The mark of an organization’s commitment to data protection is shown through its data protection notice/statement. A robust DP notice is essential. One of the things that a data protection officer is required to monitor is compliance with the DP notice. Unfortunately, some organizations are issuing what can only be termed “Caspar Milquetoast” DP policies. Caspar Milquetoast was a cartoon character who was timid, bland and inoffensive. Obfuscating their data collection and processing activities on the personal data while using the keywords from the GDPR, some controllers are publishing revised DP policies that under-inform or misinform their customers.
The Article 29 Working Party’s recent transparency guidance provides very helpful direction. It states, “Transparency is an overarching obligation under the GDPR … Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data … the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects … The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular the purposes of, and legal basis for, processing the personal data should be clear … WP29 recommends as a transparency best practice ‘that at the point of collection of the personal data in an online context a link to the privacy statement/notice is provided.’”
It further states, “A central consideration of the principle of transparency outlined in these provisions is that the data subject should be able to determine in advance what the scope and consequences of the processing entails … the WP29 position is that controllers should not only provide the prescribed information under Articles 13 and 14, but also separately spell out in unambiguous language what the most important consequences of the processing will be … Such a description of the consequences of the processing should not simply rely on innocuous and predictable ‘best case’ examples of data processing, but should provide an overview of the types of processing that could have the highest impact on the fundamental rights and freedoms of data subjects.”
Clique aqui e leia a matéria completa.