The EDPB publishes new guidelines for personal data protection

April 11, 2023

The European Data Protection Board (EDPB) has recently published, after a public inquiry with different segments of European society, three new guidelines related to the protection of personal data. They are the following:

  1. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
  2. Guidelines 07/2022 on certification as a tool for transfers
  3. Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

The following is a brief description of each of them:

1.1. GUIDELINES 05/2021 ON THE INTERPLAY BETWEEN THE APPLICATION OF ARTICLE 3 AND THE PROVISIONS ON INTERNATIONAL TRANSFERS AS PER CHAPTER V OF THE GDPR

Given that the GDPR (General Data Protection Regulation) does not define what “transfer of personal data to a third country or to an international organization” is, the EDPB used three cumulative criteria to qualify a processing operation as a transfer. Thus, if the three criteria identified by the EDPB are met, it regards a transfer and Chapter V of the GDPR is applicable. They are:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing;
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”); and
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

Thus, the transfer of personal data to a third country or to an international organization may only occur in the context of an adequacy decision by the European Commission (Article 45) or by providing of appropriate safeguards (Article 46).

If the three criteria are not met, Chapter V of the GDPR does not apply, but the controller must comply with the remaining provisions of the GDPR, in particular Article 5 (“Principles relating to the processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of Processing”).

The risks of such personal data processing in a foreign country not complying with the GDPR are especially focused on conflicting national laws or disproportionate government access.

The examples are the highlight of these guidelines. They are an aid in understanding the issue in practical cases, as shown below:

Example 1 – Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR)

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In this case, the data subject (Maria) passes her personal data to the third country company. This does not constitute a transfer of personal data since the data are not passed by an exporter (controller or processor), but directly collected from the data subject by the controller under Article 3(2) GDPR. Thus, Chapter V does not apply to this case. Nevertheless, the third country company will be required to apply the GDPR since its processing operations are subject to Article 3(2).

Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In order to process the orders received by means of the website, the third country company has engaged a non-EEA processor. In this case, the data subject (Maria) passes her personal data to the third country company and this does not constitute a transfer of personal data since the data are directly collected by the controller under Article 3(2) GDPR. Thus, the controller will have to apply the GDPR to the processing of this personal data. As far as it engages a non-EEA processor, such disclosure from the third country company to its non-EEA processor would amount to a transfer, and it will be required to apply Article 28 and Chapter V obligations so as to ensure that the level of protection afforded by the GDPR would not be undermined when data are processed on its behalf by the non-EEA-processor.

Example 3 – Controller in a third country receives data directly from a data subject in the EU (but not under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, decides to book a room in a hotel in New York using a form on the hotel website. Personal data are collected directly by the hotel which does not target/monitor individuals in the EEA. In this case, no transfer takes place since data are passed directly by the data subject and directly collected by the controller Also, since no targeting or monitoring activities of individuals in the EEA are taking place by the hotel, the GDPR will not apply, including with regard to any processing activities carried out by non-EEA processors on behalf of the hotel.

Example 4 – Data collected by an EEA platform and then passed to a third country controller

Maria, living in Italy, books a room in a hotel in New York by means of an online EEA travel agency. Maria’s personal data, necessary for booking the hotel, are collected by the EEA online travel agency as a controller and sent to the hotel receiving the data as a separate controller. While passing the personal data to the third country hotel, the EEA travel agency carries out a transfer of personal data and Chapter V GDPR applies.

Example 5 – Controller in the EU sends data to a processor in a third country

Company X established in Austria, acting as controller, provides personal data of its employees or customers to Company Z in a third country, which processes these data as processor on behalf of Company X. In this case, data are provided from a controller, which as regards the processing in question, is subject to the GDPR, to a processor in a third country. Hence, the provision of data will be considered as a transfer of personal data to a third country and therefore Chapter V of the GDPR applies.

Example 6 – Processor in the EU sends data back to its controller in a third country

XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them data subjects not located in the EU, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

Example 7 – Processor in the EU sends data to a sub-processor in a third country

Company A established in Germany, acting as controller, has engaged B, a French company, as a processor on its behalf. B wishes to further delegate a part of the processing activities that it is carrying out on behalf of A to sub-processor C, a company in a third country, and hence to send the data for this purpose to C. The processing performed by both A and its processor B is carried out in the context of their establishments in the EU and is therefore subject to the GDPR pursuant to its Article 3(1), while the processing by C is carried out in a third country. Hence, the passing of data from processor B to sub-processor C is a transfer to a third country, and Chapter V of the GDPR applies.

Example 8 – Employee of a controller in the EU travels to a third country on a business trip

George, employee of A, a company based in Poland, travels to a third country for a meeting bringing his laptop. During his stay abroad, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This bringing of the laptop and remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller A. Therefore, the transmission is carried out within the same controller A. The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR. It can, however, be noted that in case George, in his capacity as an employee of A, would send or make data available to another controller or processor in the third country, the data flow in question would amount to a transfer under Chapter V; from the exporter (A) in the EU to such importer in the third country.

Example 9: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country

The Irish Company X, which is a subsidiary of the parent Company Y in a third country, discloses personal data of its employees to Company Y to be stored in a centralised HR database by the parent company in the third country. In this case the Irish Company X processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company X is subject to the GDPR pursuant to Article 3(1) for this processing and Company Y is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

Example 10 – Processor in the EU sends data back to its controller in a third country

Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B, is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.

Example 11 – Remote access to data in the EU by a third country processor acting on behalf of EU controllers

A company in a third country (Company Z), with no establishment in the EU, offers services as a processor to companies in the EU. Company Z, acting as processor on behalf of the EU controllers, is remotely accessing, e.g. for support purposes, the data which is stored in the EU. Since Company Z is located in a third country, such remote access results in transfers of data from the EU controllers to their processor (Company Z) in a third country under Chapter V.

Example 12 – Controller in the EU uses a processor in the EU subject to third country legislation

The Danish Company X, acting as controller, engages Company Y established in the EU as a processor on its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y is processing the data of Company X exclusively in the EU and there is no one outside the EU, including the parent Company Z, who has access to the data. Additionally, it follows from the contract between Company X and Company Y that Company Y shall only process the personal data on documented instructions from Company X, unless required to do so by EU or Member State law to which Company Y is subject. Company Y is however subject to third country legislation with extraterritorial effect, which in this case means that Company Y may receive access requests from third country authorities. Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), the disclosure of data from the controller Company X to the processor Company Y does not amount to a transfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility that Company Y receives access requests from third country authorities and should Company Y comply with such request, such disclosure of data would be considered a transfer under Chapter V. Where Company Y complies with a request in violation of the controller’s instructions and thus Article 28 GDPR, Company Y shall be considered an independent controller of that processing under Article 28(10) GDPR. In this situation, the controller Company X should, before engaging the processor, assess these circumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract or legal act governing the processing by the processor.

1.2. GUIDELINES 07/2022 ON CERTIFICATION AS A TOOL FOR TRANSFERS

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organizations. Among these safeguards, certification emerges as a new transfer mechanism (Articles 42(2) and 46(2) (f).

According to Article 44 of the GDPR, any transfer of personal data to third countries or international organizations must comply with the conditions of the remaining provisions of the GDPR in addition to compliance with its Chapter V. Therefore, each transfer must comply, among others, with the data protection principles of Article 5 of the GDPR, comply with Article 6 of the GDPR and with Article 9 of the GDPR in the case of special data categories.

Thus, a two-step test should be applied. As a first step, one must ensure compliance with the general provisions of the GDPR. Then, as a second step, one must comply with the provisions of Chapter V of the GDPR.

Pursuant to Article 46(2)(f) of the GDPR, such appropriate safeguards, such as respecting the rights of data subjects, can be provided by an approved certification mechanism, together with binding and enforceable commitments from the controller or operator in the third country.

The EDPB is empowered to approve EEA-wide certification criteria (European Data Protection Seal) and to provide opinions on Supervisory Authorities’ draft decisions on certification criteria and accreditation requirements of the certification bodies so as to ensure consistency. It is also competent for collating all certification mechanisms and data protection seals and marks in a register and making them publicly available.

The Supervisory Authorities (SAs) approve the certification criteria when the certification mechanism is not a European Data Protection Seal. They might also accredit the certification body, design the certification criteria and issue certification if established by the national law of their Member State.

On the other hand, the National Accreditation Body may accredit third party certification bodies by using ISO 17065 and the SAs additional accreditation requirements, which should be in line with section 2 of these guidelines. In some Member States, the accreditation can be offered as well by the competent SA as well as being carried out by a national accreditation body or by both.

