Information Obligation of the Controller
The controller must inform data subjects about the processing of their personal data, including at least the following:
The controller's identity and contact details
The contact details of the data protection officer, if appointed
The purposes and legal basis for the processing of personal data
The categories of personal data and the retention period of personal data
Information on regular disclosures and transfers of personal data outside the EU/EEA
Information on automated decision-making, including profiling, used in the processing
Data subjects' rights, including the right to lodge a complaint with a supervisory authority
The data subject must be informed when their data is collected, and they must have easy access to information about the processing of data throughout the processing period.
The information should be provided in an easily understandable format, in clear and simple language. What constitutes sufficiently clear and simple language depends on the data subjects for whom the information is intended. For example, information intended for children should take into account their linguistic development. The information should also be transparent, meaning that a truthful and comprehensive description of the processing of personal data should be provided.
In order to comply with the information obligation, the controller may create a privacy policy, for example. There are no formal requirements for a privacy policy, and it may be in the form of a comic strip if this is appropriate for the context and sufficient information about the processing of data can be conveyed through the comic strip. Typically, however, privacy policies are drafted in a list format.