Personal data controllers should provide clear and easily accessible information about their data collection and processing policies and practices.
- Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
- There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
- The General Assembly (...) 7. Calls upon business enterprises: (...) (b) To inform users in a clear and easily accessible way about the collection, use, sharing and retention of their data that may affect their right to privacy and to establish transparency policies, as appropriate.
- States should encourage social media, media, search and recommendation engines and other intermediaries which use algorithms, along with media actors, regulatory authorities, civil society, academia and other relevant stakeholders to engage in open, independent, transparent and participatory initiatives that: – improve the transparency of the processes of online distribution of media content, including automated processes.
- States should encourage social media, media, search and recommendation engines and other intermediaries which use algorithms, along with media actors, regulatory authorities, civil society, academia and other relevant stakeholders to engage in open, independent, transparent and participatory initiatives that: (...) – implement the principle of privacy by design in respect of any automated data processing techniques and ensure that such techniques are fully compliant with the relevant privacy and data protection laws and standards.
- Internet intermediaries should ensure that all terms of service agreements and policies specifying the rights of users and all other standards and practices for content moderation and the processing and disclosure of user data are publicly available in clear, plain language and accessible formats.
- Internet intermediaries should clearly and transparently provide meaningful public information about the operation of automated data processing techniques in the course of their activities, including the operation of algorithms that facilitate searches based on user profiling or the distribution of algorithmically selected and personalised content, such as news. This should include information on which data is being processed, how long the data processing will take, which criteria are used, and for what purpose the processing takes place.
- Internet intermediaries should limit the processing of personal user data to what is necessary in the context of a clearly defined purpose, which is explicitly communicated to all users in a proactive manner. The processing, including collection, retention, aggregation, storage, adaptation, alteration, linking or sharing of personal data shall be based on the free, specific, informed and unambiguous consent of the user, with respect to a specific purpose, or on another legitimate basis laid down by law, as prescribed by Convention 108.
- Users have the right to access their personal data and to obtain correction, deletion and blocking of it. Intermediaries should therefore provide them with relevant information at all stages of processing, using clear and plain language, especially where such information is addressed to children. Moreover, intermediaries should inform users clearly about the conditions under which they may exercise the right to personal data erasure, to object to the processing of data and to withdraw consent provided for the processing of personal data, following which all processing based on the consent of the user should be terminated.
- The Committee of Ministers therefore, under the terms of Article 15.b of the Statute of the Council of Europe, recommends that member States, in consultation with private sector actors and civil society, develop and promote coherent strategies to protect freedom of expression, access to information and other human rights and fundamental freedoms in relation to search engines in line with the Convention for the Protection of Human Rights and Fundamental Freedoms (...), in particular by engaging with search engine providers to carry out the following actions: (...) – enhance transparency in the collection of personal data and the legitimate purposes for which they are being processed; – enable users to access easily, and, where appropriate, to correct or delete their personal data processed by search engine providers; – develop tools to minimise the collection and processing of personal data, including enforcing limited retention periods, adequate irreversible anonymisation, as well as tools for the deletion of data.
- Member States (through the designated authorities) should enforce compliance with the applicable data protection principles, in particular by engaging with search engine providers to carry out the following actions: – ensure that the collection of personal data by search engine providers is minimised. No user’s IP address should be stored when it is not necessary for the pursuit of a legitimate purpose and when the same results can be achieved by sampling or surveying, or by anonymising personal data. Innovative approaches promoting anonymous searches should also be encouraged; – ensure that retention periods are not longer than strictly necessary for the legitimate and specified purposes of the processing. Search engine providers should be in a position to justify with demonstrable reasons the collection and the retention of personal data. Information in this connection should be made publicly available and easily accessible; – ensure that search engine providers apply the most appropriate security measures to protect personal data against unlawful access by third parties and that appropriate data breach notification schemes are in place. Measures should include “end-to-end” encryption of the communication between the user and the search engine provider; – ensure that individuals are informed with regard to the processing of their personal data and the exercise of their rights, in an intelligible form, using clear and plain language, adapted to the data subject. Search engines should clearly inform users up front of all intended uses of their data (emphasising that the initial purpose of such processing is to better respond to their search requests) and respect the user’s right with regard to their personal data. They should inform individuals if their personal data has been compromised.
- The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe, recommends that member States, in consultation with private sector actors and civil society, develop and promote coherent strategies to protect and promote respect for human rights with regard to social networking services, in line with the Convention for the Protection of Human Rights and Fundamental Freedoms (...), in particular by engaging with social networking providers to carry out the following actions: (...) − enhance transparency about data processing, and refraining from illegitimate processing of personal data.
- Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include: a) the fact that personal information is being collected; b) the purposes for which personal information is collected; c) the types of persons or organizations to whom personal information might be disclosed; d) the identity and location of the personal information controller, including information on how to contact them about their practices and handling of personal information; e) the choices and means the personal information controller offers individuals for limiting the use and disclosure of, and for accessing and correcting, their personal information.
- Companies that hold large amounts of users’ data should develop robust and meaningfully transparent privacy policies and processes in consultation with civil society and other stakeholders, consistent with their responsibilities to respect human rights.
- Digital actors should, as relevant, be transparent about the use and any practical impact of any automated tools they use, albeit not necessarily the specific coding by which those tools operate, including inasmuch as those tools affect data harvesting, targeted advertising, and the sharing, ranking and/or removal of content, especially election-related content.