The classic trap
Recital 60 clarifies Articles 13 and 14: it is not enough to list purposes; the data subject must actually understand what happens, including the existence of profiling and the consequences of refusing to provide data. The CNPD and CNIL regularly sanction verbose, legalistic privacy notices that drown the user. The EDPB (2018 transparency guidelines) requires information to be concise, transparent, intelligible and easily accessible, which rules out 8000-word walls of text unreadable on mobile.
What this recital concretely requires
- Inform about the existence of processing and its purposes, not just the legal basis.
- Disclose the existence of profiling (scoring, marketing segmentation, algorithmic recommendation) and its practical consequences.
- Indicate whether providing the data is mandatory (contractual, statutory) and what happens upon refusal (cannot subscribe, cannot deliver, etc.).
- Favour standardised icons and, in digital environments, machine-readable icons (structured metadata, schema.org, JSON-LD).
- Calibrate the level of detail to the context: a job application form, an AI chatbot and a connected device do not require the same information layer.
The real transparency test: the 30-second read
A CNPD officer opens your site on a phone and has 30 seconds to grasp: who processes, why, on what basis, where to, with what profiling consequences, and what happens if they refuse. If the answer is not obvious, your information is not fair and transparent within the meaning of recital 60, even if legally everything is there.
How Luxgap automates this risk
Our Luxgap Transparency Layer turns your static privacy notice into a live, multi-channel and audit-ready transparency layer. A specialised AI agent reads your record of processing, your web forms, your Salesforce and HubSpot workflows, your chatbots and your profiling models, then automatically generates layered information (icon, summary, full version) ready to publish, and flags every gap between what is announced to the user and what actually happens in your IT systems.
- Continuously detects new forms, pixels and collection endpoints added to your sites and applications via a lightweight JS snippet, and alerts as soon as a field collects without a matching disclosure.
- Classifies each processing operation as profiling or automated decision-making within the meaning of Article 22, and generates the suitable consequence statement (credit refusal, churn score, product recommendation).
- Produces multi-layer information compliant with EDPB 2018 guidelines: standardised icon, 30-second summary, detailed version, with machine-readable JSON-LD markup.
- Automatically indicates the mandatory or optional nature of each collected field by cross-referencing the legal basis declared in the record and contractual or statutory constraints.
- Translates each notice into your audience languages (FR, DE, EN, LU, PT) while preserving legal compliance, with optional human validation by your DPO.
- Generates a time-stamped PDF report, enforceable before the CNPD during an inspection, proving that your disclosures match the real processing operations at a given date.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real pages, with a free mock audit within 48 hours to measure the gap between your current disclosures and your actual processing.