Companies that process personal data must be transparent towards the data subjects and inform them about the processing. The principle of legality, fairness and transparency is one of the seven (7) fundamental data protection principles of the GDPR, but consists of three different parts.
Companies that process personal data must be transparent about the processing and inform about it
Articles 13-14 of the GDPR regulate this in more detail. This is information that the company must provide to the data subject:
- Controller: Who is the data controller and any data processors and data protection officers.
- Personal data: What personal data the company processes.
- Purpose: What is the purpose of the processing?
- How: How the company will process the personal data.
- Source: How the company has collected the personal data.
- Rights: What rights the data subject has under the GDPR.
- Storage period: How long the company processes the personal data.
- Third country: Whether the company transfers personal data to third countries (countries outside the EU/EEA).
- Complaints: Information on the supervisory authority to which the data subject may turn in the event of a complaint shall be provided.
The information should be understandable
The information provided to data subjects shall be understandable. It is especially important to adapt the language when the data subjects are children, so that they understand the content. For example, it should be written in the same language as the national language of the country.
An international company that operates a mobile application with many children as users had to pay a fine, because they informed the data subjects about the processing in English instead of Dutch in Holland.