Fairness and transparency are the principles of personal data processing

Fairness and transparency are the principles of personal data processing

By what other way, if not by transparent regulations, citizens' credibility in processing personal data can be increased? It is precisely the transparent and fair regulations introduced by GDPR that are intended to increase the protection of the customer when providing personal data. So, how is transparency in the handling of personal data guaranteed?

Specific and clear communication

Information on the processing of personal data must be clear, understandable and transparent.

Business entity (web, e-commerce, seller ...) must provide information about the processing of personal data in the simplest form.

As per Article 12 of the GDPR, the information shall also be:

• Concise, transparent, understandable and easily accessible.
• In written or electronic form. At the request of the data subject, consent may be given orally.
• Consent must be free of charge.

Form of consent

As we mentioned, there are more ways to provide this data processing information. The first one is, for example, signing a contract or checking the box when registering. They may also be pop-ups on websites that need to be confirmed. However, the entity itself may request another type of verification of its consent. It may be an oral form (telephone) or personal contact. In addition, specific applications may include camera recordings, QR codes, video alerts or SMS or email.

Announcing at the right time

The timeframe in which the personal data of the data subjects are manipulated is also a condition for the transparent processing of personal data. The whole process begins at the moment before or at the moment of processing, gathering such information. In terms of time, information on the processing of personal data must therefore be provided before or at the moment when the personal data were obtained (filling in the form). If this information is captured indirectly, obtained from other sources, information on the collection of personal data must be provided within one month at the latest. However, the time is usually shorter and begins when the data subject is first contacted. It should be noted that if the processing of personal data is ongoing, the controller should repeatedly inform the entities of the scope and reason for the processing of personal data.

Obligations of the controller and possible exemptions

Each coin always has two sides, and so it with new GDPR policy too. What does the controller have to do and what can he do?

• It shall provide the data subject with information on his or her rights. The data subject must allow these rights to be exercised as easily as possible and all procedures should be proportionate in the relationship between the controller and the data subject.
• When obtaining information directly, the controller must clearly demonstrate and substantiate what information it received from the data subject, when it was received, and at the same time demonstrate that it has not been altered. The controller must ensure that the information is up-to-date and complete.
• Certain exceptions may apply to indirect acquisition. The obligation to provide data does not arise from the rule if it is proved that such provision is not possible. By this we mean cases such as archiving, statistical purposes or historical research. The same is true if the granting of the grant would require a disproportionate effort and would jeopardize or hinder their processing.