The GDPR imposes several obligations, among which is the requirement of a legal basis for the collection and use of personal data.
In parallel, the obligation of information and transparency constitutes one of the key principles of the GDPR, in order to guarantee individuals control over their data regardless of the processing carried out. This principle has been the subject of numerous sanctions by the CNIL and by European supervisory authorities.
I. Transparency obligation at the heart of the GDPR: legal framework and practical scope
1. The principle: what must the persons concerned know?
As explicitly stated in Article 5 of the GDPR [1], any collection and use of personal data must be lawful, fair and transparent from the perspective of the person concerned. In practice, the requirement for transparency is fulfilled by the completeness of the information provided to individuals and by the manner in which it is communicated to them. On the latter point, this covers both the details of the collection and use of their data and the modalities for exercising their rights (access, rectification, deletion, etc.).
Articles 12, 13 and 14 of the GDPR specify the information to be transmitted to individuals. This includes the purpose of the processing (the objective behind the use of the data), the legal basis for the processing (the reason the organization is entitled to collect and use personal data), the period for which the data is retained, and the rights of individuals (access, rectification, deletion, etc.). All of this information must be provided in a clear, concise, understandable and easily accessible manner. This information is all the more important where vulnerable individuals are involved, such as children, or in contexts involving sensitive data (e.g. health data), for instance when creating health data warehouses (EDS) or conducting medical research.
The GDPR also distinguishes two situations: when data is collected directly from the individuals concerned (Art. 13) and when it is collected indirectly (Art. 14). In the first case, the information is provided at the moment of collection. In the second case, it must be communicated within a maximum period of one month after the data has been obtained. This distinction aims to ensure that information is always available in a clear and timely manner, regardless of the collection method used.
2. Disclosure obligation: obtaining explicit consent
Information is not only an obligation under the GDPR; it is also a criterion for the validity of the legal bases provided for in the GDPR, such as “explicit” consent, which is required for the processing of certain sensitive data, such as health data (Art. 9(2)(a)).
Indeed, for explicit consent to be valid, it must be “informed.” This means it must be accompanied by a minimum of information so that the person concerned can fully understand what they are consenting to. In this regard, the EDPB has specified the minimum information to be provided before collecting this type of consent, in particular [2]: (i) the identity of the data controller, (ii) the purpose of each processing operation, (iii) the types of data collected, (iv) the existence of a right to withdraw consent and, in certain cases, (v) and (vi) information relating to the use of data for automated individual decision-making or to transfers outside the EU.
The EDPB rightly points out that: « (…) Providing information to the data subjects prior to obtaining their consent is essential to enable them to make informed decisions, understand what they are consenting to, and, for example, exercise their right to withdraw their consent. If the data controller does not provide accessible information, user control becomes illusory and the consent will not constitute a valid basis for processing. » [3]
3. Examples of compliant information support for the persons concerned
The obligation of information materializes through the information materials used by organizations to ensure their transparency. Among these are:
- Privacy policies, which inform individuals about the way their personal data is collected, used and protected by an organization, as well as about their rights, etc.;
- Supplementary information notes that provide clarification on a specific data processing operation, in particular in sensitive contexts such as healthcare research or clinical trials;
- Health transparency portals, which enable patients to understand how their health data is used;
- Information panels relating to video surveillance, informing people of the presence of cameras, the monitored areas, the purposes of the surveillance, etc.
Transparency is inseparable from data governance within an organization. To this end, the DPO plays a central role in its implementation. Discover how the DPO can structure compliant governance through a GDPR audit.
II. The practical implementation challenges
The implementation of transparency and information raises considerable practical issues:
1. Accessibility of information: a major challenge for transparency
Making information truly accessible is sometimes a challenge. In practice, individuals frequently find themselves overwhelmed by a mass of legal texts or privacy policies that are often incomprehensible. This creates a double problem: on the one hand, individuals risk not taking note of important information, and on the other hand, even when they do take note of it, they may have difficulty understanding it. For example, an audit conducted by the CNIL revealed that 89% of privacy policies are written in complex, university-level language, making them difficult for the general public to understand [4].