And finally, the Scheme Owner is another important stakeholder. It is an organisation which has set up certification criteria and the methodology requirements according to which conformity is to be assessed. The organisation carrying out the assessments could be the same organisation that has developed and owns the scheme, but there could be arrangements where one organisation owns the scheme, and another (or more than one other) performs the assessments as Certification body.

Furthermore, the data exporter who wants to use a certification as appropriate safeguard according to Article 46 (2) (f) GDPR is notably obliged to verify whether the certification it intends to rely on is effective in light of the characteristics of the intended processing. To that end, the data exporter must check the issued certification in order to verify if the certificate is valid and not expired, if it covers the specific transfer to be carried out and whether the transit of personal data is in the scope of certification, as well as if onward transfers are involved and an adequate documentation is provided on them. Considering that the exporter is responsible for all provisions in Chapter V being applied, it has also to assess whether the certification it intends to rely on as a tool for transfers is effective in the light of the law and practices in force in the third country that are relevant for the transfer at stake.

Considering that the exporter is responsible for all provisions in Chapter V being applied, it has also to assess whether the certification it intends to rely on as a tool for transfers is effective in the light of the law and practices in force in the third country that are relevant for the transfer at stake. Therefore, certification should be based on the assessment of certification criteria according to a mandatory audit methodology.

The following minimum criteria must be considered by the certification mechanism with respect to processing:

  1. the purpose;
  2. the type of entity (controller or operator);
  3. the type of data transferred taking into account whether special categories of personal data as defined in Article 9 GDPR are involved;
  4. the categories of data subjects; and
  5. the countries where the data processing takes place.

With regard to Transparency and the Data subjects’ rights, the certification criteria should:

  1. Require that information on the processing activities should be provided to data subjects, including, where relevant, on the transfer of personal data to a third country or an international organisation (see Articles 12, 13, 14 GDPR);
  2. require that data subjects are guaranteed their rights to access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, right not to be subject to decisions based solely on automated processing, including profiling, essentially equivalent to those provided for by Articles 15 to 19, 21 and 22 GDPR;
  3. require that an appropriate complaint handling procedure is established by the data importer holding a certification in order to ensure the effective implementation of the data subject rights
  4. require assessing whether and to what extent these rights are enforceable for the data subjects in the relevant third country and any additional appropriate measures that may need to be put in place to enforce them, e.g. requiring that the importer will accept to submit itself to the jurisdiction of and cooperate with the supervisory authority competent for the exporter(s) in any procedures aimed at ensuring compliance with these rights and, in particular, that it agrees to respond to enquiries, submit to audits and comply with the measures adopted by aforementioned supervisory authority, including remedial and compensatory measures.

Additional certification criteria include assessment of third country legislation, general obligations of importers and exporters, rules on onward transfers, redress and enforcement of data subject rights, process and actions for situations in which national legislation prevents compliance with commitments taken as part of certification, dealing with requests for data access by third country authorities and additional safeguards concerning the exporter.

Again, a list of examples of complementary measures to be implemented by the importer in case the transit is included in the scope of the certification is a high point of the guidelines. They are the following:

Use case 1 – Data storage for backup and other purposes that do not require access to data in the clear

Criteria relating to the encryption standards and the security of the decryption key, in particular criteria relating to the legal situation in the third country, must be established. If the importer can be forced to pass on decryption keys, the additional measure cannot be considered effective.

Use case 2 – Transfer of pseudonymised Data

In the case of pseudonymised data, criteria shall be established regarding the security of the additional information necessary to attribute the transferred data to an identified or identifiable person. In particular:

– Criteria regarding the legal situation in the third country. If the importer can be forced to access or use additional data in order to attribute the data to an identified or identifiable person, the measure cannot be considered effective; and

– Criteria relating to the definition of additional information available to third country authorities that might be sufficient to attribute the data to an identified or identifiable person.

Use case 3 – Encryption of data to protect it from access by the public authorities of the third country of the importer when it transits between the exporter and its importer

In the case of encrypted data, any criteria for the security of the transit shall be included. If the importer can be forced to pass on cryptographic keys for decryption or authentication or to modify a component used for transit in such a way that its security properties are undermined, the additional measure cannot be considered effective.

Use case 4 – Protected recipient

In the case of protected recipients, criteria for the limits of the privilege must be defined. The data processing must remain within the limits of the legal privilege. This also applies to processing by (sub)processors and onward transfers, whose recipients must also be privileged.

Another list of examples of complementary measures in case the transit is not covered by the certification and the exporter has to ensure them is equally interesting:

Use case 1 – Transfer of pseudonymised Data

Criteria shall be provided relating to the additional information available to the third country authorities that might be sufficient to attribute the data to an identified or identifiable person.

Use case 2 – Encryption of data to protect it from access by the public authorities of the third country of the importer when it transits between the exporter and its importer

Criteria shall be provided relating to the trustworthiness of the public key certification authority or infrastructure used, the security of the cryptographic keys used for authentication or decryption and the reliability of key management, and the use of properly maintained software without known vulnerabilities. If the importer can be forced to disclose cryptographic keys suitable for decryption or authentication or to modify a component used for transit in order to undermine its security properties, the measure cannot be considered effective.

Use case 3 – Protected recipient

In the case of protected recipients, criteria for the limits of the privilege must be defined. The data processing must remain within the limits of the legal privilege. This also applies to processing by (sub)processors and onward transfers, whose recipients must also be privileged.

1.3. GUIDELINES 03/2022 ON DECEPTIVE DESIGN PATTERNS IN SOCIAL MEDIA PLATFORM INTERFACES: HOW TO RECOGNISE AND AVOID THEM

These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called “deceptive design patterns” in social media interfaces that infringe on GDPR requirements.

Regarding the data protection compliance of user interfaces of online applications within the social media sector, the data protection principles applicable are set out within Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR serves as a starting point to assess whether a design pattern actually constitutes a “deceptive design pattern”.

The EDPB gives concrete examples of deceptive design pattern types for the following different use cases within this life cycle. They are: the sign-up, i.e. registration process; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; and, finally, closing a social media account.

The deceptive design patterns addressed within these Guidelines result from an interdisciplinary analysis of existing interfaces. They can be divided into the following categories:

  1. Overloading: users are confronted with an avalanche/ large quantity of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of data subject.
  2. Skipping: designing the interface or user journey in a way that the users forget or do not think about all or some of the data protection aspects.
  3. Stirring: affects the choice users would make by appealing to their emotions or using visual nudges.
  4. Obstructing: an obstruction or blocking of users in their process of getting informed or managing their data by making the action hard or impossible to achieve.
  5. Obstructing: an obstruction or blocking of users in their process of getting informed or managing their data by making the action hard or impossible to achieve; and
  6. Left in the dark: an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.

As the EDPB already stated, fairness is an overarching principle which requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. If the interface has insufficient or misleading information for users and fulfils the characteristics of deceptive design patterns, it can be classified as unfair processing. The fairness principle has an umbrella function and all deceptive design patterns would not comply with it irrespectively of compliance with other data protection principles.

The first step users need to take in order to have access to a social media platform is signing up by creating an account. As part of this registration process, users are asked to provide their personal data, such as first and last name, email address or sometimes phone number. Users need to be informed about the processing of their personal data and they are usually asked to confirm that they have read the privacy notice and agree to the terms of use of the social media platform. This information needs to be provided in a clear and plain language, so that users are in a position to easily understand it and knowingly agree.

Consent freely given, specific, informed at the registration step. For social media providers who ask for users’ consent for varying purposes of processing, the EDPB Guidelines 05/2020 on consent provide valuable guidance on consent collection. Social media platforms must not circumvent conditions, such as data subjects’ ability to freely give consent, through graphic designs or wording that prevents data subjects from exercising said will. In that regard, Article 7 (2) GDPR states that the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Users of social media platforms can provide consent for ads or special types of analysis during the sign-up process, and at a later stage via the data protection settings. In any event, as Recital 32 GDPR underlines, consent always needs to be provided by a clear affirmative act, so that pre-ticked boxes or inactivity of the users do not constitute consent.

