of 27 April 2016

on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)

Any processing of personal data should be lawful and fair. It should be transparent to individuals.

The controller should provide the data subject with any additional information that is necessary to guarantee fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Where personal data are collected from the data subject, the data subject should also be informed whether he/she is obliged to provide the personal data and the consequences if he/she does not. This information may be provided in combination with standardized icons to provide a clearly visible, understandable and readable meaningful overview of the intended processing. Icons should be machine-readable if they are in electronic format.

The principle of transparency requires all information relating to the processing of such personal data to be easily accessible and easy to understand and formulated in a clear and simple manner. That principle concerns in particular:

·         the identity and contact details of the controller and, where applicable, the controller’s representative;

·         contact details of any responsible person;

·         the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

·         where processing is based on Article 6 (1). 1, par. (f) the legitimate interests pursued by the controller or a third party;

·         recipients or categories of recipients of personal data, if any;

·         if applicable, information that the controller intends to transfer personal data to a third country or international organization

In addition to the following information, the controller shall provide the data subject, when collecting personal data, with the additional information necessary to ensure fair and transparent processing:

  • the storage period of personal data or, if this is not possible, the criteria for determining it (personal data should be adequate, relevant and limited to the extent necessary for the purposes for which it is processed). This requires, in particular, ensuring that the period during which such personal data is stored is limited to the necessary extent. Personal data should only be processed if the purpose of the processing could not be achieved by other means under reasonable conditions. In order to ensure that personal data are not kept longer than necessary, the controller should set time limits for deletion or periodic review.
  • the existence of the right to request from the controller access to personal data concerning the data subject and the right to rectify or delete or restrict processing, or the right to object to processing, as well as the right to data portability;
  • where processing is based on Article 6 (1) type (a) or based on Article 9 (2) type (a) (processing of personal data with the consent of the data subject), the existence of the right to withdraw his consent at any time without prejudice to the lawfulness of the processing based on the consent granted prior to its withdrawal;
  • the right to lodge a complaint with the supervisory authority;
  • information on whether the provision of personal data is a legal or contractual requirement, or a requirement needed for the conclusion of the contract, whether the data subject is obliged to provide personal data, as well as the possible consequences of not providing such data,
  • the existence of automated decision-making, including the profiling referred to in Article 22 (1) and (4) and in such cases, meaningful information on the procedure used, as well as the meaning and anticipated consequences of such processing for the data subject.

All information intended for the public or for the data subject must be concise, easily accessible and easy to understand, formulated in a clear and simple manner and, in addition, easily visually perceptible. Such information could be provided electronically, for example when reaching the public via a website. Of course, it is also important to have them physically, ready for inspection by the persons concerned at any time.All appropriate measures shall be taken to ensure that incorrect data are corrected or erased. Personal data should be processed in such a way as to ensure adequate security and confidentiality of personal data, including the prevention of unauthorized access to or use of personal data and equipment used for processing.