[Structure] By data

This design pattern is part of LINC’s research initiative focusing on interface design. It comes from frequent proposals made by participants of the Data & Design workshops to implement the principle of transparency provided in the GDPR. It can be used and adapted to the specific context of your services and products. However, its reuse as such does not guarantee compliance with the GDPR in general and the principle of transparency in particular.

This pattern proposes to structure the information by collected data. Each data item, or category of data, is associated with the mandatory GDPR information that applies to it. This gives a detailed view of the use of each data item.

This approach puts the GDPR information in a concrete context, linked to the data and its uses, making it easier to find. For example, with this pattern a user of a sports application would directly find complete information on the use of their geolocation. This pattern is particularly appreciated when sensitive data, such as health data, are processed, as it highlights the associated information and makes it easily accessible.

Using the pattern in the user journey

When signing up: using this pattern during onboarding is particularly useful for highlighting and clarifying to the person the intended uses of a particular kind of data. This approach is particularly relevant when the individual provides data directly, especially when it is processed based on consent.

In a privacy policy: this pattern can be used to highlight certain categories of data that are of particular importance to the individual (e.g. health data). It thus makes it possible to provide a “data portrait” allowing a precise understanding of the way data are processed and to directly set one’s preferences.

When using the service: integrating information about some data into the user journey is particularly effective in making people understand the ins and outs of the processing of their data. A message or an icon placed next to a feature that uses some data can draw the person’s attention and redirect them to all the information relating to that data.

In case of a problem with the data or its use: this pattern is particularly indicated if people are likely to encounter problems with a specific use of a piece of data. This is particularly the case for sensitive data (health, biometrics, offences, etc.), for which people are more attentive to how the data are used. Having centralised and detailed information on this type of data allows people to quickly understand and control its use.

When setting one’s preferences: this pattern can provide a very good second level of information to a data setting page.

Tips

This approach may not be appropriate for complex processing as it would create redundancy in the information presented or fragment the information into different parts, which is not desirable. In such cases, one may choose to use this pattern with only some of the data, especially those of particular importance to users, such as sensitive data, and use another pattern, such as the purpose pattern, for the rest of the information.

When used in a privacy policy, this pattern has limitations in associating certain information required by the GDPR (e.g. identity of the organisation, DPO contact) with data per se. It is therefore appropriate to supplement this pattern with specific sections providing such information.

The information required by the GDPR that fits particularly well with this data approach is: the purpose for which data are needed and the associated legal basis, recipients, transfers and storage period.

This data approach is particularly well suited to the exercise of the right of access and the right to portability, both of which allow for the retrieval of a copy of personal data.

It is possible to present this pattern in a synthetic way using a table.

A template can be used to present data information in a systematic, simple and standardised way.

It is possible to associate an icon with each data item processed. This visual indicator helps people read and find their way through the content. It can particularly help certain categories of people (children, dyslexic people, etc.).

Examples

Possible approach

This privacy policy structures the information required by the GDPR around the data processed by the service. Thus, for each data item, the purposes, legal bases, recipients, storage periods and transfers are detailed. Information on rights and contact details is available outside the data sections, as it relates to all of them.

Données & Design par LINC