5. Description of Information Provided to Data Subjects
The aim here is to ensure data subjects are properly informed: the processing should be expected by data subjects, and they should not be surprised by it. Information must be clear, accessible, and provided in an appropriate manner, and should at least describe who is processing their data, how their data is being processed and for what purposes, and what their rights are and how they can exercise them.
Providing privacy-related information does not necessarily need to be a “separate” exercise. When you engage with data subjects, there is a lot of information that needs to be provided besides privacy-related information. If you are inviting people to a seminar or symposium, you also need to provide practical information on the event, and you need to ensure that the presented information is sufficiently engaging and inviting to convince people to attend your event.
This is why it is important to remember that providing privacy-related information is not necessarily a separate section of the overall communication with data subjects. As long as you provide them with the required information (described below), and it is clear that individuals’ expectations of the processing match the reality (data subjects won’t be surprised), then you are free to shape the way you provide information in such a way that facilitates reaching your other privacy-unrelated goals, like convincing people to participate in your research project.
Especially relevant for scientific research: Individuals cannot make an informed decision about whether to give (or refuse) their consent if they don’t know how your project will use their personal data. Informed individuals are also empowered to exercise their data protection rights, or perhaps to try to change the terms of that relationship by revoking their consent or objecting to the processing of their data – by making use of their data protection rights.
When providing information, you should pay attention to how information is provided. Provided information should be clear and understandable, accessible and timely, and multi-channel and layered.
Information shall be in clear and plain language, concise and intelligible to the targeted individuals. It should have a clear meaning to the audience in question and should be relevant and applicable to the specific individual and their context. You should avoid using qualifiers such as “may,” “might,” “some,” “often,” etc. as they are purposefully vague. The writing should be in the active voice and sentences and paragraphs should be well structured, using bullets to highlight specific points of note if necessary. Avoid unnecessarily legalistic and technical terminology. You should avoid phrases like “We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to). Data subjects should have a fair understanding of what they can expect with regard to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.
Information shall be easily accessible for the data subject. For example, you may leave individuals with a copy of the information, or place the information online – accessible via a QR-code and/or the edu.nl URL shortener. Information should also be provided at the relevant time and in the appropriate form.
Information should be provided in different channels and media when possible and appropriate – in writing is not necessarily the only way to provide information – to increase the probability that the information effectively reaches the data subject. Information may be presented in various ways, such as written or oral statements, or audio or video messages. Likewise, information should be layered in a manner that resolves the tension between completeness and understandability, while accounting for data subjects’ reasonable expectations. Clear and concise information can be provided upfront (the initial layer, offering the most relevant information), and additional information (secondary layers, offering detailed and complete information) can be provided elsewhere – i.e., by providing a link to more detailed and complete information.
Attention should also be paid to what information is provided to data subjects. Provided information should include a description of the way the research project will process personal data, a description of future data (re)use for scientific purposes (if applicable), and a description of the rights available to data subjects.
This description will allow the data subject to understand how and why the project will use personal data, as well as the questions that will be the subject of the research. This description should include at least:
A description of the research team – who is responsible for the project – the lead researcher or the project representative – and how they can be contacted. Try using a project-specific email address instead of a personal email as much as possible. Additionally, include if applicable:
- The roles and responsibilities of the other controller(s) involved in the process.
- Any external companies or organizations (processors) that will process personal data on your behalf or under your instructions. Describe also the (types of) data they will process, how they will process it, and the reasons why the project needs to use these processors.
- Any other recipient(s) of personal data – any other third party to which personal data is disclosed, apart from the already described controllers and processors. For example, data may be disclosed to the Dutch CBS.
- It should be clear for data subjects who has what kind of access to their personal data – and for what purpose. It should be clear for individuals how to contact controllers.
A description of the data processing – What is happening with the personal data – including:
- A description of how data will be collected – especially if it is not directly collected from data subjects. If data from other sources will be used to enrich the collected data, this should also be described.
- A description of what type(s) of data will be collected by the survey, and how this data is going to be used/processed by the project. This information should make it clear why this data processing is necessary to reach the project goals.
- For how long, in what shape and for what purposes will their personal data be stored/archived. The storage period (or the criteria used to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, based on his or her own situation, what the retention period will be for specific data/purposes. It is not sufficient to generically state that personal data will be kept for as long as necessary for the purposes of the processing. Rather, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including archiving periods.
- If applicable, a description of any transfers to third (non-EU) countries, including details on how this data transfer is permitted under the GDPR – for example, by stating the relevant derogation or safeguard permitted under GDPR Art 49.
- If applicable, a description of any automated decision-making including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject.
- If applicable, a description of any potential risks to data subjects. It should be clear to data subjects how the processing of their personal data may affect them personally (and/or as a group). If available, communicate the advice obtained from the project ethical review assessment.
In summary, it should be clear for data subjects why and how their data will be used to fulfil the project/survey goals.
