Mapping Winners – An examination of the requirements posed and the privacy icons selected as part of the 2021 design contest held by the Italian DPA
written by Lukas Seiling
This blog post is mainly concerned with mapping both requirements and winning visualisations. A second blog post provides an close inspection of selected icons and concepts while also offering suggestions for future competitions.
In March of last year, the Italian Data Protection Authority (Garante per la protezione dei dati personali) called upon “software developers, tech professionals, experts, lawyers, designers, university students, and anyone interested in this topic, to send a set of symbols or icons that can represent all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR.”
This competition marked the first (and fortunately not the last) time a Data Protection Authority in Europe had held a public competition for the design of privacy icons and thus offered an outstanding possibility to take a closer look at the requirements, the selection process, and the winning icon sets.
Information contained in Article 13 and 14 of the GDPR
The only requirement given by the Garante was that the set of symbols should cover “all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR”. While this seems like a rather straightforward task, a look into both Article 13 (Information to be provided where personal data are collected from the data subject) and Article 14 (Information to be provided where personal data have not been obtained from the data subject) reveals more than 20 different concepts with varying levels of abstraction:
- identity and the contact details of
- the controller
- the controller’s representative
- the data protection officer
- purposes of the processing for which the personal data are intended
- legal basis for the processing
- legitimate interests pursued by the controller or by a third party
- (categories of) recipients of the personal data
- transfer of personal data to a third country or international
- storage period
- the right
s- to request access
- to rectification
- to erasure of personal data
- to restriction of processing
- to objection of processing
- to data portability
- to withdraw consent at any time
- to lodge a complaint with a supervisory authority
- whether the provision of personal data is statutory/contractual requirement or necessary to enter into a contract
- automated decision-making, including profiling
With regard to Automated Decision Making (ADM), Article 13 also states that “meaningful information about the logic involved, significance and envisaged consequences of such processing for the data subject” should be part of the information provided to data subjects.
Additionally to the aspects named above, Article 14 requires information about “categories of personal data” as well as the “source of data”.
So far, so complex.
Challenge Accepted
The participants had a little more than two weeks to come up with a set of icons for the aforementioned aspects. During that time, the Garante received an impressive total of 59 entries and appointed an Evaluation Group to select the icon sets that “most met the criteria of completeness and compliance with the content of the regulations”. Afterwards, the remaining entries were ranked based on four criteria:
- concept (which includes the aspects of effectiveness and conciseness)
- visual (graphics, readability, clarity)
- originality
- inclusiveness (gender equality, non-discrimination)
The four winners were announced in December of last year, with two icon sets – by the origanisational compliance consultancy Athlantic Srl and Design Student Sara Vagni – sharing the first place; followed by the ones created by an association of information security auditors, trainers, and privacy experts, called Osservatorio 679, and the Maastricht European Centre on Privacy and Cybersecurity (ECPC).
The winning icons were made accessible through the Italian Data Protection Authority’s website to be used by anyone under the CreativeCommons license.
Comparing the Winning Sets
Unfortunately, the Garante provides only download links to the various icon sets and pdf documents for an overview individually and no global overview of any sort. To remedy this lack of information, I downloaded all icon sets, which left me with exactly 100 unique icons (35 by Sara Vagni, 32 by Athlantic Srl, 17 by Osservatorio 679 and 16 by the ECPC).
With no additional information provided except for the image file names (which were exclusively in Italian), I translated the individual file names to determine which concepts were pictured by the different icon sets and how their visualisations might differ.
The result is summarised in the table below, showing the winning icons for all concepts from Articles 13 and 14 identified above. Icons that showed only slight deviations from the same underlying concept were excluded to reduce visual clutter.
| Category | Athlantic Srl |
Sara Vagni |
Observatory 679 |
ECPC |
|---|---|---|---|---|
| identity and the contact details of the controller |  |
 |
 |
|
| identity and the contact details of the controller‘s representative |  |
 |
||
| identity and the contact details of the data protection officer |  |
 |
 |
 |
| processing purposes |  |
 |
 |
 |
| legal basis |  |
 |
 |
|
| personal data |  |
 |
||
| categories of personal data |  |
 |
||
| source of data |  |
 |
 |
 |
| legitimate interests |  |
 |
 |
|
| (categories of) recipients of the personal data |  |
|||
| transfer of personal data to a third country or internationally |  |
 |
 |
 |
| storage period |  |
 |
 |
 |
| rights |  |
 |
 |
|
| to request access |  |
 |
 |
|
| to rectification |  |
|||
| to erasure of personal data |  |
 |
||
| to restriction of processing |  |
|||
| to withdraw consent at any time |  |
 |
 |
 |
| to lodge a complaint with a supervisory authority |  |
 |
 |
 |
| to object to processing |  |
|||
| to portability of personal data |  |
|||
| provision of personal data is statutory/ contractual requirement or necessary to enter into a contract |
 |
 |
 |
 |
| automated decision-making, |  |
 |
 |
 |
| including profiling |  |
Still, all icon sets included at least two 2 icons not covered by Articles 13 and 14. For the sake of a complete analysis, these “surplus concepts” and their corresponding visualisations are shown below.
| Category | Athlantic Srl |
Sara Vagni |
Observatory 679 |
ECPC |
|---|---|---|---|---|
| Consent |  |
|||
| Data Subject |  |
 |
||
| Data Processor |  |
 |
||
| Data Recipients |  |
 |
||
| EU Representative |  |
|||
| Supervisory Authority |  |
|||
| Common Data |  |
 |
||
| Sensitive Data |  |
 |
||
| Judicial Data |  |
 |
||
| Optional Data |  |
|||
| Necessary Data |  |
|||
| Indirect Source of Data |  |
|||
| Dissemination |  |
|||
| Communication |  |
|||
| Further Purposes |  |
 |
||
| Ongoing Generic Data Processing |  |
|||
| Balancing Interests |  |
So, what do we make of this?
At first glance, it is obvious that no icon set is complete in the sense that it covers all aspects named in Articles 13 and 14. It is also apparent that the different icon sets use varying visual styles, influencing their legibility and comprehensibility. When comparing icons for the same concept, visualisations and symbols shared between icon sets can point us to areas of conceptual agreement. In contrast, different visualisations might reveal concepts that are especially difficult to visualise or not clearly defined.
You can use these ideas to look at the icons above and make up your mind about their effectiveness and possible limitations. Alternatively, you can take a look at this follow-up blog post in which I apply different evaluation criteria to closely examine the winning icons regarding the concepts they refer to and propose some suggestions for future contests.
Either way, I’ll leave you with an icon set that has thus far gone unmentioned: Antonio Ravenna (in cooperation with LT42) received a special mention for their icon set “because of its informational efficacy and the originality of its graphic solutions”. For me, it’s a reminder that digital infrastructures are not exclusively used by consenting adults but children also.
It is therefore crucial to communicate information about digital actors, processes and rights in ways that take the recipients’ experience into account and provide them with applicable concepts that allow for a better understanding and thus more autonomous decisions.
