According to Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation):

Any processing of personal data should be lawful and fair. It should be transparent to natural persons.
The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Where personal data are collected from the data subject, the data subject should also be informed of the fact that the provision of personal data is mandatory and of the consequences of not providing such data. This information may be provided in combination with standardized icons to provide a meaningful overview of the intended processing in a clearly visible, understandable, and easily accessible manner. If the icons are provided in electronic form, they should be machine-readable.
The principle of transparency requires that all information relating to the processing of such personal data be easily accessible and easy to understand and be formulated in clear and simple language. This principle applies in particular to:
- the identity and contact details of the controller and, where applicable, the controller's representative;
- the contact details of the person responsible, if any;
- the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
- if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
- the recipients or categories of recipients of the personal data, if any;
- where relevant, information that the controller intends to transfer personal data to a third country or international organization;
- the period for which the personal data will be stored or, if not possible, the criteria for determining that period.

Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to the extent necessary. Personal data should only be processed if the purpose of the processing cannot be achieved by other means under reasonable conditions. In order to ensure that personal data are not stored longer than is necessary, the controller should establish time limits for erasure or for a review of the storage period.

In addition to this information, the controller shall provide the data subject with the following information at the time when personal data are obtained, which is necessary to ensure fair and transparent processing:
- the existence of the right to request from the controller access to personal data concerning the data subject and the right to rectification or erasure or restriction of processing or the right to object to processing, as well as the right to data portability,
- where the processing is based on Article 6(1)(a) or Article 9(2)(a) (processing of personal data based on the consent of the data subject), the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority,
- information on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the personal data and of the possible consequences of such non-provision,
- the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
All reasonable measures must be taken to ensure that inaccurate data are corrected or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of personal data, including preventing unauthorized access to personal data and the equipment used for processing, or unauthorized use of such data and equipment.
All information intended for the public or the data subject must be concise, easily accessible, and easy to understand, formulated in clear and simple language, and, where appropriate, easily perceptible. Such information could be provided in electronic form, for example when addressing the public via a website. Of course, it is also important to have it in physical form, ready for inspection by the persons concerned at any time.