What will happen to the data after the current project is finished? Research data may still be very useful for future research projects. But data subjects must be made aware of this, and if necessary, they should be able to provide/revoke their consent. Therefore, to ensure personal data can be further used for other scientific projects, you should provide:
- A description, as detailed as possible at the time, of who could potentially use the data for future research, for what purposes and for how long. In other words, a description of potential future research teams/groups and a description of the possible ways their data may be used in future research, considering the information that is currently available at the time of data collection – meaning that if you can’t provide specifics at that moment, you can describe at a more general level any potential future scientific use, see note below for when there is a lack of purpose specification.
- A description of what kinds of safeguards will be implemented to protect their data in those future projects. Potential safeguards may include a commitment to no data transfer to third countries with a lower level of data protection; specific commitments to data minimization, encryption, anonymization or pseudonymization; specific rules for limiting access to the collected data; and the establishment of an Internet presence (project site) through which data subjects are informed about ongoing and future studies derived from their personal data.
- To facilitate managing access to a project site, it is recommended to use a URL-shortener like edu.nl. An edu.nl link can thus be given to data subjects as it will remain constant, while the destination URL can be edited as much as necessary throughout the project life.
A lack of purpose specification may be offset by periodically providing information on the development of the project, as the research project progresses so that, over time, the consent will become as specific as possible. By doing so, the data subject will have at least a basic understanding of the state of play, allowing him/her to assess whether to use, for example, the right to withdraw consent.
In summary, it should be clear for data subjects why and how their data would be used for future research by other researchers. They should not be surprised at the purposes of future research.
How would data subjects be able to exercise their rights, and how would controllers respond to their rights requests? This description should be specific to the processing scenario – the project at hand – and include a summary of what the rights involve and how the data subject can take steps to exercise them and, if any, any limitations on the rights. Data subjects should also be informed of their right to contact the UU Data Protection Officer (DPO) and the right to lodge a complaint with a supervisory authority (like the Dutch Autoriteit Persoonsgegevens – AP) – for example, by including the contact information of the UU DPO (fg@uu.nl) and the contact information of the Dutch AP – autoriteitpersoonsgegevens.nl.
The rights available to data subjects are as follows. They do not need to be repeated verbatim. Rather, you should rephrase them considering the context of the processing, so that it is clear what their rights mean specifically for individuals involved in the project.
- The right to be informed – data subjects have the right to be informed, in a clear and easy to understand manner, about how their personal data is processed. That is why information is provided before any data collection starts, but data subjects can also request (or be provided with) additional information throughout the life of the project. You are already complying with this right when data subjects are properly informed (as stated above) and are able to contact you by having your contact information, as well as the UU DPO and the Dutch AP contact information.
- The right to access – In addition to the information already provided, data subjects have the right to request a copy of their personal data which is being processed by the project.
- The right to rectification – If their personal data is inaccurate or incomplete, data subjects have the right to have their data rectified or completed without undue delay.
- The right to erasure – data subjects have the right to request deletion of their personal data, under certain conditions. This is also known as the ‘right to be forgotten’.
- The right to restrict processing – data subjects have the right to request to restrict the processing of their personal data, under certain conditions. Restricting the processing means that data can still be stored, but most other processing actions, such as deletion, will require data subjects’ permission. This is useful for data subjects that would like the processing to stop, but do not want their data to be deleted.
- The right to data portability – Data subjects have the right to request the transfer of their personal data to another organization, or directly to them, in a structured, commonly used and machine-readable format, under certain conditions.
- The right to object to processing – Data subjects have the right to object to the processing of their personal data, under certain conditions. They also have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal or significant effects. If data subjects gave their consent to participate in the project, they also have the right to unconditionally withdraw their consent.
Processing deidentified personal data – Your goal is to process data in a deidentified state as much as possible, and only process data that is necessary to achieve the goals of the project. This means that in most cases, directly identifying data (like name, email or postal address) will not be used by the research and therefore will not be linked to the rest of personal data that is present in the research dataset. As a result, if you are unable to identify an individual’s information within your dataset – because you use deidentified data – you will not be able to (and do not have to) comply with data access, rectification, erasure, restriction of processing or data portability requests (unless you are provided with additional information that may enable you to locate the specific data of the requesting individual) – in accordance with Art. 11 of the GDPR. In other words, you do not need (and must not) keep data identified just for the sole purpose of being able to respond to data access or erasure requests.
It is important to make sure that provided information is understood by everyone. Write something that the average person/data subject can understand, and not only your peers. Keep it short upfront and use the layered approach to provide complete information. Provided information is meant to be read by individuals, so be creative and make people cast an eye on it. Don’t be afraid of using a lighter tone, or to use modern and smart language. Making an effort to make it less boring increases the chances data subjects will actually read and understand the information you are providing, which is the goal of the transparency requirement.