In accordance with Article 7 (3) phrase 1 GDPR, users of social media platforms shall be able to withdraw their consent at any time. Prior to providing consent, users shall also be made aware of the right to withdraw the consent, as required by Article 7 (3) phrase 3 GDPR. In particular, controllers shall demonstrate that users have the possibility to refuse providing consent or to withdraw the consent without any detriment. Users of social media platforms who consent to the processing of their personal data with one click, for example by ticking a box, shall be able to withdraw their consent in an equally easy way. This underlines that consent should be a reversible decision, so that there remains a degree of control for the data subject. The easy withdrawal of consent constitutes a prerequisite of valid consent under Article 7 (3) phrase 4 GDPR and should be possible without lowering service levels. As an example, consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time.

Again the examples make understanding deceptive media standards easier. They are:

Example 1

Variation A: In the first step of the sign-up process, users are required to choose between different options for their registration. They can either provide an email address or a phone number. When users choose the email address, the social media provider still tries to convince users to provide the phone number, by declaring that it will be used for account security, without providing alternatives on the data that could be or was already provided by the users. Concretely, several windows pop up throughout the sign-up process with a field for the phone number, along with the explanation “We’ll use your [phone] number for account security”. Although users can close the window, they get overloaded and give up by providing their phone number. Variation B: Another social media provider repeatedly asks users to provide the phone number every time they log into their account, despite the fact that users previously refused to provide it, whether this was during the sign-up process or at the last log-in.

Example 2

A social media platform uses an information or a question mark icon to incite users to take the “optional” action currently asked for. However, rather than just provide information to users who expect help from these buttons, the platform prompts users to accept importing their contacts from their email account by repeatedly showing a pop-up saying “Let’s do it”.

Example 3

When registering to a social media platform via desktop browser, users are invited to also use the platform’s mobile application. During what looks like another step in the sign-up process, users are invited to discover the app. When they click on the icon, expecting to be referred to an application store, they are asked instead to provide their number to receive a text message with the link to the app.

Example 4

The social media platform asks users to share their geolocation by stating: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!”

Example 5

Social media provider incentivises users to encourage them to share more personal data than actually required by prompting users to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!

Example 6

The part of the sign-up process where users are asked to upload their picture contains a “?” button. Clicking on it reveals the following message: “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me’.”

Example 7

During the sign-up process, users who click on the “skip” buttons to avoid entering certain kind of data are shown a pop-up window asking “Are you sure?” By questioning their decision and therefore making them doubt it, social media provider incites users to review it and disclose these kinds of data, such as their gender, contact list or picture. In contrast, users who choose to directly enter the data do not see any message asking to reconsider their choice.

Example 8

Immediately after completing the registration, users are only able to access data protection information by calling up the general menu of the social media platform and browse the submenu section that includes a link to “privacy and data settings”. Upon a visit to this page, a link to the privacy policy is not visible at first glance. Users have to notice, in a corner of the page, a tiny icon pointing to the privacy policy, which means that users can hardly notice where the information to the data protection related policies are.

Example 9

In this example, when users enter their birthdate, they are invited to choose with whom to share this information. Whereas less invasive options are available, the option “share it with everyone” is selected by default, meaning that everyone, i.e. registered users as well as any internet users, will be able to see the users’ birthdate.

Example 10

Users are not provided with any links to data protection information once they have started the sign-up process. Users cannot find this information as none is provided anywhere in the sign-up interface, not even in the footer.

Example 11

During the sign-up process, users can consent to the processing of their personal data for advertising purposes and they are informed that they can change their choice whenever they want once registered on the social media by going to the privacy policy. However, once users have completed the registration process and they go to the privacy policy, they find no means or clues on how to withdraw their consent for this processing.

Example 12

In this example, the information related to data sharing gives a highly positive outlook of the processing by highlighting the benefits of sharing as many data as possible. Coupled to the illustration representing the photograph of a cute animal playing with a ball, this Emotional Steering can give users the illusion of safety and comfort with regard to the potential risks of sharing some kind of information on the platform. On the other hand, information given on how to control the publicity of one’s data is not clear. First it is said that users can set their sharing preference any time they want. Then, however, the last sentence indicates that this is not possible once something has already been posted on the platform. Those pieces of Conflicting Information leave users unsure of how to control the publicity of their data.

Example 13

Information related to data subject rights is spread across the privacy notice. Although different data subject rights are explained in the section “Your options”, the right to lodge a complaint and the exact contact address is stated only after several sections and layers referring to different topics. The privacy notice therefore partly leaves out contact details at stages where this would be desirable and advisable.

Example 14

The privacy policy is not divided into different sections with headlines and content. There are more than 70 pages provided. However, there is no navigation menu on the side or the top to allow users to easily access the section they are looking for. The explanation of the self-created term “creation data” is contained in a footnote on page 67.

Example 15

A privacy notice describes part of a processing in a vague and imprecise way, as in this sentence: “Your data might be used to improve our services”. Additionally, the right of access to personal data is applicable to the processing as based on Article 15 (1) GDPR but is mentioned in such a way that it is not clear to users what it allows them to access: "You can see part of your information in your account and by reviewing what you've posted on the platform."

Example 16

Variation A: The social media platform is available in Croatian as the language of users’ choice (or in Spanish as the language of the country they are in), whereas all or certain information on data protection is available only in English. Variation B: Each time users call up certain pages, such as the help page, these automatically switch to the language of the country users are in, even if they have previously selected a different language.

Example 17

On its platform, the social media provider makes available a document called “helpful advice” that also contains important information about the exercise of data subject rights. However, the privacy policy does not contain any link or other hint to this document. Instead, it mentions that more details are available in the Q&A section of the website. Users expecting information about their rights in the privacy policy will therefore not find these explanations there and will have to navigate further and search through the Q&A section.

Example 18

In its privacy policy, a social media provider offers many hyperlinks to pages with further information on specific topics. However, there are several parts in the privacy policy containing only general statements that it is possible to access more information, without saying where or how.

Example 19

With regard to deceptive design patterns, the challenge for controllers in this constellation is to integrate this information into the online system in such a way that it can be easily perceived and does not lose its clarity and comprehensibility, even though Article 12 (1) phrase 1 GDPR does not refer directly to Article 26 (2) phrase 2 GDPR.

Example 20

The controller only refers to actions of a third party. A given data breach was originated by a third party (e.g. a processor) and that therefore no security breach occurred. The controller also highlights some good practices that have nothing to do with the actual breach. The controller declares the severity of the data breach in relation to itself or to a processor, rather than in relation to the data subject.

Example 21

Through a data breach on a social media platform, several sets of health data were accidentally accessible to unauthorised users. The social media provider only informs users that “special categories of personal data” were accidentally made public.

Example 22

The controller only provides vague details when identifying the categories of personal data affected. E.g. the controller refers to documents submitted by users without specifying what categories of personal data these documents include and how sensitive they were.

Example 23

When reporting the breach, the controller does not sufficiently specify the category of the affected data subjects. E.g., the controller only mentions that concerned data subjects were students, but the controller does not specify whether the data subjects are minors or groups of vulnerable data subjects.

Example 24

A controller declares that personal data was made public through other sources when it notifies the breach to the Supervisory Authority and to the data subject. Therefore, the data subject considers that there was no security breach.

Example 25

The controller reports through texts that contain a lot of non-relevant information and omit the relevant details. In security breaches that affect access credentials and other types of data, the controller declares that the data is encrypted or hashed, while this is only the case for passwords.

Example 26

The interface uses a toggle switch to allow users to give or withdraw consent. However, the way the toggle is designed does not make it clear in which position it is and if users have given consent or not. Indeed, the position of the toggle does not match the colour. If the toggle is on the right side, which is usually associated with the activation of the feature (“switch on”), the colour of the switch is red, which usually signifies that a feature is turned off. Conversely, when the switch is on the left side, usually meaning the feature is turned off, the toggle background colour is green, which is normally associated with an active option.

Example 27

The social media provider gives contradictory information to users: Although the information first asserts that contacts are not imported without consent, a pop-up information window simultaneously explains how contacts will be imported anyway.

Example 28

Users browse their social media feed. While doing so, they are shown advertisements. Intrigued by one ad and curious about the reasons it is shown to them, they click on a “?” sign available on the right bottom corner of the ad. It opens a pop-in window that explains why users see this particular ad and lists the targeting criteria. It also informs users that they can withdraw their consent to targeted advertisement and provides a link to do so. When users click on this link, they are redirected to an entirely different website giving general explanations on what consent is and how to manage it.

Example 29

In the part of the social media account where users can share thoughts, pictures, etc., they are asked to confirm that they would like to share this content once they have typed it in or uploaded it. Users can choose between a button saying “Yes, please.” and another one saying “No, thank you.” However, once users decide against sharing the content with others by clicking on the second button, the content is published on their social media account.

