Article 12 GDPR: Difference between revisions
Line 250: | Line 250: | ||
==== Shall facilitate ==== | ==== Shall facilitate ==== | ||
The use of the term "facilitate" implies a proactive approach by the controller, who must take any action and implement any measure to ease the exercise of GDPR rights.<ref>''Paal, Hennemann'', in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).</ref> The Regulation does not define the notion of “''facilitation''”, but warns the controller that “''modalities should be provided for facilitating the exercise of the data subject's rights.''”<ref>This includes “''mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object''” (Recital 59). </ref> These “''modalities''” should cover the whole range of activities necessary to fully address a request. <blockquote><u>EDPB</u>: Specifically, "''the controller should always be able to demonstrate, that the way to handle the request aims to give the broadest effect to the right of access and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR).''" [F'''N, Access, 16'''] </blockquote> | The use of the term "facilitate" implies a proactive approach by the controller, who must take any action and implement any measure to ease the exercise of GDPR rights.<ref>''Paal, Hennemann'', in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).</ref> The Regulation does not define the notion of “''facilitation''”, but warns the controller that “''modalities should be provided for facilitating the exercise of the data subject's rights.''”<ref>This includes “''mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object''” (Recital 59). </ref> These “''modalities''” should cover the whole range of activities necessary to fully address a request. <blockquote><u>EDPB</u>: Specifically, "''the controller should always be able to demonstrate, that the way to handle the request aims to give the broadest effect to the right of access and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR).''" [F'''N, Access, 16'''] </blockquote>Data subjects should be allowed to reach the controller and its DPO “''in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)''”.<ref>The WP29 also points out that, “''[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided''”. WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available [https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 here]).</ref> Once the request is received, the controller should be able to handle it internally as efficiently as possible, and ensuring the request is handled by the appropriate department. <blockquote><u>EDPB</u>: [T]he EDPB recommends, as good practice, that controllers introduce, where possible, mechanisms to improve internal communication between employees on requests received by those who may not be competent to deal with such requests. In order to facilitate the exercise of data subjects’ rights. </blockquote>Covered by the obligation to facilitate the request is any preliminary activity that the controller is required to perform in order to respond. This certainly includes the data subject authentication phase. In particular, all practices that tend to make user authentication more complex than strictly necessary are incompatible with the obligation to facilitate.<blockquote><u>EDPB</u>: The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at identifying the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).</blockquote>Any subsequent interaction that the controller feels it must have with the data subject in order to complete the request must also be facilitated. This dynamic, however, must once again be marked by the principle of fairness and must not result in unnecessary "ping-pongs" whose only goal is to prevent the data subject from obtaining the response. <blockquote>EDPB: It is important to underline that the request for specification shall not aim at a limitation of the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller of course has to provide it in full. </blockquote><s>Finally, controllers must facilitate users in providing them with the final response. by using simple and clear language and layouts. The correlation with the principle of transparency is clear. A concise, comprehensive, easily accessible response inevitably facilitates the data subject, not only in immediately understanding the response, but also in enabling him or her to guide his or her future choices, such as filing an Article 77 GDPR complaint.</s><blockquote><s>EDPB: Therefore, in order to facilitate the exercise of data subjects’ rights in line with Art. 12(2), the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation. In any event, the principle of transparent processing requires that the informat ion on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice). [36]</s> | ||
<s>Example: Take the case of a user who has requested full access to their data via email. After receiving the request, the controller learns that the amount of information is very high and likely not transmissible via email. In accordance with its obligation to facilitate the request, the controller may provide a dedicated internet page through which the user can select the part of the processing to which it is directed. The user can then choose the desired option for the controller to address the request.</s></blockquote> | |||
==== Data subject requests always addressed unless identification is impossible ==== | ==== Data subject requests always addressed unless identification is impossible ==== |
Revision as of 16:17, 22 March 2023
Legal Text
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- (b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
Relevant Recitals
Commentary
Article 12 GDPR ensures the efficient exercise of the data subject’s rights. To do so, it regulates clarity and accessibility standards regarding communications with the data subject. It also lays down procedural rules with regard to the flow of information between the data subject and the controller. This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can only serve their purpose when supported by clear information as well as proportionate and effective procedures.[1]
EDPB Guidelines: on this Article, please see Transparency - WP29
(1) Requirements of information in the GDPR
Article 12(1) GDPR requires controllers to take appropriate measures to provide any information or communication under Articles 13, 14, 15 to 22 and 34 GDPR[2] in a manner, that is concise, transparent, intelligible and easily accessible, using clear and plain language.
Appropriate measures
A measure is 'appropriate' when it allows the controller to provide (i) complete information in (ii) a clear form. These two requirements are inextricably linked. Concise, transparent, complete and ultimately clear information can only result from an orderly, non-excessive, well-interconnected data processing system. In other words, the complexity of the processing does not authorise any derogation to the duty to provide complete and clear information under Article 12(1) GDPR.
