ALF - Legal services in Africa > Articles > Personal data > RGPD – How to inform data subjects?

RGPD – How to inform data subjects?

23 January 2024
Posted by: Kelly HAZAN
Category: Personal data

STARTUPS, LEARN HOW TO INFORM YOUR USERS!

Informing data subjects is mandatory if your startup processes personal data. The RGPD requires clear and precise information. How do I inform the people whose personal data I process? What information do I need to pass on?

1. WHAT OBLIGATIONS DOES THE RGPD IMPOSE?

Pursuant to Articles 13 (direct collection) and 14 (indirect collection) of the RGPD, the data controller has an obligation to inform data subjects of the processing(s) carried out on their personal data when such data is collected directly from the data subject or when the data is collected indirectly (example: public data or on social networks).

2. WHAT INFORMATION MUST THE COMPANY PASS ON TO THE PERSONS CONCERNED?

Pursuant to the RGPD, the information that must appear within an information notice is as follows:

Identity and contact details of the data controller
Where applicable, identity and contact details of the data controller’s representative
If applicable, contact details of the Data Protection Officer (“DPO”)
Purposes of processing
Legal basis for processing (consent, performance of a contract, compliance with a legal obligation, etc.)
Whether the collection of personal data is mandatory or optional and the consequences for the individual in the event of failure to provide data
Where applicable, the legitimate interests of the controller or third party, if the processing is necessary for the purposes of those legitimate interests.
Recipients or categories of recipients of personal data, if any
Details of data transfers to third countries and associated guarantees
Length of time personal data is kept, or criteria for determining this length of time
Mention of each of the rights of data subjects (access, rectification, erasure, limitation of processing, opposition and portability, etc.).
Right to withdraw consent at any time, if applicable
Mention of the right to lodge a complaint with a supervisory authority
Mention of automated decision-making, if any, including profiling
In the case of indirect data collection: categories and source of data collected

Warning : Startups processing the personal data of individuals located in France: beware of the application of article 116 of the French Data Protection Act. This article imposes an information notice on the bottom of forms and questionnaires. This information, often found below contact forms on websites, must specify :

whether answers are mandatory or optional;
the identity of the data controller and, where applicable, that of its representative;
the purpose(s) of the processing for which the data is intended;
the rights of data subjects (e.g., the right to access, rectify and delete their personal data).

3. WHAT FORM CAN THIS INFORMATION TAKE?

While the RGPD does not impose any information medium, these notices must be legible, easily accessible, clear and understandable. For employees, this may take the form of a provision in the employment contract, an e-mail sent individually to each employee, a notice posted on employee information panels, or an information notice on the company intranet or in a file accessible to all employees.

In the case of partners, service providers and shareholders, this may take the form of a notice appearing in contracts, or at the bottom of e-mails, letters or collection forms sent to them.

This information can therefore take the form of :

a Confidentiality policy for the processing of personal data carried out via a website,
an internal policy for employees,
information at the bottom of forms, quotes or emails;
in a personal data protection clause in employment, customer or service provider/supplier contracts.

4. OUR ADVICE

Our advice:

Avoid copying existing privacy policies that are not adapted to the personal data processing carried out by your startup and that are sometimes not updated;
Choose a format that is legible, understandable and easily accessible;
Use simple, clear terms;
Provide information at different stages of the user journey;
Prioritize information and communicate it to the person concerned when their account is created, directly on the registration page;
On the same page, provide a link to a complete information notice (e.g. hypertext link to a Privacy Policy);
Update information notices.

5. WHAT ARE THE PENALTIES?

Personal data protection authorities can carry out remote checks and therefore sanction a startup if its website does not properly inform data subjects!

The penalties under the RGPD for failing to inform data subjects are 4% of the startup’s annual worldwide sales or 20 million euros in fines (whichever is higher).

References :

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Guidelines, recommendations and best practices published by the European Data Protection Committee (EDPS);
Article 29 Working Party (G29) guidelines approved by the EDPS.

Form : I would like to be assisted in my personal data protection compliance project

En remplissant ce formulaire de contact, African Legal Factory recueille et traite vos données à caractère personnel en tant que responsable de traitement afin de répondre à toutes vos interrogations. Vous disposez sur vos données d’un droit d’accès, de rectification, d’opposition, à l’effacement, à la limitation, à la portabilité et de donner des directives sur le sort de vos données après votre décès. Pour plus d’information relative au traitement de vos données personnelles veuillez consulter notre Politique de Confidentialité. [Privacy Policy]

Cookie	Duration	Description
__stripe_mid		Stripe sets this cookie to process payments.
__stripe_sid		Stripe sets this cookie to process payments.
_abck		This cookie is used to detect and defend against replay attempts. This cookie manages interaction with online robots and takes appropriate action.
ak_bmsc		This cookie is used by Akamai to optimize site security by distinguishing between humans and robots.
bm_sz		This cookie is set by the Akamai Bot Manager provider. This cookie is used to manage interaction with online bots. It also contributes to fraud prevention.
cookielawinfo-checkbox-analytics		Defined by the GDPR Cookie Consent plugin, this cookie is used to record user consent for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Functional" category.
cookielawinfo-checkbox-indispensable		The cookie is set by the GDPR cookie consent plugin to record the user's consent for cookies in the "Indispensable" category.
cookielawinfo-checkbox-necessary		Defined by the GDPR Cookie Consent plugin, this cookie is used to record the user's consent for cookies in the "Necessary" category .
cookielawinfo-checkbox-others		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Other" category.
CookieLawInfoConsent		Saves the state of the default button for the corresponding category and the state of the CCAC. It only works in coordination with the primary cookie.
redux_blast		This cookie is necessary for the operation of certain WordPress theme elements that make the website appear in the most optimal way for the visitor's device.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also tracks site usage for the site analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5BN1MYEN2Y		This cookie is set by Google Analytics.
_gat_gtag_UA_157972103_1		Defined by Google to distinguish users.
_gid		Installed by Google Analytics, the _gid cookie stores information about how visitors use a website, while creating an analytical report of site performance. The data collected includes the number of visitors, where they come from and the pages they visit anonymously.
CONSENT		YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
last_pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
last_pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_first_visit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_session_limit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_start_session		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.

Cookie	Duration	Description
_mcid		This is a Mailchimp functionality cookie used to evaluate UI/UX interaction with its platform.
bm_sv		This cookie is required for Akamai's cache function. A cache is used by the website to optimize the response time between the visitor and the website. The cache is usually stored on the visitor's browser. User bandwidth results are stored in this cookie to ensure that the bandwidth test is not repeated for the same user multiple times for the Akamai cache function.
cookies.js		No description available.
m		This cookie is set by stripe.
mailchimp_landing_site		This cookie is set by MailChimp to record the page the user visited for the first time.
pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
stm_lms_courses_watched		No description
wmc_current_currency		save currency settings.
wp_woocommerce_session_b80c8f798ec84ed7476594d4acafc57c		Contains a unique code for each customer, so you know where to find the basket data in the database for each customer.