Example 30

A cookie banner on the social media platform states “For delicious cookies, you only need butter, sugar and flour. Check out our favourite recipe here [link]. We use cookies, too. Read more in our cookie policy [link].”, along with an “okay” button.

Example 31

Users want to manage the permissions given to the social media platform based on consent. They have to find a page in the settings related to those specific actions and wish to disable the sharing of their personal data for research purposes. When users click on the box to untick it, nothing happens at the interface level and they get the impression that the consent cannot be withdrawn.

Example 32

A social media provider works with third parties for the processing of its users’ personal data. In its privacy policy, it provides the list of those third parties without providing a link to each of their privacy policies, merely telling users to visit the third parties websites in order to get information on how these entities process data and to exercise their rights.

Example 33

A social media provider does not provide a direct opt-out from a targeted advertisement processing even though the consent (opt-in) only requires one click.

Example 34

Information to withdraw consent is available from a link only accessible by checking every section of their account and information associated to advertisements displayed on the social media feed.

Example 35

In this example, when users create their account, they are asked if they accept their data to be processed to get personalised advertising. In case users do not consent at sign-up to this use of their data, they regularly see – while using the social network – the prompting box illustrated above, asking if they want personalised ads. This box is blocking them in their use of the social network. Being displayed on a regular basis, this Continuous prompting is likely to fatigue users into consenting to personalised advertisement.

Example 36

Users are likely to not know what to do when a social media platform’s menu contains multiple tabs dealing with data protection: “data protection”, “safety”, “content”, “privacy”, “your preferences”.

Example 37

User X switches off the use of their geolocation for advertisement purpose. After clicking on the toggle allowing to do so, a message appears saying “We've turned off your geolocation, but your location will still be used.”

Example 38

Related topics, such as the settings on data sharing by the social media provider with third parties and vice versa, are not made available in the same or close spaces, but rather in different tabs of the settings menu.

Example 39

Throughout the social media platform, nine out of ten data protection setting options are presented in the following order:

– most restrictive option (i.e. sharing the least data with others);

– limited option, but not as restrictive as the first one; and

– least restrictive option (i.e. sharing the most data with others).

Users of this platform are used to their data protection settings being presented in this order. However, this order is not applied at the last setting where the choice of visibility of users’ birthdays is instead shown in the following order:

– Show my whole birthday: 15 January 1929 (= least restrictive option);

– Show only day and month: 15 January (= limited option, but not the most restrictive one); and

– Do not show others my birthday (= most restrictive option).

Example 40

Between the data visibility options “visible to me”, “to my closest friends” “to all my connections”, and “public”, the middle option “to all my connections” is pre-set. This means that all users connected to them can see their contributions, as well as all information entered for signing-up to the social media platform, such as their email address or birthdate.

Example 41

In this example, when users want to manage the visibility of their data, they have to go in the “privacy preference” tab. The information for which they can set their preference is listed there. However, the way that information is displayed does not make it obvious how to change the settings. Indeed, users have to click on the current visibility option in order to access a dropdown menu from which they can select the option they prefer.

Example 42

The data protection settings are difficult to find in the user account, as on the first level, there is no menu chapter with a name or heading that would lead in that direction. Users must look up other submenus such as “Security”.

Example 43

Changing the setting is hindered since in the social media platform’s desktop version, the “save” button for registering their changes is not visible with all the options, but only at the top of the submenu. Users are likely to overlook it and wrongly assume their settings are saved automatically, therefore moving to another page without clicking on the "save" button. This problem does not occur in the app and mobile versions. Therefore, it creates additional confusion for users moving from the mobile/app to the desktop version, and can make them think they can only change their settings in the mobile version or the app.

Example 44

Users click on “exercise my right of access” in the privacy notice, but are redirected to their profile instead, which does not provide any features related to exercising the right.

Example 45

When clicking on a link related to the exercise of data subject rights, the following information is not provided in the state’s official language(s) of the users’ country, whereas the service is. Instead, users are redirected to a page in English.

Example 46

The social media platform does not explicitly state that users in the EU have the right to lodge a complaint with a supervisory authority, but only mentions that in some – without mentioning which – countries, there are data protection authorities which the social media provider cooperates with regarding complaints.

Example 47

Here, information related to data protection rights is available on at least four pages. Even though the privacy policy informs on all the rights, it does not redirect to the relevant pages for each of them. Conversely, when users visit their account, they will not find any information on some of the rights they can exercise. This Privacy Maze forces users to dig through many pages in order to find where to exercise each right and, depending on their browsing, they might not be aware of all the rights they have.

Example 48

In this example, users wish to update some of their personal data but do not find a way to do it in their account. They click on a link redirecting them to the Question & Answer page where they enter their question. Several results appear, some related to the rights of access and deletion. After checking all results, they click on the link available in the “How to access your data” page. It redirects them to the privacy policy. There, they find information on additional rights. After reading this information, they click on the link associated with the exercise of the right to rectification which redirects them to the user account. Unsatisfied, they go back to the privacy policy and click on a general link “Send us a request”. This brings users to their privacy dashboard. As none of the available options seem to match their need, users eventually go to the “exercise of other rights” page where they finally find a contact address.

Example 49

The paragraph under the subtitle “right to access” in the privacy policy explains that users have the right to obtain information under Article 15 (1) GDPR. However, it only mentions users’ possibility to receive a copy of their personal data. There is no direct link visible to exercise the copy component of the right of access under Article 15 (3) GDPR. Rather, the first three words in “You can have a copy of your personal data” are slightly underlined. When hovering over these words with the users’ mouse, a small box is displayed with a link to the settings.

Example 50

The social media platform offers different versions (desktop, app, mobile browser). In each version, the settings (leading to access/objection etc.) are displayed with a different symbol, leaving users who switch between versions confused.

Example 51

When users choose to delete the name and place of their high school or the reference to an event they attended and shared, a second window pops up asking to confirm that choice (“Do you really want to do so? Why do you want to do this?”).

Example 52

Users are looking for the right to erasure. They have to call up the account settings, open a sub-menu called “privacy”, and have to scroll all the way down to find a link to delete the account.

Example 53

On the first information level, information is given to users highlighting only the negative, discouraging consequences of deleting their accounts (e.g. "you'll lose everything forever" or "your friends will forget you").

Example 54

When users delete their account, they are not informed about the time their data will be kept once the account is deleted. Even worse, at no point in the whole deletion process users are advised about the fact that “some of the personal data” might be stored even after deleting an account. They need to look for the information by themselves, across the different information sources available.

Example 55

Users can only delete their account through links named “See you” or “Deactivate” available in their account.

Example 56

In the process of deleting their account, users are provided with two options to choose from: To delete their account or to pause it. By default, the pausing option is selected.

Example 57

After clicking on “Delete my account”, users are presented with the option to download their data, implemented as the right to portability, before deleting the account. When clicking to download their information, users are redirected on a download information page. However, once users have chosen what and how to download their data, they are not redirected to the deletion process.

Example 58

In this example, users first see a confirmation box to erase their account after having clicked on the corresponding link or button in their account. Even though there is some Emotional Steering in this box, this step can be seen as a security measure in order for users not to delete their account following a mis-click in their account. However, when users click on the “Delete my account” button, they are confronted with a second box asking them to textually describe the reason they want to leave the account. As long as they have not entered something in the box, they cannot delete their account as the button associated with the action is inactive and greyed out. This practice makes the erasure of an account Longer than Necessary, especially as asking users to produce a text describing why they want to leave an account requires extra effort and time and should not be mandatory to delete one’s account.

Example 59

The social media provider makes it mandatory for users to answer a question about their reasons for wishing to erase their account, through a selection of answers from a drop-down menu. It appears to users that answering this question (apparently) enables them to achieve the action they want, i.e. to delete the account. Once an answer is selected, a pop-up window appears, showing users a way of solving the issue stated in their answer. The question-answer process therefore slows down users in their account erasure process.

Example 60

On the social media platform XY, the link to deactivate or delete the account is found in the “Your XY Data” tab.

Example 61

The actual tab to erase an account is found in the section “delete a function of your account”.

In conclusion, the three guidelines are examples of good practices to guide society in general.

No items found.

