What should the data subject be told about the processing of personal data?

According to the Data Protection Regulation, it should be clear to individuals that personal data concerning them are being processed. In accordance with the principle of transparency, the information and communication relating to the processing of such data should be easily accessible and comprehensible and should use clear and simple language. In order to produce clear information, one must genuinely understand how the company handles the information. Information must always be based on actual data processing - such as defined processing criteria, uses, processes and lifecycle.

The privacy notice should include at least the following information:

  • Contact details of the controller

  • Information to be processed

    • the categories of personal data concerned and where the personal data were obtained (if the data were collected from a source other than the data subject)

  • Purposes of processing, criteria for processing and storage times

    • the purposes of the processing of personal data and the legal basis for the processing

    • the legitimate interests of the controller or a third party

    • the retention period of the personal data or, if that is not possible, the criteria for determining this period

    • whether the provision of personal data is a statutory or contractual requirement or a requirement for the conclusion of the contract, and whether the data subject is obliged to provide personal data and the possible consequences of not providing such data;

    • automated decision-making, e.g. the existence of profiling, and at least in these cases the relevant information on the logic of the processing, as well as the significance of that processing and the possible consequences for the data subject;

  • Transfers and disclosures

    • recipients or groups of recipients of personal data

    • where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organization

  • Rights of the data subject

    • the right of the data subject to request from the controller access to personal data concerning him or her and the right to request the rectification or erasure of such data or to restrict or object to the processing, as well as the right to transfer data from one system to another;

    • the right to withdraw consent

    • the right to lodge a complaint with the supervisory authority

A more detailed table on the implementation of the information obligation can be found on the authority website.

How should the information be documented?

Under the old Finnish Personal Data Act, the information document was called the data file description. The GDPR does not stipulate the name of the document, but companies use terms such as privacy statements, privacy notices and privacy policies. More important than the name of the document is that the information is easily accessible to the data subject.

The GDPR requires information to be provided in a concise, transparent, easily understandable and accessible form in clear and simple language. Data protection authorities recommend information icons and the use of so-called layered information, in which the total information is broken down into smaller parts and the data subject is given more detailed information layer by layer. The essential point is that key and potentially surprising conditions are easy to find on the first layer. Layered information is a particularly good way to handle information on mobile devices.

When should the information be provided?

The information must in principle be provided when personal data is collected from the data subject, i.e. when, for example, the user comes to a website, launches an application, registers for a service or fills in a form. If personal data are collected from a source other than the data subject, the information must be provided within a reasonable time but no later than one month after receipt of the personal data. If personal data are used to communicate with the data subject concerned, the information shall be provided at the latest when the data subject is first contacted or, if personal data are to be transferred to another recipient, at the latest when this data is first transferred.

How can Legal Folks help?

Studies show that comprehensible privacy notices increase consumer confidence in businesses, and therefore it is worth investing in clear and easily accessible information. Particular attention must be paid to information where the processing may be surprising from the data subject's point of view. Information that implements the principle of transparency well can have a significant impact on whether, for example, processing based on a legitimate interest can be considered as not exceeding the fundamental rights and freedoms of the data subject. Thus, good data protection communications can promote business. Iconics has experience in several projects related to the development of data protection communication, and insights into international best practices. We are happy to share these lessons learnt with our customers.
