Overview
This lecture covers the GDPR’s transparency principle and the main rights granted to data subjects, focusing on how organizations must inform and empower individuals about personal data processing.
Transparency Principle of GDPR
- The transparency principle ensures individuals know how their personal data is collected, processed, and used.
- Information for data subjects must be clear, concise, and free of legal jargon.
- Data subjects must have access to information about personal data processing activities.
- Organizations must proactively communicate details on processing purposes, legal bases, and data retention.
Privacy Notices
- Privacy notices inform individuals about data processing and help organizations comply with transparency obligations.
- Notices should include the data controller’s identity, contact details, and any Data Protection Officer (DPO) information.
- They must clearly explain the purpose and legal basis for processing personal data.
- Notices specify data retention periods and criteria for storage duration.
- An overview of data subject rights, such as access, rectification, erasure, and objection, must be provided.
Layered Notices
- Layered notices present the key information as a short summary (first layer) and the fuller detail in additional layers.
- The first layer covers controller identity, processing purposes, and how to get more information.
- Additional layers offer details on data retention, third-party sharing, and data transfer mechanisms.
- Layering prevents overwhelming data subjects with information.
Data Subjects' Rights under GDPR
- Right of Access: Individuals can request details and copies of their processed personal data.
- Right of Rectification: Subjects can correct inaccurate or incomplete personal data promptly.
- Right to Erasure ("Right to be Forgotten"): Subjects can request deletion of personal data under certain conditions, like consent withdrawal or unlawful processing.
- Right to Restriction: Subjects can limit processing if data accuracy is disputed or if there is no legal basis.
- Right to Object: Individuals can object to processing for marketing or legitimate interests; organizations must respect objections to marketing.
- Right to Consent and Withdrawal: Consent must be freely given, informed, and specific; withdrawing it must be easy, and withdrawal must stop the related processing immediately.
- Right Against Automated Decision-Making: Individuals can know about, challenge, and request human review of automated decisions, including profiling.
- Right to Data Portability: Subjects can obtain and transfer their data in a machine-readable format.
Restrictions on Rights
- Article 23 allows certain rights to be restricted for national security, public safety, or criminal investigations, provided the restriction is proportionate and the data subject's rights remain safeguarded.
Key Terms & Definitions
- Transparency Principle — Obligation to keep individuals informed about personal data processing.
- Privacy Notice — Document explaining how and why an organization processes personal data.
- Data Subject — Individual whose personal data is processed.
- Data Controller — Entity determining how and why personal data is processed.
- Profiling — Automated processing to evaluate personal aspects of an individual.
Action Items / Next Steps
- Review organizational privacy notices for clarity, completeness, and compliance.
- Read GDPR guidelines on data subject rights and transparency requirements.