RECENT POSTS

LINKEDIN FEED

Newsletter

Register your email and receive our updates

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

FOLLOW US ON SOCIAL MEDIA

Newsletter

Register your email and receive our updates-

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

FOLLOW US ON SOCIAL MEDIA

Licks Attorneys' Government Affairs & International Relations Blog

Doing Business in Brazil: Political and economic landscape

Licks Attorneys' COMPLIANCE Blog

The EDPB publishes new guidelines for personal data protection

No items found.

The European Data Protection Board (EDPB) has recently published, after a public inquiry with different segments of European society, three new guidelines related to the protection of personal data. They are the following:

  1. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
  2. Guidelines 07/2022 on certification as a tool for transfers
  3. Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

The following is a brief description of each of them:

1.1. GUIDELINES 05/2021 ON THE INTERPLAY BETWEEN THE APPLICATION OF ARTICLE 3 AND THE PROVISIONS ON INTERNATIONAL TRANSFERS AS PER CHAPTER V OF THE GDPR

Given that the GDPR (General Data Protection Regulation) does not define what “transfer of personal data to a third country or to an international organization” is, the EDPB used three cumulative criteria to qualify a processing operation as a transfer. Thus, if the three criteria identified by the EDPB are met, it regards a transfer and Chapter V of the GDPR is applicable. They are:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing;
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”); and
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

Thus, the transfer of personal data to a third country or to an international organization may only occur in the context of an adequacy decision by the European Commission (Article 45) or by providing of appropriate safeguards (Article 46).

If the three criteria are not met, Chapter V of the GDPR does not apply, but the controller must comply with the remaining provisions of the GDPR, in particular Article 5 (“Principles relating to the processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of Processing”).

The risks of such personal data processing in a foreign country not complying with the GDPR are especially focused on conflicting national laws or disproportionate government access.

The examples are the highlight of these guidelines. They are an aid in understanding the issue in practical cases, as shown below:

Example 1 – Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR)

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In this case, the data subject (Maria) passes her personal data to the third country company. This does not constitute a transfer of personal data since the data are not passed by an exporter (controller or processor), but directly collected from the data subject by the controller under Article 3(2) GDPR. Thus, Chapter V does not apply to this case. Nevertheless, the third country company will be required to apply the GDPR since its processing operations are subject to Article 3(2).

Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In order to process the orders received by means of the website, the third country company has engaged a non-EEA processor. In this case, the data subject (Maria) passes her personal data to the third country company and this does not constitute a transfer of personal data since the data are directly collected by the controller under Article 3(2) GDPR. Thus, the controller will have to apply the GDPR to the processing of this personal data. As far as it engages a non-EEA processor, such disclosure from the third country company to its non-EEA processor would amount to a transfer, and it will be required to apply Article 28 and Chapter V obligations so as to ensure that the level of protection afforded by the GDPR would not be undermined when data are processed on its behalf by the non-EEA-processor.

Example 3 – Controller in a third country receives data directly from a data subject in the EU (but not under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, decides to book a room in a hotel in New York using a form on the hotel website. Personal data are collected directly by the hotel which does not target/monitor individuals in the EEA. In this case, no transfer takes place since data are passed directly by the data subject and directly collected by the controller Also, since no targeting or monitoring activities of individuals in the EEA are taking place by the hotel, the GDPR will not apply, including with regard to any processing activities carried out by non-EEA processors on behalf of the hotel.

Example 4 – Data collected by an EEA platform and then passed to a third country controller

Maria, living in Italy, books a room in a hotel in New York by means of an online EEA travel agency. Maria’s personal data, necessary for booking the hotel, are collected by the EEA online travel agency as a controller and sent to the hotel receiving the data as a separate controller. While passing the personal data to the third country hotel, the EEA travel agency carries out a transfer of personal data and Chapter V GDPR applies.

Example 5 – Controller in the EU sends data to a processor in a third country

Company X established in Austria, acting as controller, provides personal data of its employees or customers to Company Z in a third country, which processes these data as processor on behalf of Company X. In this case, data are provided from a controller, which as regards the processing in question, is subject to the GDPR, to a processor in a third country. Hence, the provision of data will be considered as a transfer of personal data to a third country and therefore Chapter V of the GDPR applies.

Example 6 – Processor in the EU sends data back to its controller in a third country

XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them data subjects not located in the EU, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

Example 7 – Processor in the EU sends data to a sub-processor in a third country

Company A established in Germany, acting as controller, has engaged B, a French company, as a processor on its behalf. B wishes to further delegate a part of the processing activities that it is carrying out on behalf of A to sub-processor C, a company in a third country, and hence to send the data for this purpose to C. The processing performed by both A and its processor B is carried out in the context of their establishments in the EU and is therefore subject to the GDPR pursuant to its Article 3(1), while the processing by C is carried out in a third country. Hence, the passing of data from processor B to sub-processor C is a transfer to a third country, and Chapter V of the GDPR applies.

Example 8 – Employee of a controller in the EU travels to a third country on a business trip

George, employee of A, a company based in Poland, travels to a third country for a meeting bringing his laptop. During his stay abroad, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This bringing of the laptop and remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller A. Therefore, the transmission is carried out within the same controller A. The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR. It can, however, be noted that in case George, in his capacity as an employee of A, would send or make data available to another controller or processor in the third country, the data flow in question would amount to a transfer under Chapter V; from the exporter (A) in the EU to such importer in the third country.

Example 9: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country

The Irish Company X, which is a subsidiary of the parent Company Y in a third country, discloses personal data of its employees to Company Y to be stored in a centralised HR database by the parent company in the third country. In this case the Irish Company X processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company X is subject to the GDPR pursuant to Article 3(1) for this processing and Company Y is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

Example 10 – Processor in the EU sends data back to its controller in a third country

Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B, is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.

Example 11 – Remote access to data in the EU by a third country processor acting on behalf of EU controllers

A company in a third country (Company Z), with no establishment in the EU, offers services as a processor to companies in the EU. Company Z, acting as processor on behalf of the EU controllers, is remotely accessing, e.g. for support purposes, the data which is stored in the EU. Since Company Z is located in a third country, such remote access results in transfers of data from the EU controllers to their processor (Company Z) in a third country under Chapter V.

Example 12 – Controller in the EU uses a processor in the EU subject to third country legislation

The Danish Company X, acting as controller, engages Company Y established in the EU as a processor on its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y is processing the data of Company X exclusively in the EU and there is no one outside the EU, including the parent Company Z, who has access to the data. Additionally, it follows from the contract between Company X and Company Y that Company Y shall only process the personal data on documented instructions from Company X, unless required to do so by EU or Member State law to which Company Y is subject. Company Y is however subject to third country legislation with extraterritorial effect, which in this case means that Company Y may receive access requests from third country authorities. Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), the disclosure of data from the controller Company X to the processor Company Y does not amount to a transfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility that Company Y receives access requests from third country authorities and should Company Y comply with such request, such disclosure of data would be considered a transfer under Chapter V. Where Company Y complies with a request in violation of the controller’s instructions and thus Article 28 GDPR, Company Y shall be considered an independent controller of that processing under Article 28(10) GDPR. In this situation, the controller Company X should, before engaging the processor, assess these circumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract or legal act governing the processing by the processor.

1.2. GUIDELINES 07/2022 ON CERTIFICATION AS A TOOL FOR TRANSFERS

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organizations. Among these safeguards, certification emerges as a new transfer mechanism (Articles 42(2) and 46(2) (f).

According to Article 44 of the GDPR, any transfer of personal data to third countries or international organizations must comply with the conditions of the remaining provisions of the GDPR in addition to compliance with its Chapter V. Therefore, each transfer must comply, among others, with the data protection principles of Article 5 of the GDPR, comply with Article 6 of the GDPR and with Article 9 of the GDPR in the case of special data categories.

Thus, a two-step test should be applied. As a first step, one must ensure compliance with the general provisions of the GDPR. Then, as a second step, one must comply with the provisions of Chapter V of the GDPR.

Pursuant to Article 46(2)(f) of the GDPR, such appropriate safeguards, such as respecting the rights of data subjects, can be provided by an approved certification mechanism, together with binding and enforceable commitments from the controller or operator in the third country.

The EDPB is empowered to approve EEA-wide certification criteria (European Data Protection Seal) and to provide opinions on Supervisory Authorities’ draft decisions on certification criteria and accreditation requirements of the certification bodies so as to ensure consistency. It is also competent for collating all certification mechanisms and data protection seals and marks in a register and making them publicly available.

The Supervisory Authorities (SAs) approve the certification criteria when the certification mechanism is not a European Data Protection Seal. They might also accredit the certification body, design the certification criteria and issue certification if established by the national law of their Member State.

