The GDPR principles include a requirement on Data Controllers to be ‘transparent’ about the Personal data processing that we do, and for this to include specific and explicit explanations about the purposes of this processing.
This is supported by the GDPR rights to be informed about the processing when data is being collected directly by us, and when it is being collected indirectly (i.e. from another organisation)
The law says that the act of informing a Data Subject requires the following information to be made available:
The required information should be made available to the Data Subject:
Where we obtain data directly from the Data Subject this is usually done by asking them to fill in a form (manually or on a website), obtained verbally (we write or make audio/ video recordings of information given) or we take photographs. In advance of or at the time that these events are occurring, we need to make available the information that allows a Data Subject to make a decision about whether they are comfortable with how we intend to process their data.
This information must be presented in a way that is:
“concise, transparent, intelligible and [in an] easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”