EDPB: Instead the [controller's] assessment should aim at choosing the most appropriate method for providing all information covered by this right, depending on the specific circumstances in each case. As a consequence, a controller who processes a vast amount of data on a large scale must accept to undertake great efforts to ensure the right of access to the data subjects in a concise, transparent, intelligible and easily accessible form, by using plain and clear language. [FN, Access]
From this angle, a measure is not only a method of displaying information (i.e., a multi-layered privacy policy, a download tool, pup-up notifications) but also every method, internal policy, technical feature by which a controller is able to deliver complete information. This includes, for instance, measures to correctly authenticate the data subject, detect the content of the request and assign it to the responsible department. The same goes for internal policies and technical equipment enabling the controller to retrieve the data and perform any required operation as required (e.g. copy, rectification, deletion).
Last but not least, measures are also those defining the methods for communicating the response in a concise, transparent, intelligible and easily accessible way, using clear and plain language.
Conciseness
Information about the processing must be presented concisely. This is intended to prevent controllers from providing a too detailed description of the processing activity, as data subjects generally have very limited attention spans. Thus, controllers have a positive obligation to prevent data subjects from experiencing information overload.[3] For example, the use of a layered privacy statement may present the most relevant section to the data subject rather than providing them with an unconscionable notice.
EDPB: In an online context, the use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues. [FN]
Transparency
A data subject should be able to determine in advance what the scope and consequences of the processing entails and they should not be surprised at a later point about the ways in which their personal data has been used (Recital 39 GDPR).
Example: If a controller (e.g. provider of a website) does not have sufficient information about the functioning of software it uses (e.g. because the manufacturer of this software does not disclose it), or simply does not understand it (so that it cannot fulfil its duty to inform the data subject), it should refrain from using the software.[4]
For complex, technical or unexpected data processing, in addition to providing the prescribed information under Articles 13 and 14 GDPR, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.[5]
EDPB: in case of mobile apps, the privacy information in question should be specific to the particular app and should not merely be the generic privacy policy of the company that owns the app or makes it available to the public. [FN, § 11]
Intelligibility
Information is “intelligible” when it is understandable by an average member of the intended audience. Therefore, an accountable data controller must have an understanding of the people that it collects information about, which it should use to determine what they are likely to understand.
EDPB: For example, a controller collecting the personal data of working professionals can assume its audience has a higher level of understanding than a controller that obtains the personal data of children. [FN]
The main goal of transparency is the actual understanding of data processing operations. Recitals 39 and 58 GDPR require that information must not only be clear, but also “easy to understand”. Along these lines, the CJEU criticised the behaviour of a controller "in the absence of any indications confirming that that clause was actually read and digested".[6]
EDPB: If controllers are uncertain about the level of intelligibility, they can test these through mechanisms such as, inter alia, user panels, readability testing, as well as formal and informal dialogue with industry groups, consumer advocacy groups and regulatory bodies (Article 35(9) GDPR). [FN]
Easily Accessible Form
Under Article 12(1), controllers must provide any information to the data subject. The verb "provide" makes it clear that the controller must take every step necessary to provide that information. In other words, the data subject need not make any special effort to "seek" the information to which it is entitled. On the contrary, the controller will provide data subjects with direct links to the information, or clearly signpost information as an answer to a natural language question (e.g. in an online layered privacy statement, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, in an interactive digital context through a chatbot interface, etc.).[7]
EDPB: For apps, the necessary information should also be made available from an online store prior to download. Once the app is installed, the information still needs to be easily accessible from within the app. One way to meet this requirement is to ensure that the information is never more than “two taps away” (e.g. by including a “Privacy”/ “Data Protection” option in the menu functionality of the app). [FN]
Clear and plain language
The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures.[8] The information should be concrete as well as definitive, and should neither be phrased in abstract or ambivalent terms, nor leave room for diverging interpretations. In particular, the purposes of and legal basis for processing the personal data should be clear.[9]
Common misunderstanding: Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should be avoided. Where data controllers opt to use vague language, they should be able to, in accordance with the principle of accountability, demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.[10]
This requirement also affects the language used for the communication. Whilst the GDPR does not expressly regulate the matter, it is clear that the level of intelligibility of information is directly linked to the user’s capacity of understanding a certain language.
EDPB: Where the information is translated into one or more other languages, the data controller should ensure that all the translations are accurate and that the phraseology and syntax makes sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted. (A translation in one or more other languages should be provided where the controller targets15 data subjects speaking those languages.)
Form of the information
Under Article 12(1) GDPR, information “shall be provided in writing, or by other means, including, where appropriate, by electronic means.”
