Dark Patterns: examples, guide and check-up according to the EDPB guidelines



Dark patterns invalidate legal notices

Installing a template, using a CSS framework: what could be simpler? However, the DSA (Digital Services Act) expressly prohibits the use of dark patterns.

Dark patterns have the effect of confusing visitors:
  • content
  • interfaces
Consents collected in contexts that use dark patterns are not valid, and the legal advice used to produce complete notices likewise loses its value.


Left in the Dark - Conflicting Information (Annex checklist 4.6.2)
Example 12: In this example, the information related to data sharing gives a highly positive outlook of the processing by highlighting the benefits of sharing as many data as possible. Coupled to the illustration representing the photograph of a cute animal playing with a ball, this Emotional Steering can give users the illusion of safety and comfort with regard to the potential risks of sharing some kind of information on the platform. On the other hand, information given on how to control the publicity of one’s data is not clear. First it is said that users can set their sharing preference any time they want. Then, however, the last sentence indicates that this is not possible once something has already been posted on the platform. Those pieces of Conflicting Information leave users unsure of how to control the publicity of their data.

Left in the Dark - Ambiguous Wording or Information (Annex checklist 4.6.3)
Example 15: A privacy notice describes part of a processing in a vague and imprecise way, as in this sentence: “Your data might be used to improve our services”. Additionally, the right of access to personal data is applicable to the processing as based on Article 15 (1) GDPR but is mentioned in such a way that it is not clear to users what it allows them to access: "You can see part of your information in your account and by reviewing what you've posted on the platform".

Left in the dark - Language discontinuity (Annex checklist 4.6.1)
Example 16: Variation A: The social media platform is available in Croatian as the language of users’ choice (or in Spanish as the language of the country they are in), whereas all or certain information on data protection is available only in English.

Left in the dark - Language discontinuity (Annex checklist 4.6.1)
Variation B: Each time users call up certain pages, such as the help pages, these automatically switch to the language of the country users are in, even if they have previously selected a different language.

Left in the Dark - Conflicting Information (Annex checklist 4.6.2)
Example 20:
  • The controller only refers to actions of a third party, that the data breach was originated by a third party (e.g. a processor) and that therefore no security breach occurred. The controller also highlights some good practices that have nothing to do with the actual breach.
  • The controller declares the severity of the data breach in relation to itself or to a processor, rather than in relation to the data subject.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 21: Through a data breach on a social media platform, several sets of health data were accidentally accessible to unauthorised users. The social media provider only informs users that “special categories of personal data” were accidentally made public.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 22: The controller only provides vague details when identifying the categories of personal data affected, e.g. the controller refers to documents submitted by users without specifying what categories of personal data these documents include and how sensitive they were.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 23: When reporting the breach, the controller does not sufficiently specify the category of the affected data subjects, e.g. the controller only mentions that concerned data subjects were students, but the controller does not specify whether the data subjects are minors or groups of vulnerable data subjects.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 24: A controller declares that personal data was made public through other sources when it notifies the breach to the Supervisory Authority and to the data subject. Therefore, the data subject considers that there was no security breach.

Conflicting Information - Left in the Dark (Annex 4.6.2)
Example 26: The interface uses a toggle switch to allow users to give or withdraw consent. However, the way the toggle is designed does not make it clear in which position it is and if users have given consent or not. Indeed, the position of the toggle does not match the colour. If the toggle is on the right side, which is usually associated with the activation of the feature (“switch on”), the colour of the switch is red, which usually signifies that a feature is turned off. Conversely, when the switch is on the left side, usually meaning the feature is turned off, the toggle background colour is green, which is normally associated with an active option.

Conflicting Information - Left in the Dark (Annex 4.6.2)
Example 27: The social media provider gives contradictory information to users: Although the information first asserts that contacts are not imported without consent, a pop-up information window simultaneously explains how contacts will be imported anyway.

Left in the dark - Conflicting information (Annex checklist 4.6.2)
Example 36: User X switches off the use of their geolocation for advertisement purpose. After clicking on the toggle allowing to do so, a message appears saying “We've turned off your geolocation, but your location will still be used.”

Left in the Dark - Language Discontinuity (Annex checklist 4.6.1)
Example 37: Related topics, such as the settings on data sharing by the social media provider with third parties and vice versa, are not made available in the same or close spaces, but rather in different tabs of the settings menu.

Left in the dark - Language discontinuity (Annex checklist 4.6.1)
Example 44: When clicking on a link related to the exercise of data subject rights, the following information is not provided in the state’s official language(s) of the users’ country, whereas the service is. Instead, users are redirected to a page in English.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 45: The social media platform does not explicitly state that users in the EU have the right to lodge a complaint with a supervisory authority, but only mentions that in some - without mentioning which - countries, there are data protection authorities which the social media provider cooperates with regarding complaints.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 53: When users delete their account, they are not informed about the time their data will be kept once the account is deleted. Even worse, at no point in the whole deletion process users are advised about the fact that “some of the personal data” might be stored even after deleting an account. They need to look for the information by themselves, across the different information sources available.

Left in the dark - Ambiguous wording or information (Annex checklist 4.6.3)
Example 54: Users can only delete their account through links named “See you” or “Deactivate” available in their account.

There are more examples for the same categories.




About us

A close-knit team of legal, privacy, IT and marketing consultants who speak plainly. Like you.

Giulia Nepi

Civil lawyer
Privacy consultant.

Valentino Spataro

Privacy consultant
WordPress and app development.



Support

Provide the link to the site/app and leave your contact details to be contacted back.
Free quotes, starting from 249€ + VAT (except non-profits)


Data are processed electronically for, and for the duration of, the business relationship. No newsletter or profiling. See the privacy policy.

Information

IusOnDemand srl
viale dei Mille 4
20129 Milano, Italia
+39 (Phone) 02 4548 9591
 (Telegram) @iusondemand

