Inform data subjects about processing

The requirements of the notification practices for controllers the requirements are laid down in the GDPR. The Office of the Data Protection Ombudsman urges industries to create shared notification practices as part of the codification of practices in the industry.

Intelligibility and transparency of information

The controller must provide the data subject with all information concerning the processing of personal data in a concise, transparent, intelligible and clear form.

The GDPR obligates controllers to evaluate whether the information is provided in intelligible language and consistent form. The evaluation should be made with regard to the potential target group. The purpose is for an average member of the target group to obtain a comprehensive and clear overall picture of the processing of personal data.

It is not sufficient to simply make the information on the processing of personal data available to the data subject; it must be provided in an intelligible, concise and clear form.

The principle of transparency is provided for as part of the principle of lawful and fair processing of the GDPR. The personal data must be processed transparently in relation to the data subject, and the controller must be able to demonstrate this (accountability).

Read more about accountability of the controller

The WP29 guide provides more detailed guidance and examples of transparent information.

Read more about the WP29 guide (pdf)

What information does information require?

The data subject must be told

  • who the controller is
  • for what purpose the data subject's personal data is needed
  • how long personal data is needed
  • whether personal data is forwarded or transferred outside EEA countries
  • how the data subject can exercise their rights relating to personal data
  • risks to the rights and freedoms of the data subject

Check out the table: Information required for the information obligation (pdf) (in Finnish)

Where to start?

What information does the notification obligation require?

See the table: Information subject to the notification obligation (pdf)