Given such findings, the CNIL has proposed solutions since 2022, having already encouraged the use of clearer and simpler terms in public communications. In April 2022 [5], it recalled that the GDPR requires information transmitted to the persons concerned to be « concise, transparent, understandable and readily accessible, using clear and simple terms » (Article 12). This recommendation proposes replacing certain technical terms with more accessible ones. For example, instead of “case of facts,” it is preferable to use “specific case,” and “data processing” can be replaced with “use of data.” These simplifications are relevant for communications intended for the general public, such as transparency portals, as well as for responses to requests from individuals exercising their rights.
Furthermore, the CNIL applies this approach in its own communications. Since 2021, it has striven to make its documents, such as its news updates and practical guides, more accessible. By using simplified terms, it allows the greatest number of people to understand its recommendations and the rules to follow for the protection of personal data. However, this simplification does not apply to all legal or official documents, such as authorizations or guidelines, where more technical language remains necessary.
2. The impact of “Dark Patterns” (deceptive interfaces and misleading design): manipulation of users and a challenge for transparency
Another major issue is that of “dark patterns,” digital interfaces designed to subtly guide, manipulate or influence users towards choices and decisions that may be detrimental to them or contrary to their interests [6]. This type of practice is particularly used to complicate the exercise of rights (such as refusing cookies and online trackers) or to encourage behaviors advantageous to the organization offering the service (such as the collection of personal data), at the expense of properly informing individuals.
For example, on certain websites, the default option consists of accepting the collection of personal data, while the option to refuse this collection is hidden, less visible, or requires several steps to activate. In some cases, transparency is disregarded so that the “Accept” buttons of online forms are more visually prominent (color, size, layout, etc.) than the “Refuse” buttons, the latter being discreetly relegated to a corner or shown in a less attractive color.
Beyond purely visual aspects, certain manipulations directly affect the clarity of textual information. The use of ambiguous or vague wording, open to multiple interpretations, is a common example. For instance, the phrase « By clicking “validate”, you agree to remain connected with us » lacks clarity. A more precise and explicit formulation would be preferable, such as: « By checking the box “validate”, you confirm that you have read and accepted our privacy policy and consent to us using your personal data to respond to your contact request. »
These breaches are not without consequences, as the CNIL frequently sanctions organizations that use consent forms of this type that do not comply with the obligation of information (Decisions SAN-2023-025 of December 29, 2023 – Tagadamedia; SAN-2024-003 of January 31, 2024 – Foriu; SAN-2024-004 of April 4, 2024 – Hubside Store) [7].
In this context, several best practices can be implemented to avoid any breach of the information obligation. In addition to the best practices relating to (i) the visual neutrality of consent options, (ii) typographic uniformity and (iii) the balanced layout of buttons, organizations must ensure the clarity of the information provided. Each actionable element, whether a button or a checkbox, must be accompanied by simple and direct information. Users must be able to express their consent or refusal without any effort of interpretation or concentration. The instructions and the consequences of each choice must be explicit, ensuring a free and informed decision.
On the subject of transparency and clarity of information, it is worth highlighting the findings of a study conducted by the LINC (the CNIL’s Digital Innovation Laboratory) [8], which systematically analyzed 53,000 pages from approximately 11,000 e-commerce sites. This analysis identified a total of 1,841 cases of “dark pattern” usage, distributed across 15 types and 7 distinct categories:
3. Health Transparency Portal: an example of access to information for patients
A domain where transparency plays a highly important role is healthcare. In this regard, commendable initiatives such as “transparency portals” have been developed to allow patients to easily access information relating to the use of their medical data.
According to the CNIL [9], the transparency portal is a dedicated space on the website of a data controller and/or its partners, or a dedicated online site, which centralizes and disseminates all information relating to the health data processing activities carried out, as well as future reuse projects for that data. This tool ensures continuous information of individuals and guarantees transparency regarding the uses made of the data.
