Transparency in the processing of personal data

Top privacy, s.r.o. | Author: Top privacy, s.r.o.

Pursuant to Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

All processing of personal data should be lawful and fair. It should be transparent to natural persons.

The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Where personal data are collected from the data subject, the data subject should also be informed whether the provision of personal data is mandatory and of the consequences of failing to provide such data. This information may be provided in combination with standardized icons to provide a meaningful overview of the intended processing in a clearly visible, understandable, and legible manner. If the icons are provided in electronic form, they should be machine-readable.

The principle of transparency requires that all information relating to the processing of such personal data be easily accessible and easily understandable, and be formulated clearly and simply. This principle applies in particular to:

  • the identity and contact details of the controller and, where applicable, the controller’s representative,
  • the contact details of any data protection officer,
  • the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing,
  • if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party,
  • the recipients or categories of recipients of the personal data, if any,
  • where applicable, information that the controller intends to transfer personal data to a third country or an international organization,
  • the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period (personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This requires, in particular, ensuring that the period for which such personal data are retained is limited to what is necessary. Personal data should be processed only if the purpose of the processing could not be achieved under reasonable conditions by other means. To ensure that personal data are not retained longer than is necessary, the controller should establish time limits for erasure or for a regular review).

In addition to this information, the controller shall provide the data subject, at the time of collection of personal data, with further information necessary to ensure fair and transparent processing:

  • the existence of the right to request from the controller access to personal data concerning the data subject and the right to rectification or erasure or restriction of processing, or the right to object to processing, as well as the right to data portability,
  • if the processing is based on Article 6(1)(a) or Article 9(2)(a) (processing of personal data based on the data subject’s consent), the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent given prior to its withdrawal,
  • the right to lodge a complaint with a supervisory authority,
  • information as to whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data,
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

All reasonable measures must be taken to ensure the rectification or erasure of inaccurate data. Personal data should be processed in a manner that ensures appropriate security and confidentiality of personal data, including the prevention of unauthorized access to personal data and the equipment used for processing, or the unauthorized use of such data and equipment.

All information intended for the public or the data subject must be concise, easily accessible, and easily understandable, formulated clearly and simply, and, where appropriate, easily visually perceivable. Such information could be provided in electronic form, for example when addressing the public via a website. Of course, it is also important to have it available in physical form, ready for the data subjects to view at any time.

