Personal data shall be processed in a transparent manner that is understandable to the data subject (Article 5 (1a)).
The manner in which a service operates, and all relevant data processed in relation to an individual shall be identified and disclosed. It has to be stressed that disclosure and expulsion are a continuous requirement for the service. The core challenge is therefore to provide an interface that discloses information to the data subject, to fulfill transparency and traceability as required.
Technical Solution Approach
Three technical aspects have to be taken into account in order to meet the requirements of transparency and traceability:
- Overview of collected data: even before using the service, the provider must deliver a list of all data that is possibly collected by a service. For this aspect, the technical solution approach of Information Obligation (6) is recommended for implementation.
- Disclosure of stored data: Refer to the technical solution of the pattern Right of Access.
- Disclosure of data processing: this aspect is the utmost challenge. Ideally, all cloud processes relevant to the data subject should be disclosed in a transparent manner. In addition to the privacy statement, the disclosure of code (open source) can provide technically perceptive individuals with a deeper understanding of the way data is processed. At the very least, however, the provider should answer the key questions of the following checklist before collecting the d
- Have the questions of the checklist Information Obligation (6) been answered?
- Does the declaration of service contain procedures for processing of personal data?
- Is an explanation provided, that describes how collected data is handled and how a possible transfer of the data (to third parties) is handled?