According to the GDPR, the data controller must always be able to show that s/he processes your personal data in a transparent way. This entitles you to hold the data controller and the data processor responsible and to exercise control over your personal data, for example by providing or withdrawing informed consent and acting on your data rights. This results in specific practical requirements for data controllers and processors.
Recital 39 GDPR states that it should be clear to you that your personal data is collected, used, reviewed or otherwise processed. All information and messages related to the processing of your personal data should be easily accessible and understandable and formulated in clear and simple language. This rule applies in particular to informing about the identity of the data controller and the purposes of processing as well as your right to obtain confirmation and information about the personal data being processed.
Art. 12 GDPR requires them to communicate with you:
• in a concise, clear, understandable and easily accessible form,
• using clear and simple language (especially if you are a child).
Concise, transparent, understandable and easily accessible form
The data controller should communicate with you in an effective and concise manner, so as not to overwhelm you with information.
The information should be formulated so that the average representative of the target group can understand it. The responsible data controller must know who the information is collected about and be able to determine what wording will be best understood by you. You should always be able to determine in advance the scope and consequences of processing your data. You cannot be surprised later by the information on how your personal data was used.
If you are a highly qualified specialist, then the data controller collecting personal data may inform you in a more difficult way than if you were a child.
If the data controller is in doubt as to whether the information will be understandable to you, s/he may first examine the comprehensibility of the information using, for example, readability tests, dialogue with branch groups, consumer groups and regulators.
"Easly accessible " means that no one can force you to search for information. The place and method of access to information should be immediately obvious to you, e.g. by providing information directly, providing links, clearly marking information or providing it in the form of an answer to a question formulated in an accessible way.
Clear and plain language
You should receive information in the simplest way possible, without complex sentence and language structures. The information is to be specific: it cannot be formulated using abstract or ambiguous concepts or leave any margin of interpretation. In particular, the purposes and legal basis for the processing of personal data are to be unambiguous to you.
The data controller should avoid words such as "maybe", "some", "often" and "possible". It's good to use bullets and indents in the text. It is to use active and not passive voice, and to avoid too many nouns. The information directed to you should not be written in legal or other specialist language. In case of doubt, the data controller must be able to show why s/he could not avoid using ambiguous phrases and that they did not affect the reliability of the processing.
If you speak a foreign language, the data controller must provide you with the translation of the information. He is responsible for ensuring that all translations are faithful and understandable so that you do not have to decipher the meaning of the translated text or interpret it.
Example 4 - incorrect messages
"We may use your personal information to develop new services."
You do not know what services. You do not know how the data will help to develop them.
"We may use your personal information for research purposes."
You do not know what reserach is meant.
"We may use personal data to offer personalized services."
You do not know what "personalization" means.
Example 5 - correct messages
"We will store the history of your purchases and use detailed information about the products you have bought in the past to offer you other products that we think you may be interested in."
You know what kinds of data will be processed, and that you will receive targeted advertising of products and that your data will be used for this purpose.
"We will store and research information about your recent visits to our website and how you navigate through the different sections of our site to find out how users use our website so that we can make it more intuitive."
It is clear what types of data will be processed and what kind of analysis will be carried out by the data controller.
"We will record which articles on our website you have clicked on and use this information to create advertisements on this site that are directed to you and correspond to your interests, as determined by us based on the articles you have read".
You have been explained what personalization means and how your interests have been determined.
Providing information to children and other persons who require special treatment
If the data controller is referring to children or should be aware that the goods or services are specifically used by children, s/he should use appropriate language, tone and language style so that the children consider that the information is addressed to them. The message should be formulated in a clear and simple language, as well as on a medium that children can easily understand.
Take a look at the following version of the UN Convention on the Rights of the Child, written in a child-friendly language. You can see who it is directed to right away!
In the case of very small or illiterate children, information measures should be better addressed to their legal guardians, because in most cases it is unlikely that even the most basic messages will be understood.
Similarly, if the data controller is aware that his or her goods or services are used by people with disabilities or people who may have difficulty accessing information, they must include this in communication.
The form and manner in which the data controller gives you information about the processing of your data are very important. Whether they are appropriate in your specific case should be assessed in the light of your experience. To determine the most appropriate way to communicate with you, data controllers can test you for feedback on how to address you in an accessible, understandable and easy-to-use way. The data controller who is able to document such an approach will more easily settle his or her duties.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88.
Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, Adopted on 29 November 2017, As last Revised and Adopted on 11 April 2018, 17/EN WP260 rev.01.
UN Convention on the Rights of the Child in Child friendly Language, https://www.unicef.org/rightsite/files/uncrcchilldfriendlylanguage.pdf