On the other hand, the National Accreditation Body may accredit third party certification bodies by using ISO 17065 and the SAs additional accreditation requirements, which should be in line with section 2 of these guidelines. In some Member States, the accreditation can be offered as well by the competent SA as well as being carried out by a national accreditation body or by both.

And finally, the Scheme Owner is another important stakeholder. It is an organisation which has set up certification criteria and the methodology requirements according to which conformity is to be assessed. The organisation carrying out the assessments could be the same organisation that has developed and owns the scheme, but there could be arrangements where one organisation owns the scheme, and another (or more than one other) performs the assessments as Certification body.

Furthermore, the data exporter who wants to use a certification as appropriate safeguard according to Article 46 (2) (f) GDPR is notably obliged to verify whether the certification it intends to rely on is effective in light of the characteristics of the intended processing. To that end, the data exporter must check the issued certification in order to verify if the certificate is valid and not expired, if it covers the specific transfer to be carried out and whether the transit of personal data is in the scope of certification, as well as if onward transfers are involved and an adequate documentation is provided on them. Considering that the exporter is responsible for all provisions in Chapter V being applied, it has also to assess whether the certification it intends to rely on as a tool for transfers is effective in the light of the law and practices in force in the third country that are relevant for the transfer at stake.

Considering that the exporter is responsible for all provisions in Chapter V being applied, it has also to assess whether the certification it intends to rely on as a tool for transfers is effective in the light of the law and practices in force in the third country that are relevant for the transfer at stake. Therefore, certification should be based on the assessment of certification criteria according to a mandatory audit methodology.

The following minimum criteria must be considered by the certification mechanism with respect to processing:

  1. the purpose;
  2. the type of entity (controller or operator);
  3. the type of data transferred taking into account whether special categories of personal data as defined in Article 9 GDPR are involved;
  4. the categories of data subjects; and
  5. the countries where the data processing takes place.

With regard to Transparency and the Data subjects’ rights, the certification criteria should:

  1. Require that information on the processing activities should be provided to data subjects, including, where relevant, on the transfer of personal data to a third country or an international organisation (see Articles 12, 13, 14 GDPR);
  2. require that data subjects are guaranteed their rights to access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, right not to be subject to decisions based solely on automated processing, including profiling, essentially equivalent to those provided for by Articles 15 to 19, 21 and 22 GDPR;
  3. require that an appropriate complaint handling procedure is established by the data importer holding a certification in order to ensure the effective implementation of the data subject rights
  4. require assessing whether and to what extent these rights are enforceable for the data subjects in the relevant third country and any additional appropriate measures that may need to be put in place to enforce them, e.g. requiring that the importer will accept to submit itself to the jurisdiction of and cooperate with the supervisory authority competent for the exporter(s) in any procedures aimed at ensuring compliance with these rights and, in particular, that it agrees to respond to enquiries, submit to audits and comply with the measures adopted by aforementioned supervisory authority, including remedial and compensatory measures.

Additional certification criteria include assessment of third country legislation, general obligations of importers and exporters, rules on onward transfers, redress and enforcement of data subject rights, process and actions for situations in which national legislation prevents compliance with commitments taken as part of certification, dealing with requests for data access by third country authorities and additional safeguards concerning the exporter.

Again, a list of examples of complementary measures to be implemented by the importer in case the transit is included in the scope of the certification is a high point of the guidelines. They are the following:

Use case 1 – Data storage for backup and other purposes that do not require access to data in the clear

Criteria relating to the encryption standards and the security of the decryption key, in particular criteria relating to the legal situation in the third country, must be established. If the importer can be forced to pass on decryption keys, the additional measure cannot be considered effective.

Use case 2 – Transfer of pseudonymised Data

In the case of pseudonymised data, criteria shall be established regarding the security of the additional information necessary to attribute the transferred data to an identified or identifiable person. In particular:

– Criteria regarding the legal situation in the third country. If the importer can be forced to access or use additional data in order to attribute the data to an identified or identifiable person, the measure cannot be considered effective; and

– Criteria relating to the definition of additional information available to third country authorities that might be sufficient to attribute the data to an identified or identifiable person.

Use case 3 – Encryption of data to protect it from access by the public authorities of the third country of the importer when it transits between the exporter and its importer

In the case of encrypted data, any criteria for the security of the transit shall be included. If the importer can be forced to pass on cryptographic keys for decryption or authentication or to modify a component used for transit in such a way that its security properties are undermined, the additional measure cannot be considered effective.

Use case 4 – Protected recipient

In the case of protected recipients, criteria for the limits of the privilege must be defined. The data processing must remain within the limits of the legal privilege. This also applies to processing by (sub)processors and onward transfers, whose recipients must also be privileged.

Another list of examples of complementary measures in case the transit is not covered by the certification and the exporter has to ensure them is equally interesting:

Use case 1 – Transfer of pseudonymised Data

Criteria shall be provided relating to the additional information available to the third country authorities that might be sufficient to attribute the data to an identified or identifiable person.

Use case 2 – Encryption of data to protect it from access by the public authorities of the third country of the importer when it transits between the exporter and its importer

Criteria shall be provided relating to the trustworthiness of the public key certification authority or infrastructure used, the security of the cryptographic keys used for authentication or decryption and the reliability of key management, and the use of properly maintained software without known vulnerabilities. If the importer can be forced to disclose cryptographic keys suitable for decryption or authentication or to modify a component used for transit in order to undermine its security properties, the measure cannot be considered effective.

Use case 3 – Protected recipient

In the case of protected recipients, criteria for the limits of the privilege must be defined. The data processing must remain within the limits of the legal privilege. This also applies to processing by (sub)processors and onward transfers, whose recipients must also be privileged.

1.3. GUIDELINES 03/2022 ON DECEPTIVE DESIGN PATTERNS IN SOCIAL MEDIA PLATFORM INTERFACES: HOW TO RECOGNISE AND AVOID THEM

These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called “deceptive design patterns” in social media interfaces that infringe on GDPR requirements.

Regarding the data protection compliance of user interfaces of online applications within the social media sector, the data protection principles applicable are set out within Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR serves as a starting point to assess whether a design pattern actually constitutes a “deceptive design pattern”.

The EDPB gives concrete examples of deceptive design pattern types for the following different use cases within this life cycle. They are: the sign-up, i.e. registration process; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; and, finally, closing a social media account.

The deceptive design patterns addressed within these Guidelines result from an interdisciplinary analysis of existing interfaces. They can be divided into the following categories:

  1. Overloading: users are confronted with an avalanche/ large quantity of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of data subject.
  2. Skipping: designing the interface or user journey in a way that the users forget or do not think about all or some of the data protection aspects.
  3. Stirring: affects the choice users would make by appealing to their emotions or using visual nudges.
  4. Obstructing: an obstruction or blocking of users in their process of getting informed or managing their data by making the action hard or impossible to achieve.
  5. Obstructing: an obstruction or blocking of users in their process of getting informed or managing their data by making the action hard or impossible to achieve; and
  6. Left in the dark: an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.

As the EDPB already stated, fairness is an overarching principle which requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. If the interface has insufficient or misleading information for users and fulfils the characteristics of deceptive design patterns, it can be classified as unfair processing. The fairness principle has an umbrella function and all deceptive design patterns would not comply with it irrespectively of compliance with other data protection principles.

The first step users need to take in order to have access to a social media platform is signing up by creating an account. As part of this registration process, users are asked to provide their personal data, such as first and last name, email address or sometimes phone number. Users need to be informed about the processing of their personal data and they are usually asked to confirm that they have read the privacy notice and agree to the terms of use of the social media platform. This information needs to be provided in a clear and plain language, so that users are in a position to easily understand it and knowingly agree.

Consent freely given, specific, informed at the registration step. For social media providers who ask for users’ consent for varying purposes of processing, the EDPB Guidelines 05/2020 on consent provide valuable guidance on consent collection. Social media platforms must not circumvent conditions, such as data subjects’ ability to freely give consent, through graphic designs or wording that prevents data subjects from exercising said will. In that regard, Article 7 (2) GDPR states that the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Users of social media platforms can provide consent for ads or special types of analysis during the sign-up process, and at a later stage via the data protection settings. In any event, as Recital 32 GDPR underlines, consent always needs to be provided by a clear affirmative act, so that pre-ticked boxes or inactivity of the users do not constitute consent.