Written form is therefore the default option. However, where writing is not possible, other means can be used. For instance, if a data controller operates a website, a written notice is not necessary and electronic forms are to be preferred. In such cases, the use of a webpage containing the information will adequately serve the purpose.
The WP29 suggested the implementation of layered privacy statements which allow website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them.[11] The use of a layered approach is nonetheless not the only available option. Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts. “Other [not necessarily electronic] means” might include cartoons, infographics or flowcharts.[12] The method chosen by controllers must fit the particular circumstances. For example, if a certain device does not have a screen, providing information in an electronic written format would not make much sense. In such cases, alternatives are possible. For instance, controllers can provide a printed privacy statement inside the device package or redirect the data subject to the URL website address where the privacy notice can be found.[13]
Finally, the GDPR also expressly empowers data subjects to be provided orally, but only under two conditions: (i) the data subject must request oral information or communication and (ii) the controller must have otherwise verified the data subject’s identity.[14] The second requirement, (ii), only refers to cases where data subject's authentication is necessary. Consequently, it generally applies when a data subject exercises one of their GDPR rights (Articles 15 - 22) or when a communication of personal data breach is needed under Article 34 GDPR.
(2) Obligation to facilitate the exercise of rights
Under Article 12(2), first sentence, GDPR the controller must facilitate the data subject in the exercise of their GDPR rights.
Shall facilitate
The use of the term "facilitate" implies a proactive approach by the controller, who must take any action and implement any measure to ease the exercise of GDPR rights.[15] The Regulation does not define the notion of “facilitation”, but warns the controller that “modalities should be provided for facilitating the exercise of the data subject's rights.”[16] These “modalities” should cover the whole range of activities necessary to fully address a request.
EDPB: Specifically, "the controller should always be able to demonstrate, that the way to handle the request aims to give the broadest effect to the right of access and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR)." [FN, Access, 16]
Data subjects should be allowed to reach the controller and its DPO “in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)”.[17] Once the request is received, the controller should be able to handle it internally as efficiently as possible, and ensuring the request is handled by the appropriate department.
EDPB: [T]he EDPB recommends, as good practice, that controllers introduce, where possible, mechanisms to improve internal communication between employees on requests received by those who may not be competent to deal with such requests. In order to facilitate the exercise of data subjects’ rights.
Covered by the obligation to facilitate the request is any preliminary activity that the controller is required to perform in order to respond. This certainly includes the data subject authentication phase. In particular, all practices that tend to make user authentication more complex than strictly necessary are incompatible with the obligation to facilitate.
EDPB: The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at identifying the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).
Any subsequent interaction that the controller feels it must have with the data subject in order to complete the request must also be facilitated. This dynamic, however, must once again be marked by the principle of fairness and must not result in unnecessary "ping-pongs" whose only goal is to prevent the data subject from obtaining the response.
EDPB: It is important to underline that the request for specification shall not aim at a limitation of the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller of course has to provide it in full.
Finally, controllers must facilitate users in providing them with the final response. by using simple and clear language and layouts. The correlation with the principle of transparency is clear. A concise, comprehensive, easily accessible response inevitably facilitates the data subject, not only in immediately understanding the response, but also in enabling him or her to guide his or her future choices, such as filing an Article 77 GDPR complaint.
EDPB: Therefore, in order to facilitate the exercise of data subjects’ rights in line with Art. 12(2), the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation. In any event, the principle of transparent processing requires that the informat ion on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice). [36]Example: Take the case of a user who has requested full access to their data via email. After receiving the request, the controller learns that the amount of information is very high and likely not transmissible via email. In accordance with its obligation to facilitate the request, the controller may provide a dedicated internet page through which the user can select the part of the processing to which it is directed. The user can then choose the desired option for the controller to address the request.
Data subject requests always addressed unless identification is impossible
The final part of Article 12(2) GDPR states that the controller shall not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify the data subject. However, in such circumstances the data subject may provide additional information enabling their identification (Article 11(2) GDPR). In order to allow the data subject to provide this additional information, the controller should inform the data subject of the nature of what is required to allow identification. This provision, prevents the controller from adopting obstructive tactics relating to alleged "difficulties of identification" unless these actually exist. Consequently, all attempts at verification which require excessive efforts (while adding nothing in terms of security) become inadmissible - and do not constitute 'facilitation'. [Ref to Art. 11]
Example: a user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide to send an email login request because the information download tool provided by the controller does not provide certain information. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. This conduct constitutes a breach of the obligation to facilitate the exercise of rights. The controller may nonetheless send a unique identification link to the email address used by the user for registration.[18]
(3) Time limit and form of the request
Under Article 12(3) GDPR, the controller must act on any request by the data subject under Articles 15 to 22 GDPR as soon as possible ("without undue delay") and in any event within one month. That period may be extended by two months if the requests are so complex or numerous that they cannot be answered within one month. A controller cannot extend the duration simply because its inadequate internal organisation prevents them from complying with a request in a timely manner. In any case, when a controller is unable to comply with the one month deadline, it must inform the data subject of the reasons for the delay within one month of receiving the request.[19]
The final sentence of Article 12(3) specifies that where the data subject makes the request by electronic means, and unless otherwise requested by them, the information shall be provided in a commonly used electronic form. However, the provision of electronic means is not an obligation for the controller. Nevertheless, Recital 63 GDPR expressly indicates that, where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to their personal data. This is clearly intended to encourage controllers to facilitate the exercise of access rights.
