Mapping Winners – An examination of the requirements posed and the privacy icons selected as part of the 2021 design contest held by the Italian DPA

Category: Legal Design, Privacy, Privacy Icons

written by Lukas Seiling


This blog post is mainly concerned with mapping both requirements and winning visualisations. A second blog post provides an close inspection of selected icons and concepts while also offering suggestions for future competitions.

In March of last year, the Italian Data Protection Authority (Garante per la protezione dei dati personali) called upon “software developers, tech professionals, experts, lawyers, designers, university students, and anyone interested in this topic, to send a set of symbols or icons that can represent all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR.”

This competition marked the first (and fortunately not the last) time a Data Protection Authority in Europe had held a public competition for the design of privacy icons and thus offered an outstanding possibility to take a closer look at the requirements, the selection process, and the winning icon sets.

Information contained in Article 13 and 14 of the GDPR

The only requirement given by the Garante was that the set of symbols should cover “all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR”. While this seems like a rather straightforward task, a look into both Article 13 (Information to be provided where personal data are collected from the data subject) and Article 14 (Information to be provided where personal data have not been obtained from the data subject) reveals more than 20 different concepts with varying levels of abstraction:

  • identity and the contact details of
    • the controller
    • the controller’s representative
    • the data protection officer
  • purposes of the processing for which the personal data are intended
  • legal basis for the processing
  • legitimate interests pursued by the controller or by a third party
  • (categories of) recipients of the personal data
  • transfer of personal data to a third country or international
  • storage period
  • the rights
    • to request access
    • to rectification
    • to erasure of personal data
    • to restriction of processing
    • to objection of processing
    • to data portability
    • to withdraw consent at any time
    • to lodge a complaint with a supervisory authority
  • whether the provision of personal data is statutory/contractual requirement or necessary to enter into a contract
  • automated decision-making, including profiling

With regard to Automated Decision Making (ADM), Article 13 also states that “meaningful information about the logic involved, significance and envisaged consequences of such processing for the data subject” should be part of the information provided to data subjects.
Additionally to the aspects named above, Article 14 requires information about “categories of personal data” as well as the “source of data”.

So far, so complex.

Challenge Accepted

The participants had a little more than two weeks to come up with a set of icons for the aforementioned aspects. During that time, the Garante received an impressive total of 59 entries and appointed an Evaluation Group to select the icon sets that “most met the criteria of completeness and compliance with the content of the regulations”. Afterwards, the remaining entries were ranked based on four criteria:

  • concept (which includes the aspects of effectiveness and conciseness)
  • visual (graphics, readability, clarity)
  • originality
  • inclusiveness (gender equality, non-discrimination)

The four winners were announced in December of last year, with two icon sets – by the origanisational compliance consultancy Athlantic Srl and Design Student Sara Vagni – sharing the first place; followed by the ones created by an association of information security auditors, trainers, and privacy experts, called Osservatorio 679, and the Maastricht European Centre on Privacy and Cybersecurity (ECPC).

The winning icons were made accessible through the Italian Data Protection Authority’s website to be used by anyone under the CreativeCommons license.

Comparing the Winning Sets

Unfortunately, the Garante provides only download links to the various icon sets and pdf documents for an overview individually and no global overview of any sort. To remedy this lack of information, I downloaded all icon sets, which left me with exactly 100 unique icons (35 by Sara Vagni, 32 by Athlantic Srl, 17 by Osservatorio 679 and 16 by the ECPC).

Overview over all items in the selected icon sets, alphabetically ordered

With no additional information provided except for the image file names (which were exclusively in Italian), I translated the individual file names to determine which concepts were pictured by the different icon sets and how their visualisations might differ.

The result is summarised in the table below, showing the winning icons for all concepts from Articles 13 and 14 identified above. Icons that showed only slight deviations from the same underlying concept were excluded to reduce visual clutter.