Establishing a transparency portal is becoming an indispensable component, particularly in the field of health data warehouses (EDS), as well as within the early access reference framework [10], in which the CNIL provides that, when the reuse of personal data is contemplated for research or study purposes, patients may be informed via an information note provided at the time of data collection, provided it refers to a transparency portal. This measure is presented as a complementary transparency measure, which may avoid the need to repeatedly provide individual information with each new data processing operation.
The same logic applies to the compassionate access reference framework [11], where the CNIL reaffirms that patients can be informed of subsequent processing either individually or through a transparency portal mentioned in the initial information note.
4. Insufficient Information Measures: The Case of Amazon France Logistique
Amazon France Logistique was sanctioned by the CNIL for failing to properly inform its temporary workers about the processing of their personal data. Although a privacy policy was made available on the company’s intranet, the CNIL held that this was insufficient to guarantee that each temporary worker had actually taken note of the essential information before their data was collected.
Thus, the absence of an appropriate active method of information created a situation in which the workers risked not being fully aware of how their data was processed, which constitutes a violation of the GDPR information obligation: « the restricted committee notes that the CNIL recommends that the information be provided “in the most appropriate manner according to the organization and functioning of the company”. In this instance, it considers that information on the intranet, intended for employees working daily in warehouses and not expected to work in an office on a computer, without any incentive to access it, does not constitute a satisfactory means of information. » [12]
This decision also highlights the issue of the information provided to employees and visitors regarding the use of video surveillance. The information provided was incomplete, as the information panels in the warehouses did not include the DPO’s contact details, the data retention period, or the right to lodge a complaint with the CNIL. These omissions were treated as non-compliance with Article 13 of the GDPR, which requires that information be provided in an accessible and transparent manner at the time of data collection.
III. What obligations for professionals?
| Information to provide (GDPR obligations) | Article 13 (direct collection from the person) | Article 14 (indirect collection) | Comments |
| --- | --- | --- | --- |
| Identity and contact details of the data controller | ✅ | ✅ | Common to both articles |
| Data Protection Officer (DPO) contact details | ✅ | ✅ | If applicable |
| Purposes of processing and legal basis | ✅ | ✅ | Mandatory for any processing |
| Legitimate interests pursued (Art. 6(1)(f)) | ✅ | ✅ | If this legal basis is relied on |
| Recipients or categories of recipients of the data | ✅ | ✅ | If any |
| Transfer to a third country or international organization and associated safeguards | ✅ | ✅ | And the means of obtaining a copy of the safeguards |
| Retention period or criteria used to determine it | ✅ | ✅ | Necessary in both cases |
| GDPR rights (access, rectification, erasure, objection, portability…) | ✅ | ✅ | All rights must be specified |
| Right to withdraw consent (if applicable) | ✅ | ✅ | If the processing is based on Article 6(1)(a) or 9(2)(a) of the GDPR |
| Right to lodge a complaint with a supervisory authority | ✅ | ✅ | For example, the CNIL |
| Automated decision-making, including profiling (logic, consequences) | ✅ | ✅ | If any |
| Whether the provision of data is obligatory or optional, and the consequences of a refusal | ✅ | ❌ | Specific to Article 13 |
| Categories of data concerned | ❌ | ✅ | Specific to Article 14, but may also be provided under Article 13 |
| Source of the data (and whether it comes from publicly accessible sources) | ❌ | ✅ | Specific to Article 14 |
Recommendations and best practices for implementing the obligation to inform:
| Communicate information: | Explanations |
| --- | --- |
| « concise » | + The information is concise, clear and direct. |
| « transparent » | + The information contains the elements relating to the processing operation carried out by the organization (see the elements in the previous table), e.g. identity and contact details of the data controller, purposes of processing, personal data collected, retention periods, etc. |
