6.6. Personal data
The French National Commission on Informatics and Liberty (known as 'CNIL') defines personal data as: ‘any information relating to an identified or identifiable individual’.
Data collection and processing are regulated by:
- a group of principles and rules: the GDPR (General Data Protection Regulation), which protects individual freedoms and applies directly across the EU;
- a French law that adapts national law to the regulation: the 'Informatique et Libertés' law (on data processing, files and liberties).
This section is about GDPR-linked topics that are part of an ethical design approach, such as:
- Defining a processing purpose (what to do with data?);
- Collecting essential data only (data minimisation);
- Being transparent about data usage (informing users and giving them control);
- Collecting consent;
- Selecting the right tools.
This guide does not cover all the obligations concerning GDPR. Moreover, when working on the design aspect of GDPR, collaborating with experts is a must. DPOs (Data Protection Officers) are key interlocutors.
This chapter was initially written in French under the supervision of Estelle Hary, previously designer at the digital innovation lab 'Laboratoire d’Innovation Numérique' of the CNIL (LINC).
Reflecting on the use of the data collected
Before processing any data, its purpose must be determined: this is mandatory. Each purpose must rest on a legal basis (Article 6 of the GDPR) for the processing to be lawful. Choosing the legal basis is a legal decision, so it is recommended to work with a legal specialist.
For example, a processing purpose could be 'newsletter sending management'. The website would collect email addresses and process them.
Other processing examples:
- Client database management;
- Order management.
Collecting essential information only
The collection of personal data must be limited to what is necessary to actually achieve the processing purpose. This is the principle of 'data minimisation' (Article 5(1)(c) of the GDPR).
Example of necessary data collection | Example of unnecessary data collection |
---|---|
To manage a shopping cart, an e-commerce website needs to store some personal data in a cookie: the list of items added to the cart, so that the user can place an order. | A user wants to subscribe to a note-taking digital service. While subscribing, the form asks them to specify their gender. Yet this piece of information is not necessary for the service to manage the subscription. |
Informing users about the use of their data
As soon as data is processed, the principle of transparency must be respected (Article 12 of the GDPR). This principle implies informing people about how their personal data is used.
Information to be provided
The information that must be communicated to users is described by:
- Article 13 of the GDPR when the data is collected directly from the individual;
- Article 14 of the GDPR when the data is obtained indirectly (from another source).
Among other things, this information covers:
- the identity of the controller (who processes the data?);
- the processing purposes (why is the data processed?);
- the recipients (who is the data shared with?).
Users should understand how their personal data is processed. To do so, information must be:
- Easy to access: users should find it easily;
- Easy to understand: thanks to the use of simple terms, short sentences, structured information, and so on.
When to inform
The information must be provided at the time the data is collected, for example when someone subscribes to a website.
It is also possible to inform in a more contextual way, while the website or the service is being used. This makes it possible to:
- situate data processing in a specific context of use;
- provide concise information to users;
- remind users that their personal data is processed.
For example, an application that uses geolocation can:
- notify users that their location data is being processed;
- remind them of the purpose of the processing;
- let them manage their settings.
How to organise the information provided to users
The information provided to users about how their data is used must be available on the website at all times. It must be available in full on a dedicated page, usually called the privacy policy.
To make this policy more understandable and easier to absorb, the information can be layered. A first level gives users the key facts about the processing (the identity of the controller, the purposes, people's rights) and links to a second level that contains all the required information (i.e. the full privacy policy).
The website Données & Design, published by LINC (in French), offers design patterns and examples for:
- structuring the information: by purpose, by data and/or by question and using levels of information;
- providing clarity: giving definitions, examples and/or using videos;
- synthesising: providing summaries and using tables;
- drawing attention: using notifications or icons;
- navigating: using keywords or allowing a simple navigation into contents thanks to an interactive table of contents.

Information by level
The company Juro wanted to revise the information it provides about personal data. The designer Stefania Passera worked on it to make it simple and accessible. The information is now structured in two levels:
- An overview of the processing, with the key information. The reader's eye is guided by the structure and the icons displayed.
- A privacy policy whose navigation, content and structure are designed to make it easy to read.
Evolution of data processing
Informing people is mandatory as soon as:
- Data processing is modified significantly (for example, an additional purpose is added);
- A specific event happens (for example, a personal data breach).
Information must be durable and easily found. It is also possible to communicate through emails, in-app notifications, and so on.
Being transparent about third party data sharing
If your service shares its users’ personal data with third party operators, being transparent and understandable about this sharing is fundamental. Users should understand:
- Who is going to have access to their personal data;
- For what reason (sale of data, data exchange, contractual commitment, etc.).
Find out more:
- Presentation of one of the key concepts from the GDPR: information (to users, about the data processing) (French)
- GDPR compliance: how to inform people and guarantee transparency (French)
- Privacy by design: building a privacy policy people actually want to read: Juro's CEO's account of the revision of their privacy policy (English)
Giving people control over their personal data
The principle of transparency also means informing people of their rights, and making it easier for them to exercise them. These rights enable users to keep control of their personal data.
In addition to the right to information, the GDPR provides for up to 7 other rights that the individual can exercise:
- The right to access (Article 15): to find out whether data concerning us is being processed, and to have access to it;
- The right of rectification (Article 16): to modify data;
- The right to object (Article 21): to object to the use of data;
- The right to erasure (Article 17): to allow data to be erased;
- The right to restriction of processing (Article 18): to temporarily stop the use of data;
- The right to portability (Article 20): to recover part of one's data (for one's own use or to provide it to another organisation);
- The right to human intervention (Article 22): to be informed of automatic decisions and to allow human intervention. This right concerns automatic decisions that have a legal effect or significantly affect the individual.
Not all rights apply in all cases. This depends on the legal basis associated with the purpose of the processing. For example, the right to object (Article 21) can in general only be exercised when the processing is based on:
- the performance of a task carried out in the public interest, or
- the legitimate interests pursued by the controller.
One exception worth knowing: processing for direct marketing purposes can always be objected to, whatever its legal basis (Article 21(2)).
Facilitating the exercise of rights
Article 12 sets out several rules that apply to the exercise of rights. Please note that exercising a right is free of charge.
First and foremost, it's important to facilitate access to the right. This means that people must be able to:
- easily find the place where they can exercise their right;
- easily identify the right person to turn to.
The exercise of certain rights can be integrated into the user experience by:
- offering intuitive ways of exercising a right;
- being clear about the scope of the action.
For example:
- An account modification page lets you exercise your right to rectification.
- A 'Delete account' button lets you exercise your right to erasure.
Integrating the exercise of a right into a service interface does not replace more formal exercise methods (e.g. email to the DPO, dedicated contact form). Besides, the exercise of certain rights cannot be integrated into the process. It is therefore important to think holistically about how rights are exercised, and to guide people in exercising them.
Example |
---|
A 'My profile' page lets you view your information (nickname, email address, etc.). In addition, the company collects other personal data (IP address, for example) that does not appear on the profile page. |
In this case, a brief note should be added: 'Data other than that displayed is collected. You can exercise your right of access via |
Examples of settings are documented on the LINC Data & Design website (French):
- To combine information and action;
- To provide a dashboard;
- To provide feedback on user actions.
Informing people about the follow-up of their request
Facilitating the exercise of rights also means informing people of what happens once their request has been made.
For example, indicate that the request is being processed and give an approximate response time:
- In simple cases, the response time must not exceed one month.
- In complex cases, it can be extended by two further months (three months in total). The person must then be told, within the first month, the reasons for the extension.
Promoting interoperability through data portability
The right to portability (Art. 20 of the GDPR) allows people to recover their data, for personal use or to transfer it to another service.
In an ethical approach, facilitating portability means that people are not 'prisoners' of one platform. Users can then choose the platform that gives them the best conditions.
The right to portability can be exercised:
- if the data processing is based on the individual's consent or a contract (purchase history, contact details, data from a connected object, etc.).
- on data actively provided or generated by the individual (for example, a manually constructed playlist). 'Inferred' data is not covered by this right (e.g. personalised recommendations).
Data must be supplied:
- in a structured, machine-readable format. Open formats such as CSV or JSON are particularly well-suited to portability. PDF, on the other hand, does not meet these criteria.
- securely (e.g. protected by authentication or password). A public download link is not secure: other people could download the data.
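To make the two supply conditions above concrete, here is an added example (not code from the original guide or from the CNIL). It builds a JSON and a CSV export that contain only provided and generated data, leaving out inferred data, and protects the download with a short-lived token bound to the logged-in user's id, so that a forwarded or leaked link is useless to anyone else. The account record, the secret and the field names are constructed assumptions.

```python
"""Data portability export (Art. 20) with an authenticated, expiring download link.

Added example, not code from the original guide. Assumed: a per-user account
record, a server-side secret, and a split between data the person provided or
generated (portable) and data the service inferred about them (not portable).
"""
import base64
import binascii
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed sample secret: load from a secrets manager in real deployments.
SERVER_SECRET = b"constructed-sample-secret-replace-me"

# Constructed sample account. "inferred" holds personalised recommendations
# and a score the service computed: excluded from the export by design.
SAMPLE_ACCOUNT = {
    "user_id": "u-1042",
    "provided": {"email": "alice@example.com", "display_name": "alice"},
    "generated": {
        "playlists": [{"name": "Running", "tracks": ["t-1", "t-7"]}],
        "orders": [{"id": "o-88", "date": "2024-03-02", "total_eur": 19.90}],
    },
    "inferred": {"recommendations": ["t-42", "t-99"], "churn_risk": 0.71},
}


def build_portable_export(account: dict, now: int) -> dict:
    """Keep only provided and generated data; drop everything inferred."""
    return {
        "user_id": account["user_id"],
        "exported_at": datetime.fromtimestamp(now, timezone.utc).isoformat(),
        "provided": account["provided"],
        "generated": account["generated"],
    }


def to_json(export: dict) -> str:
    """Structured, machine-readable, open format (unlike a PDF)."""
    return json.dumps(export, indent=2, ensure_ascii=False, sort_keys=True)


def to_csv(rows: list) -> str:
    """Flatten one list of flat records (e.g. orders) into CSV."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_download_token(user_id: str, now: int, ttl_seconds: int = 3600) -> str:
    """Token = b64(user_id|expiry) '.' b64(HMAC-SHA256(user_id|expiry)).

    The user id is inside the signed payload, so the link is bound to one
    account and cannot be re-pointed at another user's export."""
    payload = f"{user_id}|{now + ttl_seconds}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_download_token(token: str, requesting_user_id: str, now: int) -> bool:
    """Accept only an untampered, unexpired token for the logged-in user."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        user_id, expiry_text = payload.decode().rsplit("|", 1)
        expiry = int(expiry_text)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    # Re-check the session: a public or forwarded link must not work for others.
    return user_id == requesting_user_id and now < expiry


if __name__ == "__main__":
    now = 1_700_000_000
    print(to_json(build_portable_export(SAMPLE_ACCOUNT, now)))
    print(to_csv(SAMPLE_ACCOUNT["generated"]["orders"]))
    token = make_download_token("u-1042", now)
    print(verify_download_token(token, "u-1042", now + 60))    # True
    print(verify_download_token(token, "u-2000", now + 60))    # False
    print(verify_download_token(token, "u-1042", now + 7200))  # False
```

The token is an HMAC over the user id and an expiry time; the server checks the signature, the expiry and that the requesting session belongs to the user named in the token. A public, unsigned download URL fails that last check by definition, which is exactly the scenario the list above warns about.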
Find out more:
- CNIL - How to respond to a request for the right to portability? (French)
Obtaining consent
Consent is one of the legal bases provided for by the GDPR (Article 6(1)(a)). It authorises the processing of personal data. It is compulsory for certain processing operations that are specifically regulated by law, for example:
- commercial prospecting by electronic means (e-mail, SMS), governed by the French Post and Electronic Communications Code (French);
- processing of biometric or genetic data (sensitive, unique and permanent data, such as fingerprints, voice or DNA).

Obtaining consent
In this LINC case study, customers can indicate whether they wish to receive personalised offers by email. They can select offers from:
- the platform of which they are a customer;
- the platform's partners.
This method of expressing consent is particularly visual and clear.
Terms of consent
For consent to be considered valid, it must meet four conditions:
- free: the person can accept or refuse to give consent. If they refuse, they must not suffer any negative consequences (e.g. degraded service experience);
- specific: the request for consent concerns a single use of the data. The individual must be able to accept or refuse consent for each purpose;
- unambiguous: the individual must take an active action to signify his or her agreement. For example, ticking a box or clicking on an 'I accept' button. Inaction on the part of the individual does not constitute consent to the processing of his or her data. For example, failure to reply to an email requesting consent;
- informed: the individual must clearly understand what he or she is consenting to. The principle of transparency must also be respected.
Furthermore, the individual has the right to withdraw consent at any time. This should be as simple as giving consent (no extra steps). For example, if a person has ticked a box to give consent, all they have to do is untick it to withdraw it, without a confirmation message.
Practical tips for obtaining consent
Examples of how to collect consent are provided on the LINC Data & Design website. They show how to:
- make sure that consent procedures are accessible (inclusion);
- use different levels of information;
- combine information and action;
- provide a dashboard.
Find out more:
- GDPR - Article 4, par.11 (Definition of consent) and Article 7 (Conditions applicable to consent)
- Data & Design - Consent (English)
- CNIL - Commercial prospecting by email (French)
- CNIL - Biometrics available to individuals: what principles must be respected? (French)
Careful selection of statistical analysis tools
The different analysis tools
Statistical analyses are commonplace. In particular, they make it possible to assess the traffic or the performance of a digital service. These analyses are generally carried out by placing trackers, such as cookies or invisible pixels, in the visitor's browser.
A careful selection of tools and their settings can help to:
- ensure greater respect for personal privacy, by collecting as little information as possible;
- benefit from the exemption from consent that the CNIL grants to strictly limited audience measurement, which also simplifies the interface, since it is no longer necessary to ask for consent for these trackers.
The exemption is possible only if the tool is configured to:
- produce anonymous statistical data;
- serve a purpose strictly limited to the statistical analysis of the site (no cross-site tracking, no reuse of the data for other purposes).
Privacy-preserving analysis parameters
The table below summarises the points to bear in mind for each type of statistic.
Type of statistics | Data concerned | Granularity of statistical aggregation | Focus on privacy | Good practice |
---|---|---|---|---|
Traffic | Number of visits | Per page | ||
Source of visits | URL of external or internal pages (referrer) | Per page, aggregated per day | Associating a single visit with a list of source pages can be used to track the user's browsing habits. This does not respect personal privacy. | Tracking the source of visits on a daily basis is sufficient. This allows you to understand which sites are generating visits. |
Hardware and browsers used to access the service | Devices, browsers and screen size | Per page, aggregated per day | Identifying a person through the technical characteristics of their equipment (fingerprinting) is not respectful. | Having this data on a daily basis is sufficient to understand visitors' hardware types. For example, to improve the site's performance for a given browser. |
Page load time | Page load time | Per page, aggregated per day | ||
Page use | Time spent on each page, bounce rate, scroll depth | Per page, aggregated per day | ||
User interactions | Recording of user actions (e.g. clicks, selection, etc.) | Per page, aggregated per day | ||
User nationalities | Geographic origin of requests | Per page, aggregated per day |
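An added example (not code from the original guide or from the CNIL's recommended tools) that implements the granularity and good-practice columns of the table above as a small aggregator: counts per page and per day only, referrer reduced to its origin, browser reduced to its family, and rare cells folded into 'other' so that a referrer or browser seen once cannot single out one visitor. The log format and the sample lines are constructed assumptions; the aggregator also assumes IP addresses and cookies were stripped before the log reached it.

```python
"""Audience statistics that stay at the level of the table above:
per page, aggregated per day, with no visitor identifier and no cross-page link.

Added example, not code from the original guide or from the CNIL's tools.
Assumed: web access logs already stripped of IP address and cookies, one
request per line as tab-separated "timestamp, path, referrer, user agent".
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log (four requests over two days).
SAMPLE_LOG = """\
2024-05-03T10:12:01Z\t/pricing\thttps://news.example/articles/42?utm_source=x\tMozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
2024-05-03T10:12:09Z\t/pricing\thttps://news.example/articles/42?utm_source=x\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36
2024-05-03T11:40:30Z\t/docs\t-\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15
2024-05-04T08:01:00Z\t/pricing\thttps://search.example/?q=price+list\tMozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
"""


def referrer_origin(referrer: str) -> str:
    """Reduce the referrer to scheme://host.

    The path and query of the source page (article id, search terms, utm_*
    parameters) can single out a person; knowing which site sent the visit
    is enough to understand which sites generate traffic."""
    if not referrer or referrer == "-":
        return "direct"
    parts = urlsplit(referrer)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "other"


def browser_family(user_agent: str) -> str:
    """Coarse browser bucket instead of the raw User-Agent string.

    The full UA string (exact versions, OS build, architecture) is one of the
    main inputs to fingerprinting; the family is enough to decide which
    browsers to test performance on. Chrome UAs also contain 'Safari', so
    the order of the checks matters."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    if "Safari/" in user_agent:
        return "Safari"
    return "Other"


def suppress_small_cells(counter: Counter, min_count: int) -> dict:
    """Fold cells with fewer than min_count hits into 'other' for that day and page.

    A referrer or browser seen once on a page could identify a single visitor."""
    out = Counter()
    for (day, page, value), n in counter.items():
        out[(day, page, value if n >= min_count else "other")] += n
    return dict(out)


def aggregate(log_text: str, min_count: int = 1) -> dict:
    """Count visits, source origins and browser families per (day, page).

    Each line is counted and forgotten: no session id, no IP, no ordering of
    pages within a visit, so browsing habits cannot be reconstructed."""
    visits, sources, browsers = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, page, referrer, user_agent = line.split("\t", 3)
        day = timestamp[:10]  # daily granularity, not per request
        visits[(day, page)] += 1
        sources[(day, page, referrer_origin(referrer))] += 1
        browsers[(day, page, browser_family(user_agent))] += 1
    return {
        "visits": dict(visits),
        "sources": suppress_small_cells(sources, min_count),
        "browsers": suppress_small_cells(browsers, min_count),
    }


if __name__ == "__main__":
    for metric, cells in aggregate(SAMPLE_LOG, min_count=2).items():
        print(metric)
        for key, count in sorted(cells.items()):
            print("  ", key, count)
```

With `min_count=2` the two Firefox and Chrome visits to /pricing on 3 May are reported together as 'other', and the single direct visit to /docs is likewise folded: the daily per-page totals stay exact while no row describes one identifiable visitor.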
GDPR-compliant tools
Some tools transfer data to the United States. When this chapter was written, such transfers were considered non-compliant with the GDPR; the legal framework for EU-US transfers has changed several times since the Schrems II ruling of 2020, so check the CNIL's current position before relying on this.
Google Analytics, for example, was singled out as a tool not to be used. In 2022, the CNIL found that its transfers of data to the United States did not comply with the GDPR (French) and served formal notices on organisations using it.
The CNIL has published a list of tools (French) and parameterization guides for producing privacy-friendly statistics.