GDPR Requirements
At the time of the collection of personal data, all information must be communicated to the data subject (Article 13 (1), (2) + Article 14 (1), (2)).
Resulting Challenge
According to the EU-GDPR guidelines, the information must be understandable, easily accessible and communicated in clear and simple language in a written or electronic declaration to the data subject. However, awareness of the privacy statement must be a mandatory requirement for successful use of digital services. In addition, the data protection declaration must always be (even after the information has been provided) and easy to find (through max. 2 steps).
Technical Solution Approach
The data protection declaration must be shown to the affected person as text/image symbols in the application before the user registers. The subsequent registration may only be possible after the successful knowledge of the data protection declaration has been recorded. During use, the data protection declaration must be easy to find in the user interface at any time.
Checklist:
- Does the notification provide the following information: Name, contact details of the person responsible for data collection, contact details of the data protection officer, purposes of data processing and their legal basis, recipient of personal data, intention to transfer to a third country, duration of storage, right of access, rectification, deletion, limitation, revocation and complaint to a regulatory authority?
- Provision of personal data required by law or by contract?
- Do you use profiling? If so, notification of logic and implications involved?
- Is the data protection declaration easy to understand and easy to find at any time?
