During his navigation, the Internet user must be informed at different times that the site, service or application he is browsing may puncture his personal data. But not all of them comply with this regulatory obligation.
In the happy world of the “Internet”, the General Data Protection Regulation (GDPR) obliges companies that use the personal data of Internet users to provide them with certain information. What is this information and when should you read it during our navigation? Clubic gives you some answers.
When should you be informed about the use of personal data?
The GDPR provides three times when a site, service or application must inform you about the collection of personal data.
- First, the company must inform the user at the time of collection in the case of so-called “direct” collection (this is defined below in the article), or as soon as possible in the case of indirect data collection.
- The Internet user must also be kept informed of the use of his data precisely in the event of a modification of their use.
- Finally, the company is required to regularly inform the Internet user of the use of his personal data. The GDPR refers here to the criterion of transparency.
We spoke above of direct collection and indirect collection of data. A direct collection is carried out through the filling of a form, during an online purchase; signing a contract; the opening of an account or in the event of observation of the activity of the Internet user, such as data related to geolocation, audience measurement or navigation analysis. Indirect collection, on the other hand, concerns data collected from commercial partners.
What information should be exchanged?
By personal data, we mean the surname, first name, identifier, telephone number, etc. You are now familiar with this concept present in our daily navigation. But what is the information that the site, service or application must give you, in case of collection? They are quite numerous, and here again, the GDPR is respected by an increasing number of players, even if some, such as OpenAI and its famous ChatGPT, still have difficulty complying with all its provisions.
- The identity and contact details of the body responsible for processing the data must be communicated.
- The contact details of the data protection officer as well.
- Also, the legal basis of the data processing, which includes the consent of the Internet user in particular.
- The retention period of the data, the recipients or the categories of recipients of the data are also essential elements.
- And the Internet user must be able to be informed of his rights: the possibility of rectifying or erasing his data; withdrawal of consent; access to its data; the possibility of filing a complaint with the CNIL.
Source : Ministry of Economy
4