Category Athlantic
identity and the contact details of the controller Owner/Titolare Data Controller/Titolare Trattamento Data Controller/Titolare Del Trattamento
identity and the contact details of the controller‘s representative Representative/Rappresentante Contact Details Of The Data Controller And Representative/Dati Di Contatto Del Titolare E Rappresentante
identity and the contact details of the data protection officer Dpo Rpd/Dpo Rdp Data Protection Officer/Responsabile Protezione Dpo/Dpo Contact Details Of The Data Protection Officer Dpo/Dati Di Contatto Del Responsabile Della Protezione Dei Dati Dpo
processing purposes Purpose/Finalita Purpose/Finalita Trattamento Purpose/Finalita Purpose/Finalita Del Trattamento
legal basis Legal Basis/Base Giuridica Legal Basis/Base Giuridica Trattamento Legal Basis/Base Legale
personal data Personal Data/Dati Personali Personal Data/Dati Personali
categories of personal data Category Data/Categoria Dati Categories Of Data/Categorie Di Dati
source of data Data Source/Fonte Dati Source Of Data/Fonte Dei Dati Data Source/Fonte Del Dato Source Of Data/Fonte Dei Dati
legitimate interests Legitimate Interest/Legittimo Interesse Legitimate Interest/Legittimi Interessi Titolare Legitimate Interest/Legittimo Interesse
(categories of) recipients of the personal data Recipients Of Personal Data/Destinatari
transfer of personal data to a third country or internationally Extra See Transfer/Trasferimento Extra See Data Transfer/Trasferimento Dati Data Transfer/Trasferimento Dati Data Transfer/Trasferimenti Di Dati
storage period Retention Period/Periodo Archiviazione Retention Period/Periodo Di Conservazione Dati Retention Period/Tempi Di Conservazione Retention Period/Periodo Di Conservazione
rights Data Subject Rights General Icon/Diritti Interessato Icona Generica Rights/Diritti Rights Of The Data Subjects/Diritti Dei Soggetti Interessati
to request access Data Access/Accesso Dati Right To Access And Rectification Of Data/Diritto Di Accesso Ai Dati E Rettifica Right to access data/Diritto Accesso Ai Dati
to rectification Modification Of Data/Modifica Dati
to erasure of personal data Erasure/Cancellazione Right To Erasure Of Data Author Sara Vagni Lic Cc By/Diritto Di Cancellazione Dati
to restriction of processing Limitation Of Processing/Limitazione Trattamento
to withdraw consent at any time Revocation Of Consent/Revoca Consenso Right To Withdraw Consent/Diritto Di Revocare Il Consenso Revocation Of Consent/Revoca Consenso Right To Withdraw Consent/Revoca Del Consenso
to lodge a complaint with a supervisory authority Complaint/Reclamo Complaint/Diritto Di Proporre Reclamo Complaint/Reclamo Submission Of A Complaint To A Supervisory Authority/Proposizione Di Un Reclamo A Unтащautorita╠а Di Controllo
to object to processing Objections To Processing/Opposizione Trattamento
to portability of personal data Portability/Portabilita
provision of personal data is statutory/ contractual requirement
or necessary to enter into a contract
Necessary Contribution/Conferimento Necessario Mandatory Data/Dati Obbligatori Obligation to provide data/Obbligo Conferimento Provision Of Data For A Legal Or Contractual Obligation/Conferimento Dei Dati Per Un Obbligo Legale O Contrattuale
automated decision-making, Automated Decisions/Decisioni Automatizzate Automated Process/Processo Automatizzato Profiling Automated Processing/Profilazione Trattamento Automatizzato Automated Decision Making Process Profiling/Processo Decisionale Automatizzato Profilazione
including profiling Profiling/Profilazione


Still, all icon sets included at least two 2 icons not covered by Articles 13 and 14. For the sake of a complete analysis, these “surplus concepts” and their corresponding visualisations are shown below.


Category Athlantic
Consent Giving Consent To Processing/Prestare Il Consenso Al Trattamento
Data Subject Interested Party/Interessato Interested Party/Interessato
Data Processor External Responsible Party/Responsabile Esterno Data Processor/Responsabile Trattamento
Data Recipients Data Recipients/Destinatari Dati Data Recipients/Destinatari Dei Dati
EU Representative Eu Representative/Rappresentante Ue
Supervisory Authority Supervisory Authority/Autoritе Di Controllo
Common Data Common Data/Dati Comuni Common Data/Dati Comuni
Sensitive Data Sensitive Data/Dati Particolari Sensitive Data/Dati Particolari
Judicial Data Judicial Data/Dati Giudiziari Judicial Data/Dati Giudiziari
Optional Data Optional Data/Dati Facoltativi
Necessary Data Required Data/Dati Necessari
Indirect Source of Data Indirect Source Of Data/Fonte Indiretta Dei Dati
Dissemination Dissemination/Diffusione
Communication Communication/Comunicazione
Further Purposes Further Purposes/Ulteriori Finalitе Further Purposes/Ulteriori Finalita - А Del Trattamento
Ongoing Generic Data Processing Ongoing Generic Data Processing/Trattamento Dati Generico In Corso
Balancing Interests Balancing Interests/Bilanciamento Interessi


So, what do we make of this?

At first glance, it is obvious that no icon set is complete in the sense that it covers all aspects named in Articles 13 and 14. It is also apparent that the different icon sets use varying visual styles, influencing their legibility and comprehensibility. When comparing icons for the same concept, visualisations and symbols shared between icon sets can point us to areas of conceptual agreement. In contrast, different visualisations might reveal concepts that are especially difficult to visualise or not clearly defined.

You can use these ideas to look at the icons above and make up your mind about their effectiveness and possible limitations. Alternatively, you can take a look at this follow-up blog post in which I apply different evaluation criteria to closely examine the winning icons regarding the concepts they refer to and propose some suggestions for future contests.

Either way, I’ll leave you with an icon set that has thus far gone unmentioned: Antonio Ravenna (in cooperation with LT42) received a special mention for their icon set “because of its informational efficacy and the originality of its graphic solutions”. For me, it’s a reminder that digital infrastructures are not exclusively used by consenting adults but children also.
It is therefore crucial to communicate information about digital actors, processes and rights in ways that take the recipients’ experience into account and provide them with applicable concepts that allow for a better understanding and thus more autonomous decisions.

overview over all icons proposed by Antonio Ravenna