Providing Transparent Information
Businesses and organisations that process personal data must provide individuals with information on the type of processing that is taking place and who is carrying it out. At a minimum, this information must clearly state:
Who you (the organisation) are.
Why you are processing the data.
What legal basis you rely on to legitimise the processing.
Whether or not the data will be transferred on to other organisations or individuals.
How long the data will be stored.
The existence of the individual’s rights under data protection, including the rights to access, correction, erasure, restriction, objection and portability.
The following information must also be supplied, if it is the case that your business or organisation comes within the scope of these provisions:
- If you are required to appoint a Data Protection Officer then the contact information of the DPO must be provided.
- If you are relying on legitimate interests as your legal basis for processing, you must explain what the legitimate interest is.
- If you are transferring the data outside of the EU, you must explain why.
- If you rely on consent as your legal basis for processing, you must explain how consent can be withdrawn.
- If there is a legal obligation to provide the data, that must be explained.
- If you are processing by means of automated decision-making, you must provide information about the logic underpinning the automated process, and any consequences arising out of a decision that has been arrived at through automated means. Be aware that the right to object to automated processing in the guidance for individuals section is one of the rights granted to individuals under the GDPR.
Further information on Transparency is available in the Article 29 Working Party Guidance.