Informing data subjects

02 July 2024

Organizations that process personal data to develop AI models or systems must inform concerned data subjects. The CNIL specifies the obligations in this regard.

 

This how-to sheet is open for public consultation until October the 1st 2024. More information.
This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.

Ensuring the transparency of processing

The principle of transparency requires organizations that process personal data to inform data subjects so that they understand why and how their data will be used and can exercise their rights (rights of opposition, access, rectification, etc.).

This principle applies to any processing of personal data, regardless of whether the data is:

  • directly collected from the data subjects: for example, in the context of a contract with voluntary actors to create a training dataset, when providing a service, in the context of a relationship between a citizen and a public body, etc.;
     
  • or indirectly collected: for example, when data is collected on the Internet via file downloads, using web scraping tools or using application programming interfaces (APIs) made available by online platforms to re-users; when the information is obtained from institutional or business partners such as data brokers, or by reusing an existing dataset, etc.

Note: if the organization processing the data has not directly collected the personal data from the data subjects, it may be exempted from informing data subjects individually if such information is impossible in practice or would require disproportionate efforts.

What information should I provide?


When should the information be provided?


How do I provide the information?


Cases where the provision of individual information is not mandatory


Best practices for more transparency on development processing