GDPRhub - User contributions [en] (feed generated 2024-03-29T10:54:17Z, MediaWiki 1.39.6): https://gdprhub.eu/api.php?action=feedcontributions&user=10.90.129.11&feedformat=atom
Article 56 GDPR, revision of 2021-07-26T07:17:02Z: https://gdprhub.eu/index.php?title=Article_56_GDPR&diff=17526
<p>10.90.129.11: /* Commentary */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 55 GDPR|←]] Article 56 - Competence of the lead supervisory authority [[Article 57 GDPR|→]]<br />
|-<br />
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
== Legal Text ==<br />
<br /><center>'''Article 56 - Competence of the lead supervisory authority'''</center><br /><br />
<br />
<span id="1">1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.</span><br />
<br />
<span id="2">2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.</span><br />
<br />
<span id="3">3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.</span><br />
<br />
<span id="4">4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).</span><br />
<br />
<span id="5">5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.</span><br />
<br />
<span id="6">6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.</span><br />
<br />
== Relevant Recitals ==<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div><br />
'''Recital 36:''' Determination of the Main Establishment<br />
</div><div class="mw-collapsible-content"><br />
The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller.<br />
Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.<br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 124:''' Lead Authority Regarding Processing in Several Member States</div><br />
<div class="mw-collapsible-content"><br />
<br />
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.<br />
</div></div><div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 125:''' Competences of the Lead Authority</div><br />
<div class="mw-collapsible-content"><br />
The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.<br />
</div></div><div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 126:''' Joint Decisions</div><br />
<div class="mw-collapsible-content"><br />
The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.<br />
</div></div><div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 127:''' Information of the Supervisory Authority Regarding Local Processing</div><br />
<div class="mw-collapsible-content"><br />
Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.<br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 128:''' Responsibility Regarding Processing in the Public Interest</div><br />
<div class="mw-collapsible-content"><br />
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.<br />
</div></div><br />
== Commentary ==<br />
In cross-border cases, all SAs could potentially be competent according to Article 55. For this reason, Article 56(1) establishes a specific mechanism to resolve the conflicting competences of the SAs involved. Article 56(1) identifies the lead SA, which is the SA of the Member State where the controller or the processor has its main establishment. The lead SA will in principle lead the cooperation with the other SAs under the cooperation mechanism of Article 60 (also called the “one-stop-shop”).<br />
<br />
Article 56(2) to (6) provide an exception to the cooperation mechanism when the processing at stake has only a local impact (the so-called “local cases”).<br />
<br />
=== (1) Designation of the lead SA and the cooperation mechanism ===<br />
The cooperation mechanism is triggered (i) in the case of cross-border processing and (ii) when the controller or processor has a main establishment in the EU. In such a case, Article 56(1) lays down the rule for designating the lead SA, which is in charge of the cooperation procedure under Article 60 and is also the sole interlocutor of the controller or processor.<br />
<br />
Even in the case of cross-border processing, the cooperation procedure does not apply in three cases: under Article 56(2) (“local cases”), under Article 66 (urgency procedure)<ref>CJEU, 15 June 2021, ''Facebook c. APD'', C-645/19, §§ 58-59</ref> and under Article 55(2) (processing in the public interest or in compliance with a legal obligation).<ref>See ''Robert,'' « Les autorités de contrôle dans le nouveau règlement général », in Docquir, « Vers un droit européen de la protection des données », margin n° 57-60 (Brussels, Larcier, 2017)</ref> <br />
<br />
<br />
'''''1) Identification of a cross-border processing'''''<br />
<br />
According to the wording of Article 56(1), the competence of the lead SA and the cooperation mechanism of Article 60 are triggered in the case of cross-border processing. Assessing whether the processing at stake is cross-border is therefore the first step.<br />
<br />
The definition of cross-border processing is provided by Article 4(23), which stipulates that such processing:<br />
<br />
''a) takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or''<br />
<br />
''b) takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.''<br />
<br />
In other words, processing by a controller established in only one Member State ''and'' which substantially affects only individuals in that Member State will not trigger the one-stop-shop procedure under Article.<br />
<br />
In all other cases, the processing is considered cross-border if there is at least one establishment of the controller in the EU and if the activities of that establishment are linked to the processing at stake. This consequence was intended: the legislator wanted to encourage controllers to establish themselves in the EU in order to benefit from the one-stop-shop mechanism.<br />
<br />
''Context of the activities''<br />
<br />
The meaning of “in the context of the activities” has already been developed by the CJEU. Building on a broad definition of “establishment”, the Court held that the promotion and sale of advertising space by an establishment in a Member State of a third-country undertaking, intended to make that undertaking's service profitable, is carried out “in the context of the activities” of that establishment.<ref>See CJEU, 13 May 2014, ''Google Spain'', C-131/12; CJEU, 1 October 2015, ''Weltimmo'', C-230/14. </ref> The EDPB also confirmed that this notion should not be interpreted too restrictively, in view of the objective of ensuring effective and complete protection.<ref>See EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version 2.1, 12 November 2019, p. 7.</ref> <br />
<br />
''Substantial effect''<br />
<br />
The notion of “substantial effect” on data subjects, as mentioned in Article 4(23)(b), is not defined in the GDPR. In its guidelines (endorsed by the EDPB), the Article 29 Data Protection Working Party considered that the number (even if large) of affected individuals in several Member States is not decisive. Rather, the Working Party developed the following, non-exhaustive list of criteria to be taken into account on a case-by-case basis.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 4, as endorsed by the EDPB on 25 May 2018.</ref> <br />
<br />
The guidelines suggest taking into account the context of the processing, the type of data, the purpose of the processing and other factors, such as potential discrimination, reputational damage, impact on well-being or the involvement of special categories of data.<br />
<br />
<br />
'''''2) Identifying a main establishment'''''<br />
<br />
If a controller or a processor has establishments in more than one Member State, identifying its “main establishment” is the first step towards identifying the lead supervisory authority for a cross-border processing. Note that the main establishment is determined for each processing operation. There may therefore be several main establishments, for example if the decisions regarding different processing operations are taken by different establishments of the controller.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017. WP 244 rev.01, p. 5, section 2.1.</ref> <br />
<br />
The Article 29 Working Party stressed that the GDPR does not allow “forum shopping”. It is the role of the SAs to properly determine the main establishment of a controller according to objective criteria and subsequently to determine the lead authority. According to the A29WP guidelines, “''conclusions cannot be based solely on statements by the organisation under review. The burden of proof ultimately falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and where there is the power to implement such decisions.'' (...) ''The lead supervisory authority, or concerned authorities, can rebut the controller's analysis based on an objective examination of the relevant facts, requesting further information where required''.”<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017. WP 244 rev.01, p. 7. </ref> The GDPR introduces separate criteria for the main establishment of a processor and of a controller.<br />
<br />
The SAs will cooperate to determine the lead authority. In the event of conflicting views on the lead supervisory authority, the case may be referred to the EDPB under Article 65(1)(b).<br />
<br />
''Notion of establishment''<br />
<br />
Recital 22, following the CJEU ruling in ''Weltimmo'', defines “establishment” as “''the effective and real exercise of activity through stable arrangements''”.<ref>CJEU, 1 October 2015, ''Weltimmo'', C-230/14, par. 31.</ref> The legal form of such arrangements is irrelevant. As the Court further specified, the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability, through the presence of the necessary equipment for the provision of the specific services concerned in the Member State in question.<ref>CJEU, 1 October 2015, ''Weltimmo'', C-230/14, par. 30.</ref> <br />
<br />
<br />
'''''Main establishment of a controller'''''<br />
<br />
''Main establishment of a controller: place of central administration''<br />
<br />
As a general rule, under Article 4(16)(a) GDPR, the main establishment of a controller is the place of its central administration in the Union. This is, however, a rebuttable presumption, since another establishment can also be the main establishment according to Article 4(16) GDPR when ''“the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”''. In other words, in order to determine the main establishment of a controller, it is necessary first to find its place of central administration, that is, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 5, section 2.1.</ref> <br />
<br />
''Main establishment is not a place of a central administration''<br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to identify the establishment where “''the effective and real exercise of management activities that determine main decisions as to the purposes and means of processing through stable arrangements, take place''”.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 6, section 2.1.1.</ref> The presence and use of technical means and technologies for processing personal data, or the processing activities themselves, do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. See Recital 36 GDPR.<br />
<br />
The Article 29 Working Party developed the following, non-exhaustive list of questions to determine a controller’s main establishment in cases where it is not the place of its central administration in the EU:<br />
<br />
* Where are decisions about the purposes and means of the processing given final “sign off”?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director (or Directors) with overall management responsibility for the cross border processing located?<br />
* Where is the controller or processor registered as a company, if in a single territory?<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 7, section 2.1.1.</ref> <br />
<br />
In the case of a group of undertakings with its headquarters in the EU, the main establishment will be presumed to be the decision-making centre relating to the processing of personal data.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 7, section 2.1.2.</ref> However, if the decisions relating to the processing are taken by another establishment of the controller in the Union, the latter should be considered the main establishment.<ref>For criteria taken into account by the Irish SA to conclude that Twitter had its main establishment in Ireland, see EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, adopted on 9 November 2020, §34, available on <nowiki>https://edpb.europa.eu/sites/default/files/files/file1/edpb_bindingdecision01_2020_en.pdf</nowiki>.</ref> <br />
<br />
Some difficulties may arise when none of the EU establishments takes decisions about the processing (even where there is a headquarters in the EU). In such a case, tellingly called a “borderline case” by the Article 29 Working Party,<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 8, section 2.2.</ref> the GDPR does not provide a clear answer. While the GDPR wants to encourage non-EU controllers to establish themselves in the EU in order to benefit from the one-stop-shop, forum shopping should be avoided: it would be too easy to pretend that decisions are made in the EU while they are actually taken in another establishment outside the EU. The idea of the one-stop-shop is to provide a single SA as interlocutor for the controller and to facilitate the dialogue with the main establishment taking the decisions on the processing. However, the conclusion on the location of the main establishment cannot be based only on a statement of the organisation under review.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 8, section 2.2.</ref> <br />
<br />
It will indeed always be the SA which should determine where the main establishment of the controller is, the controller always bearing the burden of proof to show evidence of where the relevant decisions are taken. The SA can object to the analysis of the controller on the basis of an objective examination of the relevant facts, and on the basis of further information requested from the controller.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 8, section 2.2.</ref> <br />
<br />
<br />
'''''Main establishment of a processor'''''<br />
<br />
''Main establishment is a place of a central administration''<br />
<br />
Similarly to provisions of Article 4(16)(a) regarding the controller, a main establishment of a processor with establishments in more than one Member State is a place of its central administration.<br />
<br />
''There is no central administration in the Union''<br />
<br />
In cases where the processor has no central administration in the Union, the GDPR provides a different alternative from the one applicable to the controller: if the processor does not have a central administration in the Union, its main establishment is the place where the main processing activities take place in the Union, (i) in the context of the activities of an establishment of the processor and (ii) to the extent that the processor is subject to specific obligations under this Regulation. As Tosoni argues, this introduces two qualifications: the first “''implies that the processing of personal data does not need to be carried out 'by' the relevant establishment itself, rather that it is sufficient if the processing is carried out 'in the context of the activities' of the establishment''”, and the second confirms the scope of application of the GDPR to processors.<ref>Tosoni, The EU General Data Protection Regulation (GDPR), Article 4(16), p. 235.</ref> <br />
<br />
<br />
'''''Cases involving both the controller and the processor'''''<br />
<br />
In cases involving both the controller and the processor, the competent lead SA remains the SA of the controller, if there is one. In such a case, the SA of the processor will be a concerned SA as per Article 4(22) GDPR. However, this is not the case if the draft decision concerns only the controller. See Recital 36 GDPR. In cases where the processor is acting for several controllers, it may then be subject to the competence of several SAs.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017. WP 244 rev.01, p. 9, section 2.3</ref> <br />
<br />
<br />
'''''Joint controllership'''''<br />
<br />
The GDPR does not address the situation of joint controllership and does not define specific criteria to determine the lead SA. However, according to Article 26(1), the controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation. The Article 29 Working Party considers that an agreement between the controllers could designate the establishment having the power to implement decisions about the processing with respect to the joint controllership.<ref>Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, as last revised and adopted on 5 April 2017, WP 244 rev.01, p. 8, section 2.1.</ref> This could also be supported by the wording of Recital 79, which implies that the agreement regarding the allocation of responsibilities among controllers should also concern the monitoring and the measures of the SAs. However, this seems to contradict the aim expressed by the EDPB to avoid forum shopping.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, adopted on 9 July 2019, p. 30.</ref> <br />
<br />
<br />
'''''3) Identifying the Lead Supervisory Authority'''''<br />
<br />
Article 56(6) provides that the lead SA shall act as “the sole interlocutor” of the controller or the processor for the processing operations at stake. The lead SA will also lead the cooperation procedure with the SAs concerned under Article 60 GDPR and adopt a draft decision. According to the CJEU, ''“the competence of the lead supervisory authority for the adoption of a decision finding that such processing is an infringement of […] Regulation 2016/679 constitutes the rule, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception”.''<ref>CJEU, 15 June 2021, ''Facebook c. APD'', C-645/19, § 64.</ref> <br />
<br />
In the case of a change of main establishment in the course of cooperation between the SAs, the EDPB considers that “the lead competence can switch to another SA until a final decision is made by the LSA”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, adopted on 9 July 2019, p. 30.</ref> <br />
<br />
Consequently, the lead SA’s competence is not definitive until the very end of the procedure.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 920. </ref> The EDPB stressed that, to prevent “''forum shopping''”, “''SAs should exercise effective control over the notion of main establishment in order to reduce the risk that controllers or processors artificially change their main establishment for the purpose of changing the competent authority to handle the case''”.<ref>EDPB, Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment, adopted on 9 July 2019, p. 30.</ref> <br />
<br />
In case of “conflicting views” on which of the SAs concerned is the lead SA, the EDPB can adopt a decision under the dispute resolution mechanism according to Article 65(1)(b) GDPR. However, in its decision under the dispute resolution mechanism regarding the case of Twitter, the EDPB considered “that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR”.<ref>See in this respect: EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR, 9 November 2020, §52, available on <nowiki>https://edpb.europa.eu/sites/default/files/files/file1/edpb_bindingdecision01_2020_en.pdf</nowiki>.</ref> It seems therefore that a decision on conflicting views can only be taken within a specific procedure under Article 65(1)(b), and that conflicting views on the lead SA cannot be addressed via a reasoned objection within a procedure under Article 65(1)(a). <br />
<br />
<br />
'''Article 56(2)-(5): Data processing relating only to one Member State'''<br />
<br />
'''Article 56(2)''' introduces an exception to the general competence of the SA of the main establishment. It provides that a supervisory authority which is not the lead supervisory authority is competent to handle a complaint lodged with it concerning a cross-border processing of personal data, or a possible infringement of the GDPR, if the subject matter (i) relates only to an establishment in its own Member State or (ii) substantially affects data subjects only in that Member State. While the intention of the legislator seems to be a clear preference for local cases to be handled by the local SA, the text of the provision is confusing and unclear.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 921-923.</ref> <br />
<br />
'''Article 56(3)''' In the event of a “local case” under Article 56(2), the supervisory authority should inform the lead SA “without delay” on that matter. The lead SA shall respond within a period of three weeks whether or not it will handle the case. To take this decision, the lead SA will take into account the presence of an establishment of the controller or processor in the Member State of the SA which informed it. It is, however, not clear how this provision is to be applied in practice.<br />
<br />
'''Article 56(4)''' If the lead SA decides to handle the case, then the one-stop-shop procedure introduced in Article 60 is triggered. However, the supervisory authority which informed the lead SA about the subject matter may submit to the LSA a draft for a decision and the LSA shall take utmost account of that draft (Article 56(4)). The local SA remains in a strong position since it can still suggest a draft decision to the lead SA, which is in general competent to issue such decisions. Article 56(2) does not provide any mechanism similar to Article 65(1), according to which the EDPB can decide in case of conflicting views on the lead SA.<br />
<br />
'''Article 56(5)''' If the lead SA decides not to handle the case, Article 56(5) provides that the supervisory authority which raised the exception shall handle it according to Articles 61 and 62. Those provisions require the supervisory authorities to comply with the rules on mutual assistance and on cooperation within the framework of joint operations, in order to ensure effective cooperation between the authorities concerned.<br />
<br />
<br />
'''Article 56(6): the lead SA as the sole interlocutor of the controller or the processor'''<br />
<br />
Article 56(6) provides that the lead SA will remain the sole interlocutor of the controller or the processor. That means that communication should take place exclusively with the lead SA, so that the controller or processor does not have to conduct parallel discussions with several SAs.<br />
<br />
However, while the competence as a general rule of the lead supervisory authority is confirmed in Article 56(6), ''“that authority must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned. In particular, the lead supervisory authority cannot, in the exercise of its competences, as stated in paragraph 53 of the present judgment, eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned''”.<ref>CJEU, 15 June 2021, ''Facebook c. APD'', C-645/19, § 64.</ref> <br />
<br />
Article 56 does not specify whether the lead SA remains the sole interlocutor of the controller or processor where the local SA is handling the case under Article 56(5). A pragmatic approach would certainly avoid communication issues with the controller or processor.<ref>''Hijmans'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 56, p. 924.</ref> <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 56 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
10.90.129.11 https://gdprhub.eu/index.php?title=Article_60_GDPR&diff=16089 Article 60 GDPR 2021-05-20T11:13:34Z<p>10.90.129.11: /* Relevant and reasoned objection */</p>
<hr />
<div><br />
<br />
== Legal Text ==<br />
<br /><center>'''Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned'''</center><br /><br />
<br />
<span id="1">1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.</span><br />
<br />
<span id="2">2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.</span><br />
<br />
<span id="3">3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.</span><br />
<br />
<span id="4">4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.</span><br />
<br />
<span id="5">5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.</span><br />
<br />
<span id="6">6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.</span><br />
<br />
<span id="7">7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.</span><br />
<br />
<span id="8">8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span><br />
<br />
<span id="9">9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span><br />
<br />
<span id="10">10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span><br />
<br />
<span id="11">11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span><br />
<br />
<span id="12">12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span><br />
<br />
== Relevant Recitals==<br />
''You can help us fill this section!''<br />
<br />
== Commentary ==<br />
<br />
=== The Lead Supervisory Authority cooperates with the other Authorities Concerned ===<br />
The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this article in an endeavour to reach consensus. The wording of the provision indicates that a lead supervisory authority has already been identified under Article 56 and that all the requirements set forth therein are met. <br />
<br />
==== Cooperation ====<br />
Article 60(1) obliges the lead authority to cooperate with the other authorities concerned. As soon as it learns of its responsibility under Article 56(1), the lead authority must take the initiative and, as far as it can, investigate which other supervisory authorities in the Member States could be concerned. Article 60 provides for means and specific guidelines on how the cooperation should take place. However, this catalogue is not exhaustive; rather, all types of cooperation that are “''in accordance with this article''” are not only permitted but encouraged. Finally, the ''duty to cooperate'' is not one-sided, but naturally also applies to the other authorities concerned. <ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 60 GDPR, Margin number 6 (Beck 3rd edition 2020)</ref><br />
<br />
==== Consensus ====<br />
The lead authority is obliged to seek ''consensus'' with the other authorities concerned. The black letter of the law seems to put this obligation specifically on the LSA and not on the other authorities concerned. <ref>''Polenz'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (1st edition 2019)</ref> Above all, this requires that the supervisory authorities concerned are given sufficient opportunity to present their own legal positions in the procedure pursuant to Article 60(3) GDPR and that their positions are incorporated into the final assessment by the lead supervisory authority.<ref>''Polenz'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (1st edition 2019)</ref> The above seems to be confirmed by Recital 125, which specifies that "''the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process''".<br />
<br />
===== Information exchange =====<br />
The obligation to cooperate is particularly specified in an ''obligation to provide information to one another''. Effective Union-wide enforcement of the Regulation requires that all supervisory authorities concerned, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The above remains true even when the identity of the lead supervisory authority is still unclear: the required exchange of information must take place in any case. <br />
<br />
=== Administrative assistance ===<br />
According to Paragraph 2, the lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62. This is especially important in later procedural steps. Before issuing a binding decision, it may be necessary for the lead and the other supervisory authorities concerned to first exercise investigative powers in their own territory towards the main branch and the other branches of the controller or processor.<ref>''Polenz'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 (1st edition 2019)</ref><br />
<br />
=== Procedure ===<br />
Paragraphs 3 to 10 contain a completely new, relatively complex decision-making procedure. This can be divided into two phases: a preparatory phase in which information, drafts and objections are exchanged (Paragraphs 3 to 6) and the actual decision-making stage (Paragraphs 6 to 9). Finally, Paragraph 10 regulates the implementation of the decision by controllers and processors.<ref>''Polenz'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 9 (1st edition 2019)</ref><br />
<br />
The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views. In other words, in accordance with Article 60(1), the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process which eventually results in a draft decision on the case.<br />
<br />
According to Article 60(3) and (4) GDPR, the LSA is required to submit a draft decision to the CSAs, which then may raise a relevant and reasoned objection within a specific time frame (four weeks). Upon receipt of a relevant and reasoned objection, the LSA has two options open to it. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism. If the LSA, on the contrary, follows the objection and issues a revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks.<br />
<br />
When the LSA does not follow an objection or rejects it as not relevant or reasoned and therefore submits the matter to the Board according to Article 65(1)(a) GDPR, it then becomes incumbent upon the Board to adopt a binding decision on whether the objection is “''relevant and reasoned''” and, if so, on all the matters which are the subject of the objection. <br />
<br />
==== Relevant and reasoned objection ====<br />
Article 4(24) GDPR defines “'''''relevant and reasoned objection'''''” as an "''objection to a draft decision as to whether there is an '''infringement of this Regulation''', or whether '''envisaged action''' in relation to the controller or processor complies with this Regulation, which clearly demonstrates the '''significance of the risks''' posed by the draft decision as regards the '''fundamental rights and freedoms''' of data subjects and, where applicable, the '''free flow of personal data''' within the Union''”.<ref>The EDPB provided guidance with respect to the notion of the terms “''relevant and reasoned''”, including what should be considered when assessing whether an objection “''clearly demonstrates the significance of the risks posed by the draft decision''” (Article 4(24) GDPR). See, EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 (8.10.2020) ([https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202009_relevant_and_reasoned_obj_en.pdf available here])</ref><br />
<br />
<br />
=== Final decision ===<br />
The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.<br />
<br />
==== Dismissal ====<br />
By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.<br />
<br />
==== Partial dismissal ====<br />
Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof. <br />
<br />
=== Enforcement ===<br />
After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned. <br />
<br />
=== Urgency procedure ===<br />
Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.<br />
<br />
=== Electronic exchange of information ===<br />
The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.<br />
<br />
== Decisions ==<br />
→ You can find all related decisions in [[:Category:Article 60 GDPR]]<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>10.90.129.11https://gdprhub.eu/index.php?title=GDPRhub_commentary_style_guide&diff=15205GDPRhub commentary style guide2021-04-23T07:37:20Z<p>10.90.129.11: /* Practical tips */</p>
<hr />
<div>This page provides specific guidance on the Commentary. For general information regarding the writing style on the Hub, including on the Commentary, please follow this [https://wiki.noyb.eu/index.php?title=Legal_Writing_Style_Guide guide].<br />
<br />
==General Information for Commentary Articles==<br />
The GDPRhub Commentary features relatively short analysis regarding a GDPR Article. Commentaries should not exceed 4000 words total (including abstract, main text, references and figure legends). They should have an abstract of 50 words or less ("Overview") and no more than 35 references.<br />
==Writing your Commentary Article==<br />
===Overview===<br />
Commentary begins with an introductory paragraph that immediately presents the issues under discussion in a way that captures the reader's interest. The Overview should be general enough to orient the reader not familiar with the specifics of the field being discussed. Here, and throughout the article, the author should avoid the jargon and special terms of his or her field or system.<br />
===Body of the text===<br />
The body of the text should, in the limited space available, develop the discussion in a lively manner. By "lively" we don't mean hype and oversimplification. Rather, the editors seek clear, declarative writing that avoids the passive voice, tangled constructions, and needless detail. Avoid asides that interrupt the flow of the text.<br />
<br />
====Commentary structure====<br />
In general, the commentary should follow the structure of the Article. We prefer an analytical approach. This means that, if possible, we analyse the meaning of the most important sentences included in each paragraph of the Article, and then we move on to the next one, with the same approach. That said, it is also true that we don't need to be that analytical all the time. In other words, if a paragraph is terribly boring or does not deserve more than five minutes of your time, you don't need to split hairs. A general headline will work just fine.<blockquote>Article 12 makes a good example. The provision is made of 8 paragraphs and each one of them is commented on (check the index of contents, [https://gdprhub.eu/Article_12_GDPR here]). However, certain paragraphs (for example 1 and 5) require deeper analysis while others can be grouped in a more general "issue", without further analysis.</blockquote><br />
<br />
====Paragraph numbering====<br />
The Wiki automatically numbers paragraphs once they are given a hierarchy value ("Heading", "Sub-heading 1", "Sub-heading 2", etc). Therefore, there is no need to give a number to each paragraph. If doing so helps you in visualising the structure of the Commentary, do it. Please, remember that no numbers should be given to the paragraphs once the commentary is uploaded on the GDPRhub.<br />
===Citation Style===<br />
<br />
*''Books (monographies)''<br />
**surname(s) of author(s),<br />
**full title,<br />
**publisher ''and'' year in brackets,<br />
**page.<br />
<blockquote><u>Example</u>: Endicott, Administrative Law (OUP 2009), p. 10.</blockquote><br />
<br />
*''Commentaries''<br />
**surname of author(s) [if available], ''in''<br />
**editor if applicable,<br />
**full title,<br />
**Article,<br />
**page or recital.<br />
**publisher ''and'' year in brackets (you may need to also cite 'Edition')<br />
**(if online, provide date of access)<br />
<br />
<blockquote><u>Example</u> (paper): Leupold, Schrems, in Knyrim, Der Datkomm, Article 80, p. 82 [''or'' Rn 49] (Manz 2018).</blockquote><blockquote><u>Example</u> (online): Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 67, Rn 16 (Beck 2018, 2nd ed.) (accessed 22.4.2021)</blockquote><br />
<br />
*''Journal papers''<br />
**surname(s) author(s),<br />
**full title, ''in''<br />
**full name of the journal,<br />
**volume number (if available),<br />
**(year),<br />
**page or page numbers.<br />
**(if online, provide link and date of access)<br />
<blockquote><u>Example</u>: Alison Young, In Defence of Due Deference, in Modern Language Review, 72, (2009), p. 554.</blockquote><br />
<br />
*''EDPB/DPAs guidelines, opinions'' --> name of the authority (EDPB, CNIL, etc.), title, date, page number<br />
<br />
<blockquote><u>Example</u>: EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 12.</blockquote><br />
<br />
*''EDPB, DPA, Court decisions'' --> name of the authority, date, parties, case number, relevant paragraphs (if possible) + link to the GDPRhub summary (if available) [if not available, link to the official decision or reference to the book or journal that features the decision]<br />
**<u>Example</u>: CJEU, 12.7.2005, Schempp, C-403/03, § 19 (available here [LINK])<br />
<br />
==Practical tips==<br />
<br />
* Please, <u>always cite the full work in each footnote</u>. In other words, <u>do not</u> use "op. cit", "ibid", "Idem" and similar;<br />
* Where there are two authors, both should be named; with three or more only the first author's name plus "et al." need be given.<br />
* <u>Do not</u> use footnotes in your Word draft. It will be easier for you to upload the file to the Hub and use the "Cite" feature on the Wiki.<br />
<br />
<blockquote>Example: "''Articles 39(1)(d) and (e) lay down the DPO’s obligations in relation to the supervisory authorities. For example, the DPO could facilitate cooperation of the organisation in prior consultation procedures or DPA investigations.'' [6. Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 67, Rn 16 (Beck 2018, 2nd ed.) (accessed 22.4.2021)]"</blockquote></div>10.90.129.11https://gdprhub.eu/index.php?title=ICO_-_FS50819531&diff=7512ICO - FS508195312020-01-20T19:34:16Z<p>10.90.129.11: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |ICO - FS50819531<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#023868;" |[[File:ICOLOGO.png|center]]<br />
|-<br />
|Authority:||[[ICO (UK)]]<br />
[[Category:ICO (UK)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the United Kingdom|United Kingdom]]<br />
[[Category: United Kingdom]]<br />
|-<br />
|Relevant Law:||<br />
[[Article 4 GDPR#1|Article 4(1) GDPR]]<br />
[[Category:Article 4(1) GDPR]]<br />
<br />
[[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] <br />
[[Category:Article 5(1)(a) GDPR]]<br />
<br />
[[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] <br />
[[Category:Article 6(1)(f) GDPR]]<br />
<br />
[http://www.legislation.gov.uk/ukpga/2018/12/section/3 Section 3(2) DPA] <br />
<br />
[http://www.legislation.gov.uk/ukpga/2000/36/contents 40(2) FOIA]<br />
|-<br />
|Type:||Complaint<br />
|-<br />
|Outcome:||Rejected<br />
|-<br />
|Decided:||28.10.2019<br />
[[Category:2019]]<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Fine:||none<br />
|-<br />
|Parties:||[https://www.pendle.gov.uk/ Pendle Borough Council] Vs. anonymous<br />
|-<br />
|National Case Number:||FS50819531<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||[[Category:English]]<br />
English<br />
|-<br />
|Original Source:||[https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616170/fs50819531.pdf ICO (EN)]<br />
|}<br />
The ICO issued a decision regarding access to third party personal data. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The complainant requested from Pendle Borough Council (the Council) a copy of an inspection report relating to named kennels. The Council refused, as it considered the report to contain third party personal data exempt under section 40(2) of the Freedom of Information Act (FOIA). The complainant challenged the decision before the ICO. <br />
<br />
===Dispute===<br />
Is the information personal data? Would disclosure contravene the GDPR principles? Which legitimate interests are at stake? Is disclosure necessary? <br />
<br />
===Holding===<br />
The ICO confirmed that the requested information constituted personal data pursuant to Section 3(2) of the Data Protection Act (DPA) and Article 4(1) GDPR. Pursuant to the FOIA and the GDPR, the ICO balanced the right to information against the protection of the personal data at issue in order to assess whether disclosure would contravene the principle in Article 5(1)(a) GDPR. It found that the interest in the requested information did not override the third party's right to privacy. The ICO therefore held that the refusal was justified and that the Council was entitled to withhold the information under section 40(2) of the FOIA by virtue of section 40(3A)(a), since disclosure would contravene the Article 5(1)(a) GDPR principle. <br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English official version==<br />
<pre><br />
to be completed.. <br />
</pre></div>10.90.129.11https://gdprhub.eu/index.php?title=ICO_-_FER0851659&diff=7511ICO - FER08516592020-01-20T19:32:56Z<p>10.90.129.11: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |ICO - FER0851659<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#023868;" |[[File:ICOLOGO.png|center]]<br />
|-<br />
|Authority:||[[ICO (UK)]]<br />
[[Category:ICO (UK)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the United Kingdom|United Kingdom]]<br />
[[Category: United Kingdom]]<br />
|-<br />
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]]<br />
[[Category:Article 4(1) GDPR]]<br />
<br />
[[Article 9 GDPR]] <br />
[[Category:Article 9 GDPR]]<br />
<br />
[[Article 10 GDPR]] <br />
[[Category:Article 10 GDPR]]<br />
<br />
[http://www.legislation.gov.uk/uksi/2004/3391/contents/made Regulation 5(3) EIR]<br />
|-<br />
|Type:||Complaint<br />
|-<br />
|Outcome:||Rejected<br />
|-<br />
|Decided:||01.11.2019<br />
[[Category:2019]]<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Fine:||none<br />
|-<br />
|Parties:||[https://www.canterbury.gov.uk/ Canterbury City Council]<br />
|-<br />
|National Case Number:||FER0851659<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||[[Category:English]]<br />
English<br />
|-<br />
|Original Source:||[https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616232/fer0851659.pdf ICO (EN)]<br />
|} <br />
<br />
The ICO issued a decision related to disclosure of information held by public authorities which was likely to include personal data.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The complainant requested the disclosure of information about third parties' complaints concerning his property. Canterbury City Council withheld the information, as disclosure would have revealed the identity of those third parties without justification and would thus have breached the GDPR principles. The complainant challenged the decision before the ICO. <br />
<br />
===Dispute=== <br />
<br />
===Holding=== <br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English official version==<br />
<pre><br />
to be completed.. <br />
</pre></div>10.90.129.11https://gdprhub.eu/index.php?title=ICO_-_FS50839431&diff=7502ICO - FS508394312020-01-20T18:56:35Z<p>10.90.129.11: </p>
<hr />
<div>[[Category:2019]]<br />
[[Category:Article 12(5) GDPR]]<br />
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |ICO - FS50839431<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#023868;" |[[File:ICOLOGO.png|center]]<br />
|-<br />
|Authority:||[[ICO (UK)]]<br />
[[Category:ICO (UK)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the United Kingdom|United Kingdom]]<br />
[[Category: United Kingdom]]<br />
|-<br />
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]] <br />
[[Category:Article 4(1) GDPR]]<br />
<br />
[[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] <br />
[[Category:Article 5(1)(a) GDPR]]<br />
<br />
[[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]<br />
[[Category:Article 6(1)(f) GDPR]]<br />
<br />
[http://www.legislation.gov.uk/ukpga/2018/12/section/3 Section 3(2) DPA] <br />
<br />
[http://www.legislation.gov.uk/ukpga/2000/36/contents 40(2) FOIA]<br />
|-<br />
|Type:||Complaint<br />
|-<br />
|Outcome:||Rejected<br />
|-<br />
|Decided:||1.11.2019<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Fine:||None<br />
|-<br />
|Parties:||University of Leicester Vs. anonymous<br />
|-<br />
|National Case Number:||FS50839431<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||[[Category:English]]<br />
English<br />
|-<br />
|Original Source:||[https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616248/fs50839431.pdf ICO (EN)]<br />
|} <br />
The ICO issued a decision regarding the refusal of access to third party personal data.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The complainant has requested information from University of Leicester about external examiners for the department of engineering between the years 2010 to 2018. The University withheld the information, citing section 40(2) (personal information) of the FOIA. <br />
<br />
The complainant challenged the decision before the ICO. <br />
<br />
===Dispute===<br />
The Commissioner considers the scope of her investigation to be to establish whether the University is entitled to withhold the requested information under section 40(2) of the FOIA. <br />
<br />
===Holding===<br />
As regards the applicability of section 40(2) FOIA, it must be determined whether the withheld information constitutes personal data and, if so, whether disclosure of that data would breach any of the data protection principles under the Data Protection Act. <br />
<br />
According to the ICO the information at stake is personal data. The fact that information constitutes the personal data of identifiable living individuals does not automatically exclude it from disclosure under the FOIA.<br />
<br />
The second element of the test is to determine whether disclosure would contravene any of the data protection principles. In the present case, the most relevant principle is the one protected under Article 5(1)(a) GDPR: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject".<br />
<br />
The Commissioner considers that the most likely applicable lawful basis is the legitimate interest of the controller under Article 6(1)(f) GDPR. In considering the application of Article 6(1)(f) GDPR in the context of a request for information under FOIA it is necessary to consider the three-part test: (i) legitimate interest, (ii) necessity and (iii) balancing of conflicting interests.<br />
<br />
The Commissioner accepts that the complainant has (i) a legitimate interest in seeing the requested information and that the disclosure is (ii) necessary for meeting a legitimate public interest. Such interest is to be (iii) balanced against the data subjects’ interests.<br />
<br />
In carrying out the assessment under (iii) it is necessary to consider the impact of disclosure in terms of harm or distress, the reasonable expectations of the individual as well as whether the information is already in the public domain.<br />
<br />
Within the University’s response to the Commissioner’s enquiries, it outlined that at the time of the request, the external examiners for that academic year had also been the external examiners for the previous two academic years. Therefore, the University argued, any student who had concerns about any conflicts of interest an external examiner might have had, would already have had two years in which to complain.<br />
<br />
Based on the above factors, the Commissioner has determined that there is insufficient legitimate interest to outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is no Article 6 basis for processing and so the disclosure of the information would not be lawful.<br />
<br />
In conclusion, the ICO decided that the University was entitled to rely on the exemption at section 40(2) FOIA.<br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English official version==<br />
<pre><br />
to be completed.. <br />
</pre></div>10.90.129.11https://gdprhub.eu/index.php?title=ICO_-_FS50777458&diff=7491ICO - FS507774582020-01-20T18:07:21Z<p>10.90.129.11: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |ICO - FS50777458<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#023868;" |[[File:ICOLOGO.png|center]]<br />
|-<br />
|Authority:||[[ICO (UK)]]<br />
[[Category:ICO (UK)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the United Kingdom|United Kingdom]]<br />
[[Category: United Kingdom]]<br />
|-<br />
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]] <br />
[[Category:Article 4(1) GDPR]]<br />
<br />
[[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] <br />
[[Category:Article 5(1)(a) GDPR]]<br />
<br />
[[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] <br />
[[Category:Article 6(1)(f) GDPR]]<br />
<br />
[http://www.legislation.gov.uk/ukpga/2018/12/section/3 Section 3(2) DPA] <br />
<br />
[http://www.legislation.gov.uk/ukpga/2000/36/contents 40(2) FOIA]<br />
|-<br />
|Type:||Complaint<br />
|-<br />
|Outcome:||Upheld<br />
|-<br />
|Decided:||7.11.2019<br />
[[Category:2019]]<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Fine:||none<br />
|-<br />
|Parties:||Wales Interpretation and Translation Service Vs. anonymous<br />
|-<br />
|National Case Number:||FS50777458<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||[[Category:English]]<br />
English<br />
|-<br />
|Original Source:||[https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616299/fs50777458-1.pdf ICO (EN)]<br />
|} <br />
The ICO issued a decision on the necessity of disclosing information held by a public entity in order to satisfy the legitimate public interests of accountability and transparency. <br />
<br />
==English Summary==<br />
===Facts===<br />
The complainant requested copies of the minutes of the Wales Interpretation and Translation Service's meetings. Cardiff Council provided him with redacted copies; in particular, the names of the attendees were omitted. In substantiating its response, Cardiff Council cited section 40(2) and section 43(2) of the FOIA. The complainant filed a complaint with the ICO because he wanted access to the redacted information. <br />
<br />
===Dispute===<br />
The first step for the Commissioner is to determine whether the exemptions set forth in sections 40(2) and 43(2) FOIA apply to the case. <br />
<br />
===Holding===<br />
As regards the applicability of section 40(2) FOIA, it must be determined whether the withheld information constitutes personal data and, if so, whether disclosure of that data would breach any of the data protection principles under the Data Protection Act. <br />
<br />
According to the ICO the information at stake is personal data. The fact that information constitutes the personal data of identifiable living individuals does not automatically exclude it from disclosure under the FOIA. <br />
<br />
The second element of the test is to determine whether disclosure would contravene any of the data protection principles. In the present case, the most relevant principle is the one protected under Article 5(1)(a) GDPR: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject". <br />
<br />
The Commissioner considers that the most likely applicable lawful basis is the legitimate interest of the controller under Article 6(1)(f) GDPR. In considering the application of Article 6(1)(f) GDPR in the context of a request for information under FOIA it is necessary to consider the three-part test: (i) legitimate interest, (ii) necessity and (iii) balancing of conflicting interests. <br />
<br />
The Commissioner accepts that the complainant has (i) a legitimate interest in seeing the requested information and that, as an advocate for the local deaf community, the disclosure is (ii) necessary for meeting a legitimate public interest. Such interest is to be (iii) balanced against the data subjects’ interests whose names were redacted. In doing so, it is necessary to consider inter alia the impact of disclosure. <br />
<br />
In the Commissioner’s view, a key issue is whether the individuals concerned have a reasonable expectation that their information will not be disclosed. It is also important to consider whether disclosure would be likely to result in unwarranted damage or distress to that individual. <br />
<br />
Each individual is representing their employer organisation on an important body for the local deaf community. Moreover, the Commissioner has been unable to identify any specific harm or distress that disclosure may cause. <br />
<br />
Based on the above factors, the Commissioner has determined that there is sufficient legitimate interest to outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is an Article 6 basis for processing (in this case Article 6(1)(f)). Moreover, the Commissioner specifies that Cardiff Council has failed to demonstrate that the exemption at section 40(2) is engaged. <br />
<br />
Under section 43(2) FOIA (prejudice to commercial interests), information is exempt from disclosure if its disclosure would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it). Cardiff Council stated that the “information sought is too commercially sensitive” and that releasing the information may affect the working relationship between the Council and the third parties, which may prejudice the best value achieved by the Council. <br />
<br />
The Commissioner asked the Council to provide full arguments specifying why it considers that the exemption is engaged, pointing out that these should include details of whose commercial interests it believes would be prejudiced in the event of disclosure and details of the nature of the prejudice itself. The Commissioner wrote to the Council pointing out these omissions and notes that the Council merely repeated the arguments from its previous response. She therefore has no alternative but to conclude that section 43(2) is not engaged in respect of the withheld information. <br />
<br />
In light of the above, the Commissioner required the public authority to provide a copy of the full, unredacted minutes to the complainant. <br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English official version==<br />
<pre><br />
to be completed.. <br />
</pre></div>10.90.129.11https://gdprhub.eu/index.php?title=ICO_-_FS50777458&diff=7490ICO - FS507774582020-01-20T18:05:30Z<p>10.90.129.11: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |ICO - FS50777458<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#023868;" |[[File:ICOLOGO.png|center]]<br />
|-<br />
|Authority:||[[ICO (UK)]]<br />
[[Category:ICO (UK)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the United Kingdom|United Kingdom]]<br />
[[Category: United Kingdom]]<br />
|-<br />
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]] <br />
[[Category:Article 4(1) GDPR]]<br />
<br />
[[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] <br />
[[Category:Article 5(1)(a) GDPR]]<br />
<br />
[[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] <br />
[[Category:Article 6(1)(f) GDPR]]<br />
<br />
[http://www.legislation.gov.uk/ukpga/2018/12/section/3 Section 3(2) DPA] <br />
<br />
[http://www.legislation.gov.uk/ukpga/2000/36/contents Section 40(2) FOIA]<br />
|-<br />
|Type:||Complaint<br />
|-<br />
|Outcome:||Upheld<br />
|-<br />
|Decided:||7.11.2019<br />
[[Category:2019]]<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Fine:||none<br />
|-<br />
|Parties:||Wales Interpretation and Translation Service Vs. anonymous<br />
|-<br />
|National Case Number:||FS50777458<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||[[Category:English]]<br />
English<br />
|-<br />
|Original Source:||[https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616299/fs50777458-1.pdf ICO (EN)]<br />
|} <br />
The ICO issued a decision on whether disclosure of information held by a public entity was necessary to satisfy the legitimate public interests of accountability and transparency. <br />
<br />
==English Summary==<br />
===Facts===<br />
The complainant requested copies of minutes of the Wales Interpretation and Translation Service's meetings. Cardiff Council provided him with redacted copies; in particular, the names of the attendees were omitted. In substantiating its response, Cardiff Council cited section 40(2) and section 43(2) of the FOIA. The complainant filed a complaint with the ICO because he wanted access to that information. <br />
<br />
===Dispute===<br />
The first step for the Commissioner is to determine whether the exemptions set forth in sections 40(2) and 43(2) FOIA apply to the case. <br />
<br />
===Holding===<br />
As regards the applicability of section 40(2) FOIA, it must be determined whether the withheld information constitutes personal data and, if so, whether disclosure of that data would breach any of the data protection principles under the Data Protection Act. <br />
<br />
According to the ICO, the information at stake is personal data. The fact that information constitutes the personal data of identifiable living individuals does not automatically exclude it from disclosure under the FOIA. <br />
<br />
The second element of the test is to determine whether disclosure would contravene any of the data protection principles. In the present case, the most relevant principle is the one protected under Article 5(1)(a) GDPR: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject". <br />
<br />
The Commissioner considers that the most likely applicable lawful basis is the legitimate interest of the controller under Article 6(1)(f) GDPR. In considering the application of Article 6(1)(f) GDPR in the context of a request for information under FOIA, it is necessary to apply the three-part test: (i) legitimate interest, (ii) necessity and (iii) balancing of conflicting interests. <br />
<br />
The Commissioner accepts that the complainant has (i) a legitimate interest in seeing the requested information and that, as an advocate for the local deaf community, the disclosure is (ii) necessary for meeting a legitimate public interest. That interest must then be (iii) balanced against the interests of the data subjects whose names were redacted. In doing so, it is necessary to consider inter alia the impact of disclosure. <br />
<br />
In the Commissioner’s view, a key issue is whether the individuals concerned have a reasonable expectation that their information will not be disclosed. It is also important to consider whether disclosure would be likely to result in unwarranted damage or distress to those individuals. <br />
<br />
Each individual is representing their employer organisation on an important body for the local deaf community. Moreover, the Commissioner has been unable to identify any specific harm or distress that disclosure may cause. <br />
<br />
Based on the above factors, the Commissioner has determined that there is sufficient legitimate interest to outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is an Article 6 basis for processing (in this case Article 6(1)(f)). Accordingly, the Commissioner finds that Cardiff Council has failed to demonstrate that the exemption at section 40(2) is engaged. <br />
<br />
Under section 43(2) FOIA (prejudice to commercial interests), information is exempt from disclosure if its disclosure would, or would be likely to, prejudice the commercial interests of any person (including the public authority holding it). Cardiff Council stated that the “information sought is too commercially sensitive” and that releasing the information may affect the working relationship between the Council and the third parties, which may prejudice the best value achieved by the Council. <br />
<br />
The Commissioner asked the Council to provide full arguments specifying why it considers that the exemption is engaged, pointing out that these should include details of whose commercial interests it believes would be prejudiced in the event of disclosure and details of the nature of the prejudice itself. The Commissioner wrote to the Council pointing out these omissions and notes that the Council merely repeated the arguments from its previous response. She therefore has no alternative but to conclude that section 43(2) is not engaged in respect of the withheld information. <br />
<br />
In light of the above, the Commissioner required the public authority to provide a copy of the full, unredacted minutes to the complainant. <br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English official version==<br />
<pre><br />
to be completed.. <br />
</pre></div>10.90.129.11https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=7488Article 12 GDPR2020-01-20T16:45:41Z<p>10.90.129.11: /* (8) Information to be presented by the icons */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 11 GDPR|←]] Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject [[Article 13 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<center>'''Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject'''</center><span id="1"> 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.</span><br />
<br />
<span id="2"> 2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.</span><br />
<br />
<span id="3"> 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.</span><br />
<br />
<span id="4"> 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.</span><br />
<br />
<span id="5"> 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:</span><br />
<br />
:<span id="5a"> (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or</span><br />
:<span id="5b">(b) refuse to act on the request.</span><br />
<br />
<span id=""> The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.</span><br />
<br />
<span id="6"> 6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.</span><br />
<br />
<span id="7"> 7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.</span><br />
<br />
<span id="8"> 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r39"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 39:''' Lawful and fair processing</div><br />
<div class="mw-collapsible-content"><br />
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.<br />
</div></div><br />
<br />
<span id="r57"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 57:''' Processing which does not require identification</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div><br />
<br />
<span id="r58"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 58:''' Requirements, form and structure of the information</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div><br />
<br />
<span id="r59"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 59:''' Facilitate the exercise of data subject's rights</div><br />
<div class="mw-collapsible-content"><br />
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.<br />
</div></div><br />
<br />
<span id="r60"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 60:''' Information provision </div><br />
<div class="mw-collapsible-content"><br />
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.<br />
</div></div><br />
<br />
<span id="r64"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 64:''' Verification of the data subject's identity</div><br />
<div class="mw-collapsible-content"><br />
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.<br />
</div></div><br />
<br />
==Commentary==<br />
<br />
===(1) Requirements of the information in the GDPR===<br />
In describing the general requirements of the information to be provided to the user, paragraph 1 refers to Articles 13, 14, 15 to 22 and 34 of the GDPR. Considered together, these provisions exhaust all the cases of communication and information provided by the controller to the data subject. <br />
<br />
It follows that, no matter whether the information refers to a forthcoming processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. <br />
<br />
====Conciseness====<br />
Controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue. This information should be clearly differentiated from other, non-privacy-related information such as contractual provisions or general terms of use. <br />
<br />
The use of a layered privacy statement/notice enables a data subject to navigate directly to the particular section of the privacy statement/notice they want to access, rather than having to scroll through large amounts of text searching for particular issues.<br />
<br />
====Transparency====<br />
A data subject should be able to determine in advance what the scope and consequences of the processing entail, and they should not be taken by surprise at a later point about the ways in which their personal data has been used (Recital 39). <br />
<br />
In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.<br />
<br />
====Intelligibility====<br />
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. An accountable data controller will have knowledge about the people they collect information about and can use this knowledge to determine what that audience would likely understand.<br />
<br />
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.<br />
<br />
====Easily accessible form====<br />
The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).<br />
<br />
====Clear and plain language====<br />
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. <br />
<br />
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.<br />
<br />
====Forms of the information====<br />
Under [[Article 12 GDPR#1|Article 12(1)]], the default provision of information to, or communications with, data subjects should be done in writing (also, according to [[Article 12 GDPR#7|Article 12(7)]], in combination with standardised icons).<br />
<br />
However, the GDPR also allows for other, unspecified “means”, including electronic means, to be used. With regard to written electronic means, WP29’s position is that where a data controller maintains (or operates, in part or in full, through) a website, it should use layered privacy statements/ notices, which allow website visitors to navigate to particular aspects of the relevant privacy statement/ notice that are of most interest to them.<br />
<br />
Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.<br />
<br />
“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).<br />
<br />
[[Article 12 GDPR#1|Article 12(1)]] specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient assurance. <br />
<br />
===(2) Exercise of rights===<br />
The exercise of rights by the data subject is one of the distinctive aspects of the new regime. Only full recognition of these rights makes it possible for the data subject to control their personal data. This objective requires broad protection, which the legislator provides by defining rules aimed at facilitating the exercise of rights by the user. <br />
<br />
===(3) Time limit===<br />
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.<br />
<br />
===(4) No actions taken by the controller===<br />
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.<br />
<br />
===(5) Free of charge===<br />
Under [[Article 12 GDPR#5|Article 12(5)]], data controllers cannot generally charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). This aspect of transparency also means that any information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.<br />
<br />
====Exceptions====<br />
Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, if the requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable expense contribution ([[Article 12 GDPR#5|Article 12(5)]]). This is clearly an exception to the rule which, as such, must be interpreted restrictively.<br />
<br />
If the request is not manifestly unfounded or repetitive, the controller cannot charge any fee, regardless of whether one was provided for in the contract terms. GDPR rights are highly personal rights and cannot be assigned away by the data subject by accepting an electronically signed contract.<br />
<br />
====Burden of proof====<br />
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.<br />
<br />
===(6) Verifying the data subject===<br />
The identification of the data subject is one of the most delicate aspects of the Regulation. In many cases, in fact, the controller rejects users' requests because of alleged problems related to their identification. <br />
<br />
From a strictly conceptual point of view, the question is simple: all processing of personal data presupposes the existence of a given subject to whom rights are obviously assigned. Consequently, the controller is obliged to respect those rights when a request is made. The problem arises when the controller has to verify the correspondence between the person exercising the right and the person to whom the data belong. In these cases, it is possible that the applicant disguises his/her identity and pretends to be the data subject, with the risk that, if the request is accepted, the data may be communicated to unauthorised persons. <br />
<br />
If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21, additional information may be asked to confirm the identity. In doing so, the controller may use "all reasonable measures" (Recital 64) including contacting them via known contact details, such as a phone number or a postal address. <br />
<br />
In the context of online services, the authentication of the data subject can be pursued by providing a procedure for certifying the digital identification - for example, by sending a secret code, or a link containing a unique token, to the email address used for the registration.<br />
<br />
===(7) Standardised icons===<br />
The GDPR provides for visualisation tools (referencing in particular icons, certification mechanisms, and data protection seals and marks) where appropriate. Recital 58 indicates that the accessibility of information addressed to the public or to data subjects is especially important in the online environment.<br />
<br />
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.<br />
<br />
===(8) Code of icons===<br />
In line with Recital 166, the development of a code of icons should be centred upon an evidence-based approach, and in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 12 GDPR]]<br />
<br />
==References==<br />
<references />→ [https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)]<br />
[[Category:GDPR Articles]]</div>10.90.129.11https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=7486Article 12 GDPR2020-01-20T16:31:05Z<p>10.90.129.11: /* References */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 11 GDPR|←]] Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject [[Article 13 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<center>'''Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject'''</center><span id="1"> 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.</span><br />
<br />
<span id="2"> 2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.</span><br />
<br />
<span id="3"> 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.</span><br />
<br />
<span id="4"> 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.</span><br />
<br />
<span id="5"> 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:</span><br />
<br />
:<span id="5a"> (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or</span><br />
:<span id="5b">(b) refuse to act on the request.</span><br />
<br />
<span id=""> The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.</span><br />
<br />
<span id="6"> 6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.</span><br />
<br />
<span id="7"> 7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.</span><br />
<br />
<span id="8"> 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r39"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 39:''' Lawful and fair processing</div><br />
<div class="mw-collapsible-content"><br />
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.<br />
</div></div><br />
<br />
<span id="r57"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 57:''' Processing which does not require identification</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div><br />
<br />
<span id="r58"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 58:''' Requirements, form and structure of the information</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div><br />
<br />
<span id="r59"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 59:''' Facilitate the exercise of data subject's rights</div><br />
<div class="mw-collapsible-content"><br />
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.<br />
</div></div><br />
<br />
<span id="r60"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 60:''' Information provision </div><br />
<div class="mw-collapsible-content"><br />
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.<br />
</div></div><br />
<br />
<span id="r64"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 64:''' Verification of the data subject's identity</div><br />
<div class="mw-collapsible-content"><br />
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.<br />
</div></div><br />
<br />
==Commentary==<br />
<br />
===(1) Requirements of the information in the GDPR===<br />
In describing the general requirements for the information to be provided to the data subject, paragraph 1 refers to Articles 13, 14, 15 to 22 and 34 GDPR. Taken together, these provisions cover every case in which the controller provides information or a communication to the data subject. <br />
<br />
It follows that, no matter whether the information refers to a forthcoming processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. <br />
<br />
====Conciseness====<br />
Controllers should present the information or communication efficiently and succinctly in order to avoid information fatigue. It should be clearly differentiated from other, non-privacy-related information such as contractual provisions or general terms of use. <br />
<br />
A layered privacy statement/notice enables a data subject to navigate directly to the section they want to access, rather than having to scroll through large amounts of text in search of a particular issue.<br />
<br />
====Transparency====<br />
A data subject should be able to determine in advance what the scope and consequences of the processing are, and should not be taken by surprise at a later point by the ways in which their personal data have been used (Recital 39). <br />
<br />
In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.<br />
<br />
====Intelligibility====<br />
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. An accountable data controller will have knowledge about the people it collects information about and can use this knowledge to determine what that audience is likely to understand.<br />
<br />
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.<br />
<br />
====Easily accessible form====<br />
The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).<br />
<br />
====Clear and plain language====<br />
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. <br />
<br />
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.<br />
<br />
====Forms of the information====<br />
Under [[Article 12 GDPR#1|Article 12(1)]], the default provision of information to, or communications with, data subjects should be done in writing (also, according to [[Article 12 GDPR#7|Article 12(7)]], in combination with standardised icons).<br />
<br />
However, the GDPR also allows for other, unspecified “means”, including electronic means, to be used. With regard to written electronic means, WP29 recommends that a data controller which maintains (or operates, in part or in full, through) a website use layered privacy statements/notices, which allow website visitors to navigate to the particular aspects of the privacy statement/notice that are of most interest to them.<br />
<br />
Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.<br />
<br />
“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).<br />
<br />
[[Article 12 GDPR#1|Article 12(1)]] specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient assurance. <br />
<br />
===(2) Exercise of rights===<br />
The exercise of rights by the data subject is one of the distinctive features of the Regulation: only the full and effective recognition of those rights allows data subjects to control their personal data. The legislator therefore lays down rules designed to facilitate their exercise, and paragraph 2 expressly obliges the controller to facilitate the exercise of the rights under Articles 15 to 22. Where the controller processes data without identifying the data subject (Article 11(2)), it may refuse to act on a request only if it demonstrates that it is not in a position to identify the data subject and, per Recital 57, it may not refuse additional information that the data subject offers in order to support the exercise of his or her rights. <br />
<br />
===(3) Time limit===<br />
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.<br />
<br />
===(4) No actions taken by the controller===<br />
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.<br />
<br />
===(5) Free of charge===<br />
Under [[Article 12 GDPR#5|Article 12(5)]], data controllers cannot generally charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). This aspect of transparency also means that any information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.<br />
<br />
====Exceptions====<br />
Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs, or refuse to act on the request ([[Article 12 GDPR#5|Article 12(5)]]). This is an exception to the rule and, as such, must be interpreted restrictively.<br />
<br />
If the request is not manifestly unfounded or excessive, the controller cannot charge any fee, regardless of whether a fee was provided for in the contract terms. The rights granted by the GDPR are personal to the data subject and cannot be waived or signed away by accepting a contract, including an electronically signed one.<br />
<br />
====Burden of proof====<br />
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.<br />
<br />
===(6) Verifying the data subject===<br />
The identification of the data subject is one of the most delicate aspects of the Regulation. In practice, controllers frequently reject requests on the ground of alleged problems in identifying the requester. <br />
<br />
From a strictly conceptual point of view the question is simple: every processing of personal data presupposes a data subject, to whom the rights under the Regulation are assigned, and the controller is obliged to honour those rights when they are exercised. The difficulty arises when the controller has to verify that the person exercising the right is in fact the person to whom the data relate. An applicant may misrepresent their identity and pose as the data subject; if such a request were granted, the data would be disclosed to an unauthorised person. An access request is therefore itself a channel through which personal data can leak, and the verification step is what keeps it from becoming one. <br />
<br />
If the controller has reasonable doubts concerning the identity of the natural person making a request under Articles 15 to 21, it may request additional information necessary to confirm that identity ([[Article 12 GDPR#6|Article 12(6)]]). In doing so, the controller may use "all reasonable measures" (Recital 64), including contacting the data subject via contact details it already holds, such as a phone number or a postal address. The request for additional information must be limited to what is necessary to confirm identity, and Recital 64 adds that a controller should not retain personal data solely in order to be able to react to potential requests. <br />
<br />
In the context of online services, the data subject can be authenticated through their existing digital identity (Recital 57), for example by having them log in with the credentials they already use for the service, or by sending a secret code, or a link containing a unique token, to the email address used at registration. Such a code or token should be sent only to the contact channel already on file (not to an address supplied in the request itself), and should be single-use and short-lived, so that an intercepted or guessed value cannot be replayed.<br />
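The verification flow described above, as an added worked example in Python (not code from GDPRhub or from the WP29 guidelines): the controller issues a single-use, time-limited token, stores only its hash, delivers the link solely to the e-mail address already on file, and burns the token on first successful use. The account store, request identifiers, link format and delivery step are assumptions, and delivery is simulated so that the example runs offline.<br />

```python
"""Verifying a data subject's identity for a rights request with a
single-use, time-limited token sent to the contact address on file.

Added illustration; not code from GDPRhub or the WP29 guidelines. The
account store, request ids, link format and delivery step are
assumptions, and delivery is simulated so the example runs offline.
"""
import hashlib
import hmac
import secrets
import time
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a short validity window for the link

# Constructed sample account store: the contact details the controller
# already holds. Recital 57 points to reusing the data subject's existing
# digital identity rather than collecting new identity data.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "user-42": {"email": "alice@example.org"},
}


@dataclass
class PendingVerification:
    account_id: str
    token_hash: bytes      # only a hash is stored; a leaked table yields no usable tokens
    expires_at: float
    used: bool = False


@dataclass
class DsarVerifier:
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # (recipient, link); simulated delivery
    pending: Dict[str, PendingVerification] = field(default_factory=dict)

    def start(self, request_id: str, account_id: str, now: Optional[float] = None) -> bool:
        """Issue a verification link for request `request_id`.

        The link goes only to the address already registered for the
        account, never to an address supplied in the request itself, so a
        requester who merely knows an account id cannot redirect it.
        Returns False when the account is unknown (Recital 64: reasonable
        doubt, so no link is sent).
        """
        now = time.time() if now is None else now
        account = ACCOUNTS.get(account_id)
        if account is None:
            return False
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.pending[request_id] = PendingVerification(
            account_id=account_id,
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        query = urllib.parse.urlencode({"rid": request_id, "t": token})
        link = f"https://controller.example/dsar/verify?{query}"  # assumed URL
        self.outbox.append((account["email"], link))
        return True

    def verify(self, request_id: str, presented_token: str, now: Optional[float] = None) -> bool:
        """Confirm identity; the token is rejected if unknown, expired or already used."""
        now = time.time() if now is None else now
        pv = self.pending.get(request_id)
        if pv is None or pv.used or now > pv.expires_at:
            return False
        presented_hash = hashlib.sha256(presented_token.encode()).digest()
        if not hmac.compare_digest(presented_hash, pv.token_hash):  # constant-time comparison
            return False
        pv.used = True  # burn the token on first successful use
        return True


def token_from_link(link: str) -> str:
    """Extract the token parameter from a verification link (what the mail recipient clicks)."""
    query = urllib.parse.urlparse(link).query
    return urllib.parse.parse_qs(query)["t"][0]


if __name__ == "__main__":
    v = DsarVerifier()
    v.start("req-1", "user-42")
    recipient, link = v.outbox[0]
    print("sent to", recipient)
    print("first use ok:", v.verify("req-1", token_from_link(link)))
    print("replay ok:", v.verify("req-1", token_from_link(link)))
```

Storing only the hash means a leaked pending-requests table yields no usable links, the constant-time comparison avoids a timing side channel on the token check, and returning the same negative result for unknown accounts, expired tokens and already-used tokens avoids telling an applicant which of those conditions applied.<br />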
<br />
===(7) Standardised icons===<br />
The GDPR provides for visualisation tools (in particular icons, certification mechanisms, and data protection seals and marks) where appropriate. Recital 58 indicates that the accessibility of information addressed to the public or to data subjects is especially important in the online environment.<br />
<br />
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.<br />
<br />
===(8) Information to be presented by the icons===<br />
The GDPR assigns responsibility for the development of a code of icons to the Commission, but the European Data Protection Board may, either at the request of the Commission or of its own accord, provide the Commission with an opinion on such icons. WP29 recognises that, in line with Recital 166, the development of a code of icons should be centred upon an evidence-based approach, and that in advance of any such standardisation extensive research will need to be conducted, in conjunction with industry and the wider public, as to the efficacy of icons in this context.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 12 GDPR]]<br />
<br />
==References==<br />
<references /><br />
→ [https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)]<br />
[[Category:GDPR Articles]]</div>10.90.129.11https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=7485Article 12 GDPR2020-01-20T16:26:56Z<p>10.90.129.11: </p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<center>'''Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject'''</center><span id="1"> 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.</span><br />
<br />
<span id="2"> 2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.</span><br />
<br />
<span id="3"> 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.</span><br />
<br />
<span id="4"> 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.</span><br />
<br />
<span id="5"> 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:</span><br />
<br />
:<span id="5a"> (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or</span><br />
:<span id="5b">(b) refuse to act on the request.</span><br />
<br />
<span id=""> The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.</span><br />
<br />
<span id="6"> 6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.</span><br />
<br />
<span id="7"> 7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.</span><br />
<br />
<span id="8"> 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r39"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 39:''' Lawful and fair processing</div><br />
<div class="mw-collapsible-content"><br />
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.<br />
</div></div><br />
<br />
<span id="r57"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 57:''' Processing which does not require identification</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div><br />
<br />
<span id="r58"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 58:''' Requirements, form and structure of the information</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div><br />
<br />
<span id="r59"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 59:''' Facilitate the exercise of data subject's rights</div><br />
<div class="mw-collapsible-content"><br />
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.<br />
</div></div><br />
<br />
<span id="r60"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 60:''' Information provision </div><br />
<div class="mw-collapsible-content"><br />
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.<br />
</div></div><br />
<br />
<span id="r64"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div>'''Recital 64:''' Verification of the data subject's identity</div><br />
<div class="mw-collapsible-content"><br />
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.<br />
</div></div><br />
<br />
==Commentary==<br />
<br />
===(1) Requirements of the information in the GDPR===<br />
In describing the general requirements of the information to be provided to the user, paragraph 1 refers to Articles 13, 14, 15 to 22 and 34 of the GDPR. Considered together, these provisions exhaust all the cases of communication and information provided by the controller to the data subject. <br />
<br />
It follows that, no matter whether the information refers to a forthcoming processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. <br />
<br />
====Conciseness====<br />
Controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use. <br />
<br />
The use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to access immediately, rather than having to scroll through large amounts of text searching for particular issues.<br />
<br />
====Transparency====<br />
A data subject should be able to determine in advance what the scope and consequences of the processing entail, and should not be taken by surprise at a later point about the ways in which their personal data have been used (Recital 39). <br />
<br />
In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.<br />
<br />
====Intelligibility====<br />
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.<br />
<br />
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.<br />
<br />
====Easily accessible form====<br />
The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).<br />
<br />
====Clear and plain language====<br />
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. <br />
<br />
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.<br />
<br />
====Forms of the information====<br />
Under [[Article 12 GDPR#1|Article 12(1)]], the default provision of information to, or communications with, data subjects should be done in writing (also, according to [[Article 12 GDPR#7|Article 12(7)]], in combination with standardised icons).<br />
<br />
However, the GDPR also allows for other, unspecified “means” including electronic means to be used. WP29’s position with regard to written electronic means is that where a data controller maintains (or operates, in part or in full, through) a website, WP29 recommends the use of layered privacy statements/ notices, which allow website visitors to navigate to particular aspects of the relevant privacy statement/ notice that are of most interest to them.<br />
<br />
Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.<br />
<br />
“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).<br />
<br />
[[Article 12 GDPR#1|Article 12(1)]] specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient assurance. <br />
<br />
===(2) Exercise of rights===<br />
The exercise of rights by the data subject is one of the distinctive aspects of the Regulation. Only full recognition of these rights enables the data subject to control his or her personal data. This objective requires broad protection, which the legislator provides by laying down rules aimed at facilitating the exercise of rights by the data subject. <br />
<br />
===(3) Time limit===<br />
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.<br />
<br />
===(4) No actions taken by the controller===<br />
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.<br />
<br />
===(5) Free of charge===<br />
Under [[Article 12 GDPR#5|Article 12(5)]], data controllers cannot generally charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). This aspect of transparency also means that any information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.<br />
<br />
====Exceptions====<br />
Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, if the requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable expense contribution ([[Article 12 GDPR#5|Article 12(5)]]). This is clearly an exception to the rule which, as such, must be interpreted restrictively.<br />
<br />
If the request is not manifestly unfounded or repetitive, the controller cannot charge any fee, regardless of whether a fee was provided for in the contract terms. GDPR rights are strictly personal rights and cannot be waived or assigned by the data subject by accepting an electronically signed contract.<br />
<br />
====Burden of proof====<br />
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.<br />
<br />
=== (6) Verifying the data subject ===<br />
The identification of the data subject is one of the most delicate aspects of the Regulation. In many cases, in fact, the controller rejects users' requests because of alleged problems related to their identification. <br />
<br />
From a strictly conceptual point of view, the question is simple: all processing of personal data presupposes the existence of a given subject to whom rights are assigned. Consequently, the controller is obliged to respect those rights when a request is made. The problem arises when the controller has to verify the correspondence between the person exercising the right and the person to whom the data belong. In these cases, it is possible that the applicant disguises his/her identity and pretends to be the data subject, with the risk that, if the request is accepted, the data may be communicated to unauthorised persons. <br />
<br />
If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21, additional information may be requested to confirm the identity. In doing so, the controller may use "all reasonable measures" (Recital 64), including contacting the person via known contact details, such as a phone number or a postal address. In the context of online services, the authentication of the data subject can be pursued by providing a procedure for certifying the digital identification - for example, by sending a secret code, or a link containing a unique token, to the email address used for the registration.<br />
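Added example, not part of the gdprhub commentary or of any cited guidance: the e-mailed secret code described above, implemented as a single-use, time-limited challenge that is bound to the request and sent only to the address already on file. The class names, the 15-minute validity window and the attempt limit are assumptions.

```python
"""Identity verification for a data subject request by a one-time code
sent to the contact address already on file (the pattern described for
online services under Article 12(6) and Recital 64).

Added example; class names, the 15-minute validity window and the
attempt limit are assumptions, not values taken from the GDPR or WP29.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed validity window for the code
MAX_ATTEMPTS = 5              # assumed limit on wrong codes per request


@dataclass
class Challenge:
    request_id: str
    registered_email: str      # address taken from the controller's records
    code_hash: bytes           # only a hash is stored, never the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False


class IdentityVerifier:
    """Issues and checks one-time codes for data subject requests."""

    def __init__(self, clock=time.time, ttl: float = TOKEN_TTL_SECONDS) -> None:
        self._clock = clock
        self._ttl = ttl
        self._challenges: dict[str, Challenge] = {}
        # Stand-in for the mail system: (recipient, message) pairs.
        self.outbox: list[tuple[str, str]] = []

    @staticmethod
    def _digest(request_id: str, code: str) -> bytes:
        # Binding the hash to the request id means a code issued for one
        # request cannot be replayed against another.
        return hashlib.sha256(f"{request_id}:{code}".encode()).digest()

    def issue(self, request_id: str, registered_email: str) -> str:
        """Create a fresh code for the request and queue it for delivery.

        The code goes to the address on file, not to an address supplied
        in the request, so the requester must control that mailbox. The
        code is returned only so the caller can hand it to the mail system.
        """
        code = secrets.token_urlsafe(32)
        self._challenges[request_id] = Challenge(
            request_id=request_id,
            registered_email=registered_email,
            code_hash=self._digest(request_id, code),
            expires_at=self._clock() + self._ttl,
        )
        self.outbox.append(
            (registered_email, f"Verification code for request {request_id}: {code}")
        )
        return code

    def verify(self, request_id: str, presented: str) -> tuple[bool, str]:
        """Check a presented code; every refusal carries a reason the
        controller can record and, where appropriate, pass on."""
        ch = self._challenges.get(request_id)
        if ch is None:
            return False, "unknown request"
        if ch.used:
            return False, "code already used"
        if self._clock() > ch.expires_at:
            return False, "code expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        ch.attempts += 1
        # Constant-time comparison so response timing reveals nothing
        # about how much of the hash matched.
        if not hmac.compare_digest(self._digest(request_id, presented), ch.code_hash):
            return False, "code mismatch"
        ch.used = True
        return True, "identity confirmed"


def demo() -> tuple[bool, str]:
    """Constructed run: issue a code for one request and verify it."""
    verifier = IdentityVerifier()
    code = verifier.issue("DSAR-0001", "subject@example.invalid")
    return verifier.verify("DSAR-0001", code)


if __name__ == "__main__":
    print(demo())
```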
<br />
===(7) Standardised icons===<br />
The GDPR provides for visualisation tools (referencing in particular icons, certification mechanisms, and data protection seals and marks) where appropriate. Recital 58 indicates that the accessibility of information addressed to the public or to data subjects is especially important in the online environment.<br />
<br />
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.<br />
<br />
===(8) Information to be presented by the icons===<br />
The GDPR assigns responsibility for the development of a code of icons to the Commission, but ultimately the European Data Protection Board may, either at the request of the Commission or of its own accord, provide the Commission with an opinion on such icons. WP29 recognises that, in line with Recital 166, the development of a code of icons should be centred upon an evidence-based approach, and in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 12 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>10.90.129.11https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=6677Article 12 GDPR2020-01-17T17:39:52Z<p>10.90.129.11: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 11 GDPR|←]] Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject [[Article 13 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<center>'''Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject'''</center><span id="1"> 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.</span><br />
<br />
<span id="2"> 2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.</span><br />
<br />
<span id="3"> 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.</span><br />
<br />
<span id="4"> 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.</span><br />
<br />
<span id="5"> 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:</span><br />
<br />
:<span id="5a"> (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or</span><br />
:<span id="5b">(b) refuse to act on the request.</span><br />
<br />
<span id=""> The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.</span><br />
<br />
<span id="6"> 6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.</span><br />
<br />
<span id="7"> 7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.</span><br />
<br />
<span id="8"> 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r39"><br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div>'''Recital 39:''' Lawful and fair processing</div><br />
<div class="mw-collapsible-content"><br />
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.<br />
</div></div></span><br />
<br />
<span id="r57"><br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div>'''Recital 57:''' Processing which does not require identification</div><br />
<div class="mw-collapsible-content"><br />
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.<br />
</div></div></span><br />
<br />
<span id="r58"><br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div>'''Recital 58:''' Requirements, form and structure of the information</div><br />
<div class="mw-collapsible-content"><br />
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.<br />
</div></div></span><br />
<br />
<span id="r59"><br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div>'''Recital 59:''' Facilitate the exercise of data subject's rights</div><br />
<div class="mw-collapsible-content"><br />
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.<br />
</div></div></span><br />
<br />
<span id="r60"><br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div>'''Recital 60:''' Information provision </div><br />
<div class="mw-collapsible-content"><br />
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.<br />
</div></div></span><br />
<br />
<span id="r64"><br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div>'''Recital 64:''' Verification of the data subject's identity</div><br />
<div class="mw-collapsible-content"><br />
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.<br />
</div></div></span><br />
<br />
==Commentary==<br />
<br />
=== (1) Requirements of the information in the GDPR ===<br />
In describing the general requirements of the information to be provided to the user, paragraph 1 refers to Articles 13, 14, 15 to 22 and 34 of the GDPR. Considered together, these provisions exhaust all the cases of communication and information provided by the controller to the data subject. <br />
<br />
It follows that, no matter whether the information refers to a forthcoming processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. <br />
<br />
==== Conciseness ====<br />
Controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use. <br />
<br />
The use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access, rather than having to scroll through large amounts of text searching for particular issues.<br />
<br />
==== Transparency ====<br />
A data subject should be able to determine in advance what the scope and consequences of the processing entail, and should not be taken by surprise at a later point about the ways in which their personal data have been used (Recital 39). <br />
<br />
In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.<br />
<br />
==== Intelligibility ====<br />
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. An accountable data controller will have knowledge about the people they collect information about, and they can use this knowledge to determine what that audience would likely understand.<br />
<br />
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.<br />
<br />
==== Easily accessible form ====<br />
The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).<br />
<br />
==== Clear and plain language ====<br />
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. <br />
<br />
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.<br />
<br />
==== Forms of the information ====<br />
Under [[Article 12 GDPR#1|Article 12(1)]], the default provision of information to, or communications with, data subjects should be done in writing (also, according to [[Article 12 GDPR#7|Article 12(7)]], in combination with standardised icons).<br />
<br />
However, the GDPR also allows for other, unspecified “means” including electronic means to be used. WP29’s position with regard to written electronic means is that where a data controller maintains (or operates, in part or in full, through) a website, WP29 recommends the use of layered privacy statements/ notices, which allow website visitors to navigate to particular aspects of the relevant privacy statement/ notice that are of most interest to them.<br />
<br />
Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.<br />
<br />
“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).<br />
<br />
[[Article 12 GDPR#1|Article 12(1)]] specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient assurance. <br />
<br />
=== (2) Exercise of rights ===<br />
The exercise of rights by the data subject is considered one of the distinctive aspects of the new regime. Only a full recognition of their rights makes it possible for the data subject to control their personal data. This objective requires broad protection, which the legislator provides by defining rules aimed at facilitating the exercise of rights by the user. <br />
<br />
=== (3) Time limit ===<br />
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.<br />
<br />
=== (4) No actions taken by the controller ===<br />
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.<br />
<br />
=== (5) Free of charge ===<br />
Under [[Article 12 GDPR#5|Article 12(5)]], data controllers cannot generally charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). This aspect of transparency also means that any information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.<br />
<br />
==== Exceptions ====<br />
Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, if the requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable expense contribution.<br />
<br />
Pursuant to [[Article 12 GDPR#5|Article 12(5)]], the controller may refuse the request, or claim a fee for expenses, only if the request is deemed to be manifestly unfounded or excessive, in particular because it is repetitive. This is clearly an exception to the rule which, as such, must be interpreted restrictively.<br />
<br />
Consequently, if the request is not manifestly unfounded or repetitive, the controller cannot charge any fee, regardless of whether one was provided for in the contract terms. GDPR rights are in fact highly personal rights and cannot be waived by the data subject by accepting an electronically signed contract term.<br />
<br />
==== Burden of proof ====<br />
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.<br />
<br />
=== (6) Verifying the data subject ===<br />
<br />
If the controller has reasonable doubts concerning the identity of a natural person making a request pursuant to GDPR, Articles 15 to 21, the controller may ask for additional information necessary to confirm the identity of the data subject. <br />
<br />
The background to this right of the controller is the risk that unauthorised third parties try to exercise the rights of data subjects. A reasonable doubt may exist, e.g. if a request is made via an unknown email address or user account. In such cases controllers are permitted, but not required, to request information as proof of identity before meeting the request.<br />
<br />
Should it turn out that the requesting party was not the data subject concerned, providing information to that person may be considered an unlawful transfer of personal data, which can be penalised under GDPR, Article 83, para 4 with administrative fines of up to 20,000,000 EUR or 4 % of the controller's total worldwide annual turnover. Documentation of the incoming requests, of the measures the controller took to check the lawfulness of the request (including the requester's identity), and of the measures taken to fulfil such requests will be essential to establish sufficient proof of the controller's GDPR compliance. <br />
<br />
To verify the requesting person's identity, the controller may, according to GDPR, Recital 64, use "all reasonable measures", in particular in the context of online services and online identifiers. Such reasonable measures may include contacting the data subject at their known postal address or, in the context of online services, relying on a digital identification of the data subject, for example through authentication mechanisms such as the same credentials used by the data subject to log in to the online service offered by the controller.<br />
<br />
Requesting a copy of the data subject's passport might exceed the appropriate extent, as the document provides more information than is usually needed. In some Member States, such as Germany, national law does not allow copying the data subject's passport or using such copies for identification purposes unless this is explicitly permitted under other applicable law. In view of the very general wording of GDPR, Article 12, para 6 (“additional information necessary to confirm the identity of the data subject”), it is unclear whether this rule would be accepted as a statutory authorisation to make copies of a passport.<br />
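The deadline rules of paragraphs (3) and (4) and the proportionate identity check of paragraph (6) can be combined into a small request-intake tracker. The following is an added illustration written for this commentary, not code from GDPRhub or from any controller; the channel names (<code>authenticated_account</code>, <code>unverified_email</code>) and the field names are assumptions chosen for the example. It counts the one-month period in calendar months, permits the two-month extension only while the first month is still running, treats a request made through the account the data subject already logs in to as verified (Recital 57), and, for an unknown sender, asks for confirmation via the registered account rather than for an identity document copy.

```python
# Added example (not GDPRhub's code): a minimal data subject request tracker
# for Art. 12(3)/(4) deadlines and Art. 12(6) identity checks.
# Channel values and field names are assumptions for illustration.
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length
    (31 January + 1 month -> 28/29 February), as a 'one month' period is
    normally counted for deadline tracking."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DataSubjectRequest:
    request_id: str
    article: int                       # right exercised (Articles 15 to 22)
    received: date
    channel: str                       # "authenticated_account" or "unverified_email" (assumed values)
    extension_reason: Optional[str] = None
    log: list[str] = field(default_factory=list)   # audit trail: requests, checks, measures taken

    @property
    def deadline(self) -> date:
        """Art. 12(3): one month from receipt, three months in total once extended."""
        return add_months(self.received, 3 if self.extension_reason else 1)


def extend(req: DataSubjectRequest, today: date, reason: str) -> bool:
    """Art. 12(3): the two-month extension must be notified, with reasons,
    within the first month; after that it can no longer be invoked."""
    if today > add_months(req.received, 1):
        req.log.append(f"{today}: extension refused, first month already elapsed")
        return False
    req.extension_reason = reason
    req.log.append(f"{today}: extended to {req.deadline}; reason: {reason}")
    return True


def identity_check(req: DataSubjectRequest) -> str:
    """Art. 12(6) with Recitals 57 and 64: a request made through the account the
    data subject already authenticates to needs no further proof. An unknown
    e-mail address is a reasonable doubt, so ask for additional information,
    limited to what is necessary (no passport copy by default)."""
    if req.channel == "authenticated_account":
        req.log.append("identity: verified via the existing login credentials")
        return "verified"
    req.log.append("identity: reasonable doubt (unknown sender); "
                   "ask requester to confirm through the registered account, not for ID copies")
    return "additional_info_needed"


def status(req: DataSubjectRequest, today: date) -> str:
    """Art. 12(3)/(4): once the deadline has passed without action, the data subject
    must be told the reasons and the complaint and judicial remedies available."""
    if today > req.deadline:
        return "overdue: notify data subject of reasons, supervisory authority complaint and judicial remedy"
    return f"open: respond by {req.deadline}"


if __name__ == "__main__":
    # Constructed sample requests, received 1 July 2021.
    r1 = DataSubjectRequest("R-1", 15, date(2021, 7, 1), "authenticated_account")
    print(identity_check(r1), r1.deadline)          # verified 2021-08-01
    extend(r1, date(2021, 7, 20), "large volume of records across several systems")
    print(status(r1, date(2021, 8, 15)))            # still open, deadline 2021-10-01
    r2 = DataSubjectRequest("R-2", 17, date(2021, 7, 1), "unverified_email")
    print(identity_check(r2), extend(r2, date(2021, 8, 5), "late"), status(r2, date(2021, 8, 5)))
    print("\n".join(r1.log + r2.log))
```

The audit log kept on each request is the documentation the text above calls essential: it records which identity evidence was relied on and when any extension was notified, so the controller can later show that a request was handled lawfully and in time.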
<br />
=== (7) Standardised icons ===<br />
The GDPR provides for visualisation tools (referencing, in particular, icons, certification mechanisms, and data protection seals and marks) where appropriate. Recital 58 indicates that the accessibility of information addressed to the public or to data subjects is especially important in the online environment.<br />
<br />
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.<br />
<br />
=== (8) Information to be presented by the icons ===<br />
The GDPR assigns responsibility for the development of a code of icons to the Commission, but ultimately the European Data Protection Board may, either at the request of the Commission or of its own accord, provide the Commission with an opinion on such icons. WP29 recognises that, in line with Recital 166, the development of a code of icons should be centred upon an evidence-based approach, and that in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 12 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
<br />
[[Category:GDPR Articles]]</div>

https://gdprhub.eu/index.php?title=Data_Protection_in_Italy&diff=6587 Data Protection in Italy (2020-01-17T15:21:17Z)
<p>10.90.129.11: /* Constitutional Court */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
!colspan="2"|Data Protection in Italy [[Category:Country Overview]]<br />
|-<br />
|colspan="2"|[[File:it.png|center|250px]]<br />
|-<br />
| Data Protection Authority: || [[Garante per la protezione dei dati personali (Italy)]]<br />
|-<br />
| National Implementation Law (Original): || [https://www.garanteprivacy.it/codice Codice in materia di protezione dei dati personali]<br />
|-<br />
| English Translation of National Implementation Law: || n/a<br />
|-<br />
| Official Language(s): || Italian<br />
|-<br />
| National Legislation Database(s): || [https://www.normattiva.it/ Link]<br />
|-<br />
| English Legislation Database(s): || n/a<br />
|-<br />
| National Decision Database(s): || [http://www.italgiure.giustizia.it/ Link]<br />
|}<br />
<br />
==Legislation==<br />
===History===<br />
The first organic regulation of the Italian data protection framework was provided by law [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/28335 n. 675/96], implementing [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A31995L0046 Directive 95/46/EC]. <br />
<br />
Law n. 675/96 has then been replaced by Legislative Decree 196/2003 ([https://www.gazzettaufficiale.it/atto/vediMenuHTML?atto.dataPubblicazioneGazzetta=2003-07-29&atto.codiceRedazionale=003G0218&tipoSerie=serie_generale&tipoVigenza=originario Codice in materia di protezione dei dati personali] or the "Code"), which has defined the core of privacy in Italy for more than two decades.<br />
<br />
===National constitutional protections===<br />
The Italian Constitution does not expressly refer to a right to privacy or data protection. However, building on Articles 14 (inviolability of domicile) and 15 (confidentiality of correspondence), both the Constitutional Court (Dec. n. 81/1993) and the Supreme Court of Cassation (Dec. n. 2129/1975 - Soraya) have consistently defined privacy as a fundamental human right.<br />
<br />
===National GDPR implementation law===<br />
In Italy the GDPR is implemented by the ''Codice in materia di protezione dei dati personali''. Following the introduction of the GDPR, the Code has undergone a considerable modification by Legislative Decree 101/18. The adaptation decree repealed most of the previous provisions and integrated the national legislation with the new Regulation.<br />
<br />
==== Age of consent ====<br />
Under Article 2-quinquies of the Code, a child over the age of fourteen may consent to the processing of his/her personal data in relation to the direct offer of information society services. Without prejudice to Article 8(1) GDPR, for a child under the age of fourteen, consent is only valid if provided by the person exercising parental responsibility.<br />
<br />
==== Freedom of Speech ====<br />
The Code contains a specific discipline regarding the processing of personal data for journalistic purposes.<br />
<br />
In particular, Article 137 of the Code provides that personal data, including those referred to in Articles 9 and 10 of the Regulation, may also be processed without the consent of the data subject, provided that the deontological rules referred to in Article 139 of the Code are respected.<br />
<br />
On 29 November 2018, the Garante adopted the [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9067692 Regole deontologiche relative al trattamento di dati personali nell’esercizio dell’attività giornalistica]. <br />
<br />
==== Employment context ====<br />
The Privacy Code contains specific rules on the processing of data in the context of the employment relationship.<br />
<br />
In application of Article 88 of the GDPR, Article 111 of the Code provides that such data shall be processed in accordance with the rules of ethics referred to in Article 139 of the Code. These rules have not yet been adopted.<br />
<br />
Article 113 of the Code prohibits any investigation or processing of data or pre-selection of workers, even with their consent, on the basis of personal beliefs, trade union or political affiliation, and similar matters. <br />
<br />
Article 114 of the Code refers to the ''Statuto dei lavoratori'' and sets a general prohibition on the use of audio-visual and other technical equipment for the purpose of monitoring the activity of employees. <br />
<br />
Article 115 protects the working conditions, integrity and personality of the domestic or remote worker.<br />
<br />
==== Research ====<br />
In accordance with Article 105 of the Code, personal data processed for statistical or scientific research purposes may not be used to take decisions or measures relating to the data subject, nor for other purposes. <br />
<br />
Statistical and scientific research purposes must be clearly determined and made known to the data subject, in the manner set out in Articles 13 and 14 of the Regulation, including in relation to the provisions of the relevant code of ethics (see also Article 106, paragraph 2, letter b) of the Code).<br />
<br />
====Other relevant national provisions and laws====<br />
''You can help us fill this section!''<br />
<br />
===National ePrivacy Law===<br />
Italy has implemented Directive 2002/58/EC (as amended by Directive 2009/136/EC) mainly in Articles 121 to 132-quater of the Code. <br />
<br />
Cookies are regulated in Article 122 of the Code.<br />
<br />
Spam Emails and other types of advertisement are regulated in Article 130 of the Code.<br />
<br />
==Data Protection Authority==<br />
The Italian Data Protection Authority (''Garante per la protezione dei dati personali'') is the national data protection authority for Italy.<br />
<br />
→ Details see [[Garante per la protezione dei dati personali (Italy)]]<br />
<br />
==Judicial protection==<br />
===Civil Courts===<br />
Disputes concerning the protection of personal data are heard before a civil court. The competent court is either the court of the place where the data controller resides or has its seat, or the court of the place of residence of the data subject.<br />
<br />
An appeal against a decision of the DPA, including decisions issued following a complaint by the interested party, must be lodged, on pain of inadmissibility, within thirty days from the date of communication of the measure, or within sixty days if the claimant resides abroad.<br />
<br />
===Administrative Courts===<br />
''You can help us fill this section!''<br />
<br />
===Constitutional Court===<br />
The Italian Constitutional Court has no specific jurisdiction over the data protection framework. The Court can of course invalidate any national legislative act that violates the Constitution, including where the violation arises through a breach of European law.</div>10.90.129.11