| « understandable » | + The information is communicated and drafted in language understandable by the general public (avoid complex wording, legal jargon, etc.). For example, in online forms, individuals must be able to express their consent or refusal without any effort of concentration or interpretation; the instructions and the consequences of each choice must be explicit, promoting an informed and free decision. + The information materials (such as privacy policies) are structured logically, with clear headings and markers that make the information digestible. |
| « easily accessible » | + Use the most appropriate means (modalities) of communication given the specific features of your organization and how it operates. For example, informing employees who work daily in the field, and who are not expected to work on a computer, via an intranet, without any incentive to consult it, does not constitute a satisfactory means of information according to the CNIL; individual means of information, such as email, would be more appropriate. + Access to the information must be easy. For example, a user must be able to find the privacy policy of a website from all the important pages of the website or application in just a few clicks (for example, in the footer or in the navigation menus). It must also be made visible at the moment the data is collected (for example, during registration or activation of a service), with a direct link so that users can consult it before entering their personal data. |
| « in clear and simple terms » | + Use simplified language and terms in your documents and information materials (e.g. privacy policy, transparency portal, information note), for example by replacing the term “data processing” with “use of data”. The term “processing” has a broad meaning, as it covers numerous actions and operations carried out on personal data (use, storage, deletion, extraction, modification, etc.), whereas the notion of “use” refers more specifically to the direct exploitation of data within a given context and for a given purpose. |
Aumans Avocats: specialists in IT/Data, data protection and outsourcing of the DPO
Ensuring clear and compliant information in accordance with GDPR requirements is not an option but a legal obligation. Given the increasing complexity of personal data processing, a rigorous and secure approach to transparency is indispensable to limit legal risks and protect your organization’s reputation.
At Aumans Avocats, we assist companies, associations and public bodies in the concrete implementation of their information obligations, the drafting of customized notices, the compliance of their privacy policies, and the handling of requests from data subjects. Our expertise in data protection law guarantees a pragmatic and legally sound approach.
Need an audit of your information materials or support for a GDPR project?
Contact Aumans Avocats to benefit from tailored support, compliant with CNIL recommendations and industry best practices.
Sources:
1. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr – Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR)
2. https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_fr.pdf – EDPB/CEPD, May 5, 2020, Guidelines 5/2020 on consent under the GDPR, page 18, point 64
3. Ibid., page 17, point 62
4. https://www.cnil.fr/fr/design-trompeur-les-resultats-de-laudit-du-global-privacy-enforcement-network – CNIL, Deceptive design: the results of the Global Privacy Enforcement Network audit
5. https://www.cnil.fr/fr/information-des-personnes-la-cnil-encourage-lemploi-de-termes-plus-clairs-pour-le-grand-public – CNIL, Information of individuals: the CNIL encourages the use of clearer terms for the general public
6. https://linc.cnil.fr/dark-patterns-quelle-grille-de-lecture-pour-les-reguler – CNIL (LINC), Dark patterns: what framework to regulate them?
7. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049051422 – CNIL, Decision SAN-2023-025 of December 29, 2023 (Tagadamedia); https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049231950 – CNIL, Decision SAN-2024-003 of January 31, 2024 (Foriu); https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049382214 – CNIL, Decision SAN-2024-004 of April 4, 2024 (Hubside.Store)
8. https://linc.cnil.fr/dark-patterns-quelle-grille-de-lecture-pour-les-reguler – CNIL (LINC), Dark patterns: what framework to regulate them?
9. https://www.cnil.fr/fr/demande-dautorisation-dans-le-domaine-de-la-sante-hors-recherche-les-informations-fournir-et-les – CNIL, Authorization request in the health sector (excluding research): information to provide and grant criteria
10. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046542586 – CNIL, Decision No. 2022-107 of September 22, 2022, adopting a reference framework (early access)
11. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046542576 – CNIL, Decision No. 2022-106 of September 22, 2022, adopting a reference framework (compassionate access authorization)
12. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000048989272 – CNIL, Decision SAN-2023-021 of December 27, 2023 (Amazon France Logistique)