Inform data subjects about processing
The requirements for controllers' notification practices are laid down in the GDPR. The Office of the Data Protection Ombudsman urges industries to create shared notification practices as part of the codification of practices in the industry.
Intelligibility and transparency of information
The controller must provide the data subject with all information concerning the processing of personal data in a concise, transparent, intelligible and clear form.
The GDPR obligates controllers to evaluate whether the information is provided in intelligible language and consistent form. The evaluation should be made with regard to the potential target group. The purpose is for an average member of the target group to obtain a comprehensive and clear overall picture of the processing of personal data.
It is not sufficient to simply make the information on the processing of personal data available to the data subject; it must be provided in an intelligible, concise and clear form.
The principle of transparency is provided for as part of the principle of lawful and fair processing of the GDPR. The personal data must be processed transparently in relation to the data subject, and the controller must be able to demonstrate this (accountability).
The WP29 guide provides more detailed guidance and examples of transparent information.
What information does the information obligation require?
The data subject must be told:
- who the controller is
- for what purpose the data subject's personal data is needed
- how long personal data is needed
- whether personal data is forwarded or transferred outside EEA countries
- how the data subject can exercise their rights relating to personal data
- risks to the rights and freedoms of the data subject
Check out the table: Information required for the information obligation (pdf) (in Finnish)