5. Description of Information Provided to Data Subjects
Summary: Data subjects must understand the full scope of the processing of their personal data. The first aim here is to describe the information strategy: how the project plans to ensure data subjects are properly informed. The actual information content – information sheets, privacy statements, etc. – is not described here. Instead, these texts are included in their respective files, stored in the project’s shared folder, and referenced in the description provided here
The principle of transparency is all about being clear, open and honest with the people behind the processed personal data, from the start, about how their data is being used, by whom, and for what purposes. When individuals are properly informed, their expectations of the overall process shall match the actual way their personal data is being processed – They must not be surprised by how or why their personal data is being processed.
Transparency is the cornerstone for ensuring proportionality, because when data subjects are aware that their data is being used, they are able to exercise their data protection rights – like giving or revoking consent, objecting to the process, requiring access or deletion of their personal data.
Transparency is often achieved by directly providing information to data subjects. Attention should be paid not only to what information is provided, but also to how it is provided – because the goal is not just to draft privacy statements or information sheets (which may or may not be read, or actually understood). The goal is to ensure data subjects’ expectations match the actual data processing. For sensitive projects, it may be necessary to set up tests to check if the information strategy is effective enough. On the other hands, if expectations already match the actual processing, it is not necessary to repeat already known information.
In step 5, a description of the strategy – how data subjects are informed – is required. The actual information provided to data subjects is not described here. Instead, provided information is documented in separate documents (like invitation_text.docx, or information_letter.docx) and stored in the shared folder of the project. Then, when describing the information strategy, a link is provided when referencing to the actual documents. For example, step 5 would include a description like “Prospective research participants are initially informed when they receive an invitation to participate in the project via email (see the text of the invitation – link)“, where the actual invitation document is stored in the shared folder.
In short: Information must be provided in an understandable, transparent and clear manner, and must be provided in a timely fashion, concise, and in an easily accessible manner. Information must be provided in the most efficient manner possible, using different channels and provided in a layered approach
Information strategy:
How information should be provided depends on the nature of the processing activity, in particular considering how the processing activity is experienced from the perspective of data subjects. Typically for interview activities, data subjects targeted to be interviewed are first contacted with an invitation (directly by email, or indirectly with a newsletter or similar announcement). Then they receive additional information when they accept the invitation, and are once again informed at the start and throughout the interview process – they are informed at three different points, with information that increases in detail level each time. The style and format of the text should match the context of the interview and the data subject’s background. Information should be drafted in such a way that potential participants are both properly informed and convinced to participate in the interview.
Information can be provided at different times, through different channels and using different media – in writing is not necessarily the only way to provide information. Likewise, information should be layered in a manner that resolves the tension between completeness and understandable: Clear and concise information can be provided upfront (the initial layer, offering the most relevant information), and additional information (secondary layers, offering detailed and complete information) can be provided elsewhere – i.e., with a link to a privacy statement.
Information content:
The information that must be provided to data subjects is listed in GDPR articles 12, 13 and 14. Summarizing, these requirements include a description of the purposes of the processing, categories, retention periods, recipients and source of personal data, the legal basis for processing and associated data subject’s rights, the contact details of controllers and DPO, and (if applicable) any international data transfers or automated decision-making processing. To facilitate complying with these obligations, we can list the information that must be provided as follows:
The most important part of provided information, is the information about the processing activity, as it states why the processing is necessary – what the purpose of the project is, why it is important, and fundamentally, why the processing of personal data from data subjects is indeed necessary to reach the purposes. It explains how the processing activities (surveys, interviews, photographs, observations, etc.) plans to use the collected data to reach the (scientific, educational, security related) purposes of the project.
In other words, this describes several steps of the Privacy Scan: It includes a description of the purpose(s) of the project (step 1), that explains what the project is trying to achieve, or the services it meant to provide. This should be followed by a description of the specific personal data processing activities, like interviews, observations or surveys, that are required to reach the goals of the project – thus linking the main goal (i.e., the research goal) with the specific personal data-processing activities (i.e., interviews or surveys).
Next, it should also describe who the (targeted) data subjects are and why they (and their data) are necessary (step 2 and 3), so that data subjects understand why they are specifically invited (targeted) to participate in the project. This information would also be useful for them to assess the relevance of their participation in the processing activity – or whether they need to do something about it, like exercising their data protection rights.
A description of how their data is processed (step 4) is also needed – specifically, for how long (data retention), who has access to it (or will receive the data), and why. Depending on the context and the potential risks involved, it may need to describe the tools and storage involved (to demonstrate that the processing is sufficiently secure and accurate), whether there are any risks involved and if an ethics review assessment has been completed (step 11), if data is going to be exported outside the EU, and why (step 9), and if there is any automated decision-making or profiling involved.
It also lists the people and organizations who are responsible for the processing or are otherwise involved in the project (Step 4 and 8), and how they can be contacted. The contact information of relevant privacy officers (For Geo: privacy-geo@uu.nl), the DPO (For the UU: fg@uu.nl), and the ERB (For Geo: etc-beta-geo@uu.nl) may also be included, if relevant. A link to the UU privacy site (uu.nl/privacy) can also be used instead, as the DPO contact information, and other relevant privacy info are already found by following that link.
If relevant, also mention the possibility (as research data is often useful for purposes beyond the current one) that their data will be hopefully reused in future research projects, including the safeguard implemented to protect their data – describing as much as possible the potential ways their data may be used in future research.
The legal basis of the processing (step 7) should also be mentioned – but there is no need to do so literally. For example, when based on consent, instead of stating “the legal basis is consent”, it is often enough to mention that “participation is voluntary”, or “based on their agreement”, or “based on their consent” – that would be enough to indicate that consent is the legal basis. Likewise, when legitimate or public interest is involved, the reasons (interests) for the processing should be mentioned – “participation is based on the interest [listed interests]” – and when based on contract or legal obligation, the actual contractual or statutory requirement involved should be mentioned. In addition, after referring to the legal basis, it is also necessary to indicate what are their data protection rights and how to exercise them (step 6) – but once again, there is no need to literally copy/paste a list of their rights as listed in the GDPR. It is better to explain in more understandable terms what choices and rights are available to them. For example, it can be mentioned that their consent can be withdrawn, that their participation can be stopped at any time, and that they can use the contact information for any request, suggestion, objection or complaint related to the processing of their data.
Previous: Description of the Processing of Personal Data | Next: Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of the Project’s Purpose
- Description of Data Subjects
- Description of the Categories and Purposes of Personal Data
- Description of the Processing of Personal Data
- Description of Information Provided to Data Subjects
- Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of Lawful Basis for Processing
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing
- Preliminary Risk Assessment