjects to withdraw their consent at any time.

  • Is there any automated decision-making, including profiling (i.e. the use of an individual's personal data to analyse and predict their behaviour, by assessing certain personal aspects, with a view to making a judgement or drawing conclusions about them)?

  • Do you offer an easy way for data subjects to lodge a complaint with the CNIL? Please note that the answer here must be "yes".



When the organisation collects personal data indirectly, there are two additional questions to ask:


  • Finally, what is the source of the data? By what means, what tools and in what way has this personal data been collected?


The completeness of the information to be shared with the people affected by the data processing carried out by your organisation is a real guarantee of trust and loyalty.


However, it is quite possible to share this information in a slightly disparate way, and in different documents or media within the organisation.


Generally speaking, the Privacy Policy is THE document that makes it possible to centralise all this information exhaustively.


Once you have provided answers to all the above questions, there is one final element to consider: the clarity of this information. Obviously, there is little point in sharing exhaustive information that no-one understands.



Is the information I share understandable?


As a data controller, you need to bear in mind that the data subjects (i.e. your customers, prospects and visitors to your website) are not necessarily experts in regulatory compliance and personal data protection.


So when you share this information with the people affected by the personal data processing carried out by your organisation, it is imperative that you share information that is written or expressed as clearly, precisely and simply as possible.


This means that the information must be easily accessible, but above all comprehensible, and contain only those elements that are essential for the data subject to understand, whatever their level of knowledge of data protection.


This means no long sentences, no complicated technical terms, and no ambiguous paragraphs. The vocabulary used must be simplified, and the media used must be adapted to the situation. For example, if this information is to be shared with children or vulnerable people, it should be adapted and simplified, using animations for example.


Once again, offering easy and immediate access to this essential information positions you as an organisation committed to transparency with its public.



To conclude

So here's what you need to remember to ensure that you are transparent with the people affected by your organisation's processing of personal data.



First of all, ask yourself:


  • Have data subjects been informed about the collection and processing of their personal data?

  • When were they informed?

  • What information has been shared?

  • Is this information clear and understandable?


If you can answer each of these questions in the affirmative, then you can say that your duty of transparency has been properly fulfilled.



A quick reminder of data protection rights:


Your rights deserve a dedicated article on the CyberSecura blog. However, as we discussed in this article, and insofar as informing Internet users about these rights is part of an organisation's obligation to be transparent, here is a simple summary of the various data protection rights.


The right to information: Data subjects have the right to know how their personal data will be used, and what their various rights are.

This enables them to assess whether they can trust organisations to process their personal data.


The right of access: Data subjects have the right to ask what personal data an organisation holds about them.

This enables them to find out which of their personal data is being processed and to check that it is accurate so that, if necessary, it can be rectified or deleted.


The right of rectification: Data subjects have the right to request the rectification of inaccurate or incomplete information about them.

This enables them to ensure that the organisation responsible for processing does not use or disseminate incorrect information about them.

 

The right to erasure: Data subjects have the right, in the cases provided for by law, to request the deletion of personal data concerning them.

This enables them to obtain the deletion of data which they no longer wish to be used.


The right to object to or restrict processing: Data subjects have the right, in cases provided for by law, to object to an organisation processing their personal data.

This allows them to challenge the use of their personal data by an organisation for a specific purpose.


 