In accordance with Article 7 (3) phrase 1 GDPR, users of social media platforms shall be able to withdraw their consent at any time. Prior to providing consent, users shall also be made aware of the right to withdraw the consent, as required by Article 7 (3) phrase 3 GDPR. In particular, controllers shall demonstrate that users have the possibility to refuse providing consent or to withdraw the consent without any detriment. Users of social media platforms who consent to the processing of their personal data with one click, for example by ticking a box, shall be able to withdraw their consent in an equally easy way. This underlines that consent should be a reversible decision, so that there remains a degree of control for the data subject. The easy withdrawal of consent constitutes a prerequisite of valid consent under Article 7 (3) phrase 4 GDPR and should be possible without lowering service levels. As an example, consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time.

Again the examples make understanding deceptive media standards easier. They are:

Example 1

Variation A: In the first step of the sign-up process, users are required to choose between different options for their registration. They can either provide an email address or a phone number. When users choose the email address, the social media provider still tries to convince users to provide the phone number, by declaring that it will be used for account security, without providing alternatives on the data that could be or was already provided by the users. Concretely, several windows pop up throughout the sign-up process with a field for the phone number, along with the explanation “We’ll use your [phone] number for account security”. Although users can close the window, they get overloaded and give up by providing their phone number. Variation B: Another social media provider repeatedly asks users to provide the phone number every time they log into their account, despite the fact that users previously refused to provide it, whether this was during the sign-up process or at the last log-in.

Example 2

A social media platform uses an information or a question mark icon to incite users to take the “optional” action currently asked for. However, rather than just provide information to users who expect help from these buttons, the platform prompts users to accept importing their contacts from their email account by repeatedly showing a pop-up saying “Let’s do it”.

Example 3

When registering to a social media platform via desktop browser, users are invited to also use the platform’s mobile application. During what looks like another step in the sign-up process, users are invited to discover the app. When they click on the icon, expecting to be referred to an application store, they are asked instead to provide their number to receive a text message with the link to the app.

Example 4

The social media platform asks users to share their geolocation by stating: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!”

Example 5

Social media provider incentivises users to encourage them to share more personal data than actually required by prompting users to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!

Example 6

The part of the sign-up process where users are asked to upload their picture contains a “?” button. Clicking on it reveals the following message: “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me’.”

Example 7

During the sign-up process, users who click on the “skip” buttons to avoid entering certain kind of data are shown a pop-up window asking “Are you sure?” By questioning their decision and therefore making them doubt it, social media provider incites users to review it and disclose these kinds of data, such as their gender, contact list or picture. In contrast, users who choose to directly enter the data do not see any message asking to reconsider their choice.

Example 8

Immediately after completing the registration, users are only able to access data protection information by calling up the general menu of the social media platform and browse the submenu section that includes a link to “privacy and data settings”. Upon a visit to this page, a link to the privacy policy is not visible at first glance. Users have to notice, in a corner of the page, a tiny icon pointing to the privacy policy, which means that users can hardly notice where the information to the data protection related policies are.

Example 9

In this example, when users enter their birthdate, they are invited to choose with whom to share this information. Whereas less invasive options are available, the option “share it with everyone” is selected by default, meaning that everyone, i.e. registered users as well as any internet users, will be able to see the users’ birthdate.

Example 10

Users are not provided with any links to data protection information once they have started the sign-up process. Users cannot find this information as none is provided anywhere in the sign-up interface, not even in the footer.

Example 11

During the sign-up process, users can consent to the processing of their personal data for advertising purposes and they are informed that they can change their choice whenever they want once registered on the social media by going to the privacy policy. However, once users have completed the registration process and they go to the privacy policy, they find no means or clues on how to withdraw their consent for this processing.

Example 12

In this example, the information related to data sharing gives a highly positive outlook of the processing by highlighting the benefits of sharing as many data as possible. Coupled to the illustration representing the photograph of a cute animal playing with a ball, this Emotional Steering can give users the illusion of safety and comfort with regard to the potential risks of sharing some kind of information on the platform. On the other hand, information given on how to control the publicity of one’s data is not clear. First it is said that users can set their sharing preference any time they want. Then, however, the last sentence indicates that this is not possible once something has already been posted on the platform. Those pieces of Conflicting Information leave users unsure of how to control the publicity of their data.

Example 13

Information related to data subject rights is spread across the privacy notice. Although different data subject rights are explained in the section “Your options”, the right to lodge a complaint and the exact contact address is stated only after several sections and layers referring to different topics. The privacy notice therefore partly leaves out contact details at stages where this would be desirable and advisable.

Example 14

The privacy policy is not divided into different sections with headlines and content. There are more than 70 pages provided. However, there is no navigation menu on the side or the top to allow users to easily access the section they are looking for. The explanation of the self-created term “creation data” is contained in a footnote on page 67.

Example 15

A privacy notice describes part of a processing in a vague and imprecise way, as in this sentence: “Your data might be used to improve our services”. Additionally, the right of access to personal data is applicable to the processing as based on Article 15 (1) GDPR but is mentioned in such a way that it is not clear to users what it allows them to access: "You can see part of your information in your account and by reviewing what you've posted on the platform."

Example 16

Variation A: The social media platform is available in Croatian as the language of users’ choice (or in Spanish as the language of the country they are in), whereas all or certain information on data protection is available only in English. Variation B: Each time users call up certain pages, such as the help page, these automatically switch to the language of the country users are in, even if they have previously selected a different language.

Example 17

On its platform, the social media provider makes available a document called “helpful advice” that also contains important information about the exercise of data subject rights. However, the privacy policy does not contain any link or other hint to this document. Instead, it mentions that more details are available in the Q&A section of the website. Users expecting information about their rights in the privacy policy will therefore not find these explanations there and will have to navigate further and search through the Q&A section.

Example 18

In its privacy policy, a social media provider offers many hyperlinks to pages with further information on specific topics. However, there are several parts in the privacy policy containing only general statements that it is possible to access more information, without saying where or how.

Example 19

With regard to deceptive design patterns, the challenge for controllers in this constellation is to integrate this information into the online system in such a way that it can be easily perceived and does not lose its clarity and comprehensibility, even though Article 12 (1) phrase 1 GDPR does not refer directly to Article 26 (2) phrase 2 GDPR.

Example 20

The controller only refers to actions of a third party. A given data breach was originated by a third party (e.g. a processor) and that therefore no security breach occurred. The controller also highlights some good practices that have nothing to do with the actual breach. The controller declares the severity of the data breach in relation to itself or to a processor, rather than in relation to the data subject.

Example 21

Through a data breach on a social media platform, several sets of health data were accidentally accessible to unauthorised users. The social media provider only informs users that “special categories of personal data” were accidentally made public.

Example 22

The controller only provides vague details when identifying the categories of personal data affected. E.g. the controller refers to documents submitted by users without specifying what categories of personal data these documents include and how sensitive they were.

Example 23

When reporting the breach, the controller does not sufficiently specify the category of the affected data subjects. E.g., the controller only mentions that concerned data subjects were students, but the controller does not specify whether the data subjects are minors or groups of vulnerable data subjects.

Example 24

A controller declares that personal data was made public through other sources when it notifies the breach to the Supervisory Authority and to the data subject. Therefore, the data subject considers that there was no security breach.

Example 25

The controller reports through texts that contain a lot of non-relevant information and omit the relevant details. In security breaches that affect access credentials and other types of data, the controller declares that the data is encrypted or hashed, while this is only the case for passwords.

Example 26

The interface uses a toggle switch to allow users to give or withdraw consent. However, the way the toggle is designed does not make it clear in which position it is and if users have given consent or not. Indeed, the position of the toggle does not match the colour. If the toggle is on the right side, which is usually associated with the activation of the feature (“switch on”), the colour of the switch is red, which usually signifies that a feature is turned off. Conversely, when the switch is on the left side, usually meaning the feature is turned off, the toggle background colour is green, which is normally associated with an active option.

Example 27

The social media provider gives contradictory information to users: Although the information first asserts that contacts are not imported without consent, a pop-up information window simultaneously explains how contacts will be imported anyway.

Example 28

Users browse their social media feed. While doing so, they are shown advertisements. Intrigued by one ad and curious about the reasons it is shown to them, they click on a “?” sign available on the right bottom corner of the ad. It opens a pop-in window that explains why users see this particular ad and lists the targeting criteria. It also informs users that they can withdraw their consent to targeted advertisement and provides a link to do so. When users click on this link, they are redirected to an entirely different website giving general explanations on what consent is and how to manage it.

