New technologies are often a source of wonder, but they can also be a source of concern. There are many reasons for this, one being the lack of transparency in certain modern processing operations, which could provoke confusion, and even suspicion, among data protection and cybersecurity experts and non-experts alike.

It is for this reason that it is so important to clarify from the very start of a new technology’s lifecycle the terms and conditions of any data processing, especially those that involve innovative technologies that many people might not be familiar with or easily understand. It is up to the controller - those who are responsible for determining how the data is processed and for what purpose - to determine that the proposed data processing operations are fair and transparent and to clearly explain them to users.  

Not only do controllers have a legal obligation under both the General Data Protection Regulation (GDPR) and the equivalent rules for the EU institutions, to provide this information, but it is in their interest to do so, in order to maintain and build consumer trust. If controllers do not explain how technologies work, as well as their personal data processing operations, they may lose this trust. The information that controllers are legally obliged to provide includes the name of the controller in the data processing, for which purposes data is processed, to whom personal data may be transmitted and for how long data will be stored. Individuals must also be informed about their rights in relation to the data processed.

All of this information needs to be communicated in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This becomes even more important when communicating with minors. The information should be provided in writing, usually in the form of a data protection notice, available either online or on paper. If requested by an individual, it can also be provided orally.

Retrieved from https://edps.europa.eu

News archive