The transparency principle demands that all information or communication regarding the processing of personal data be concise, transparent, understandable and easily accessible in clear and simple terms.
Why is information important?
Informing data subjects is fundamentally important as it allows them to understand the purpose of the processing and how their data are used. The transparency of the processing is one of the main ways of establishing trust with data subjects.
Information indicates those in charge of the processing (data controller) and allows data subjects to know where to file a request relating to their data, such as exercising their rights. Information must be provided when collecting data or when there is a change in the processing.
Information must be easily accessible
Information must be easy to access: the user must be able to find it easily, whether in a digital environment or not (information note, etc.).
The methods and techniques chosen to make information accessible can vary, depending on the context and interactions with data subjects: pop-ins, tooltips, dedicated pages, QR code, audio messages, videos, display boards, paper documentation, information campaigns, etc.
Example
In this example, the user wants to learn more about the information collected by a fitness monitoring app.
Focus of attention
Possible approach
Information must be understandable, simple and clear
The information must be understood by most of the targeted public, expressed in clear and simple terms. This is expressed by the use of vocabulary adapted to the targeted public, short phrases and a direct style, avoiding complex legal or technical, abstract or ambiguous terms. Special attention will be taken on this point if addressing children or vulnerable persons (for example a patient or employee).
Example
In this example, the user consults the privacy policy of the website he is visiting.
Focus of attention
Possible approach
Information must be intelligible and concise
Good information must be effective and succinct. To avoid the pitfall of excessive information that submerges the user, it is necessary to provide the most relevant information at the right time. This information dissemination approach in the user experience does not aim to replace privacy policies, providing a centralising document and giving the detail of data practices, but to provide a first level of information and highlight the important characteristics of processing.
Information related to data protection must be kept separate from information that is not specifically linked to privacy (like contractual clauses or general terms and conditions of use), as it contributes to fair processing of data and helps establish a trusting relationship with users.
Example
In this example, the user creates an account on a social network and is confronted to a first level of information.
Focus of attention
Possible approach (animated example)
Find out more
If you want to find out more about informing data subjects and the notion of transparency, you can consult the links below:
(fr) How to inform data subjects and guarantee transparency? cnil.fr
A detailed explanation of how to inform data subjects, referring to articles of the GDPR and the law.
(fr) Examples of information notices cnil.fr
Examples illustrating ways of drafting information notices, depending on different contexts.
Guidelines on Transparency pdf
EDPB guidelines setting out the transparency concept.