Example 29

In the part of the social media account where users can share thoughts, pictures, etc., they are asked to confirm that they would like to share this content once they have typed it in or uploaded it. Users can choose between a button saying “Yes, please.” and another one saying “No, thank you.” However, once users decide against sharing the content with others by clicking on the second button, the content is published on their social media account.

Example 30

A cookie banner on the social media platform states “For delicious cookies, you only need butter, sugar and flour. Check out our favourite recipe here [link]. We use cookies, too. Read more in our cookie policy [link].”, along with an “okay” button.

Example 31

Users want to manage the permissions given to the social media platform based on consent. They have to find a page in the settings related to those specific actions and wish to disable the sharing of their personal data for research purposes. When users click on the box to untick it, nothing happens at the interface level and they get the impression that the consent cannot be withdrawn.

Example 32

A social media provider works with third parties for the processing of its users’ personal data. In its privacy policy, it provides the list of those third parties without providing a link to each of their privacy policies, merely telling users to visit the third parties websites in order to get information on how these entities process data and to exercise their rights.

Example 33

A social media provider does not provide a direct opt-out from a targeted advertisement processing even though the consent (opt-in) only requires one click.

Example 34

Information to withdraw consent is available from a link only accessible by checking every section of their account and information associated to advertisements displayed on the social media feed.

Example 35

In this example, when users create their account, they are asked if they accept their data to be processed to get personalised advertising. In case users do not consent at sign-up to this use of their data, they regularly see – while using the social network – the prompting box illustrated above, asking if they want personalised ads. This box is blocking them in their use of the social network. Being displayed on a regular basis, this Continuous prompting is likely to fatigue users into consenting to personalised advertisement.

Example 36

Users are likely to not know what to do when a social media platform’s menu contains multiple tabs dealing with data protection: “data protection”, “safety”, “content”, “privacy”, “your preferences”.

Example 37

User X switches off the use of their geolocation for advertisement purpose. After clicking on the toggle allowing to do so, a message appears saying “We've turned off your geolocation, but your location will still be used.”

Example 38

Related topics, such as the settings on data sharing by the social media provider with third parties and vice versa, are not made available in the same or close spaces, but rather in different tabs of the settings menu.

Example 39

Throughout the social media platform, nine out of ten data protection setting options are presented in the following order:

– most restrictive option (i.e. sharing the least data with others);

– limited option, but not as restrictive as the first one; and

– least restrictive option (i.e. sharing the most data with others).

Users of this platform are used to their data protection settings being presented in this order. However, this order is not applied at the last setting where the choice of visibility of users’ birthdays is instead shown in the following order:

– Show my whole birthday: 15 January 1929 (= least restrictive option);

– Show only day and month: 15 January (= limited option, but not the most restrictive one); and

– Do not show others my birthday (= most restrictive option).

Example 40

Between the data visibility options “visible to me”, “to my closest friends” “to all my connections”, and “public”, the middle option “to all my connections” is pre-set. This means that all users connected to them can see their contributions, as well as all information entered for signing-up to the social media platform, such as their email address or birthdate.

Example 41

In this example, when users want to manage the visibility of their data, they have to go in the “privacy preference” tab. The information for which they can set their preference is listed there. However, the way that information is displayed does not make it obvious how to change the settings. Indeed, users have to click on the current visibility option in order to access a dropdown menu from which they can select the option they prefer.

Example 42

The data protection settings are difficult to find in the user account, as on the first level, there is no menu chapter with a name or heading that would lead in that direction. Users must look up other submenus such as “Security”.

Example 43

Changing the setting is hindered since in the social media platform’s desktop version, the “save” button for registering their changes is not visible with all the options, but only at the top of the submenu. Users are likely to overlook it and wrongly assume their settings are saved automatically, therefore moving to another page without clicking on the "save" button. This problem does not occur in the app and mobile versions. Therefore, it creates additional confusion for users moving from the mobile/app to the desktop version, and can make them think they can only change their settings in the mobile version or the app.

Example 44

Users click on “exercise my right of access” in the privacy notice, but are redirected to their profile instead, which does not provide any features related to exercising the right.

Example 45

When clicking on a link related to the exercise of data subject rights, the following information is not provided in the state’s official language(s) of the users’ country, whereas the service is. Instead, users are redirected to a page in English.

Example 46

The social media platform does not explicitly state that users in the EU have the right to lodge a complaint with a supervisory authority, but only mentions that in some – without mentioning which – countries, there are data protection authorities which the social media provider cooperates with regarding complaints.

Example 47

Here, information related to data protection rights is available on at least four pages. Even though the privacy policy informs on all the rights, it does not redirect to the relevant pages for each of them. Conversely, when users visit their account, they will not find any information on some of the rights they can exercise. This Privacy Maze forces users to dig through many pages in order to find where to exercise each right and, depending on their browsing, they might not be aware of all the rights they have.

Example 48

In this example, users wish to update some of their personal data but do not find a way to do it in their account. They click on a link redirecting them to the Question & Answer page where they enter their question. Several results appear, some related to the rights of access and deletion. After checking all results, they click on the link available in the “How to access your data” page. It redirects them to the privacy policy. There, they find information on additional rights. After reading this information, they click on the link associated with the exercise of the right to rectification which redirects them to the user account. Unsatisfied, they go back to the privacy policy and click on a general link “Send us a request”. This brings users to their privacy dashboard. As none of the available options seem to match their need, users eventually go to the “exercise of other rights” page where they finally find a contact address.

Example 49

The paragraph under the subtitle “right to access” in the privacy policy explains that users have the right to obtain information under Article 15 (1) GDPR. However, it only mentions users’ possibility to receive a copy of their personal data. There is no direct link visible to exercise the copy component of the right of access under Article 15 (3) GDPR. Rather, the first three words in “You can have a copy of your personal data” are slightly underlined. When hovering over these words with the users’ mouse, a small box is displayed with a link to the settings.

Example 50

The social media platform offers different versions (desktop, app, mobile browser). In each version, the settings (leading to access/objection etc.) are displayed with a different symbol, leaving users who switch between versions confused.

Example 51

When users choose to delete the name and place of their high school or the reference to an event they attended and shared, a second window pops up asking to confirm that choice (“Do you really want to do so? Why do you want to do this?”).

Example 52

Users are looking for the right to erasure. They have to call up the account settings, open a sub-menu called “privacy”, and have to scroll all the way down to find a link to delete the account.

Example 53

On the first information level, information is given to users highlighting only the negative, discouraging consequences of deleting their accounts (e.g. "you'll lose everything forever" or "your friends will forget you").

Example 54

When users delete their account, they are not informed about the time their data will be kept once the account is deleted. Even worse, at no point in the whole deletion process users are advised about the fact that “some of the personal data” might be stored even after deleting an account. They need to look for the information by themselves, across the different information sources available.

Example 55

Users can only delete their account through links named “See you” or “Deactivate” available in their account.

Example 56

In the process of deleting their account, users are provided with two options to choose from: To delete their account or to pause it. By default, the pausing option is selected.

Example 57

After clicking on “Delete my account”, users are presented with the option to download their data, implemented as the right to portability, before deleting the account. When clicking to download their information, users are redirected on a download information page. However, once users have chosen what and how to download their data, they are not redirected to the deletion process.

Example 58

In this example, users first see a confirmation box to erase their account after having clicked on the corresponding link or button in their account. Even though there is some Emotional Steering in this box, this step can be seen as a security measure in order for users not to delete their account following a mis-click in their account. However, when users click on the “Delete my account” button, they are confronted with a second box asking them to textually describe the reason they want to leave the account. As long as they have not entered something in the box, they cannot delete their account as the button associated with the action is inactive and greyed out. This practice makes the erasure of an account Longer than Necessary, especially as asking users to produce a text describing why they want to leave an account requires extra effort and time and should not be mandatory to delete one’s account.

Example 59

The social media provider makes it mandatory for users to answer a question about their reasons for wishing to erase their account, through a selection of answers from a drop-down menu. It appears to users that answering this question (apparently) enables them to achieve the action they want, i.e. to delete the account. Once an answer is selected, a pop-up window appears, showing users a way of solving the issue stated in their answer. The question-answer process therefore slows down users in their account erasure process.

Example 60

On the social media platform XY, the link to deactivate or delete the account is found in the “Your XY Data” tab.

Example 61

The actual tab to erase an account is found in the section “delete a function of your account”.

In conclusion, the three guidelines are examples of good practices to guide society in general.

No items found.