(4) Failure to act on the request
If a controller does not act on the data subject's request, it must inform them why this is the case as soon as possible, and at the latest within one month of receiving the request. It must also tell the data subject about their right to lodge a complaint with a supervisory authority or to seek a judicial remedy.
(5) Free of charge
Under Article 12(5) GDPR, controllers may generally not charge data subjects for the provision of information under Articles 13 and 14 GDPR, or for communications and actions taken under Articles 15-22 GDPR (data subject rights) and Article 34 GDPR (communication of personal data breaches to data subjects). The principle of transparency requires that the provision of such information is not made conditional upon a financial transaction. There are exceptions to this rule, which should nonetheless be interpreted narrowly to avoid undermining the principle of transparency and gratuity of the request.[20] For instance, if the request is manifestly unfounded or excessive, controllers may either charge a reasonable fee or refuse to act on the request. In these cases, controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Article 12(5), third sentence, GDPR). Hence, controllers should maintain a proper documentation of the underlying facts.
Manifestly unfounded
A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore “obvious”.[21] For example, if an unauthorised person wants to assert the rights of a data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.[22]
Excessive requests
There is no definition of the term “excessive” in the GDPR. On the one hand, the wording “in particular because of their repetitive character” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject makes a large amount of access requests under Article 15 GDPR. On the other hand, the qualifier “in particular” indicates that other reasons that might cause excessiveness are not excluded a priori.[23]
A data subject may nonetheless undoubtedly submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive”.[24] That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.[25]
Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.[26]
(a) Reasonable fee
If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even it was provided for in the contract terms. Controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.[27]
(b) Refuse to act
Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. For both of the aforementioned exceptions to the no-fee rule, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
(6) Verifying the data subject
In practice, controllers often reject data subjects’ requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21 GDPR, additional information may be requested to verify their identity. The controller may use "all reasonable measures" to achieve this (Recital 64 GDPR), including contacting them via known contact details, such as their phone number or postal address. In the context of online services, the data subject can be authenticated, inter alia, by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.[28] Further information about this can be found in the commentary under Article 11 GDPR.
(7) Standardised icons
Information can also be provided visually, using certain kind of tools (e.g. icons, certification mechanisms, and data protection seals and marks). However, the use of icons should not replace the information needed by data subjects to enforce their rights, nor should they be used as a substitute to compliance with the controller’s obligations under Articles 13 and 14 GDPR. Instead, they could constitute an acceptable first layer of information. For example, an icon representing a lock might be used to signal that data is safely collected or encrypted. Whilst it is one of the EDPB’s tasks under Article 70(1)(r) to provide the Commission with an opinion on the icons, it has not yet published such a document.
(8) Code of icons
The Commission has the power to determine the information to be displayed by icons as well as the procedures for providing standardised icons. Its competence does not include the binding establishment of specific icons. Per Recital 166 GDPR, the process of developing a code of icons should involve the carrying out of consultations, and research on the efficacy of icons. Article 12(8) does not expressly specify whose responsibility it is to conduct such research, meaning standardised icons could come from either the Commission or standard-setting organisations.
Decisions
→ You can find all related decisions in Category:Article 12 GDPR
References
- ↑ Polčák, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020).
- ↑ Considered together, these provisions list all communication and information obligations the controller owes to the data subject.
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (C.H. Beck 2018, 2nd Edition).
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 7 (available here).
- ↑ CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 8 (available here).
- ↑ Best practices for clear communication should be followed regardless whether information is written, delivered orally, or by audio/audio-visual methods (including for vision-impaired data subjects).
- ↑ Recital 39: "The principle of transparency [...] concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed".
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 9 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 11-12 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available here).
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).
- ↑ Paal, Hennemann, in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).
- ↑ This includes “mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object” (Recital 59).
- ↑ The WP29 also points out that, “[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided”. WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available here).
- ↑ Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, pp. 16-17 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available here).
- ↑ In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 51 (available here).
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (C.H. Beck, 2nd Edition 2018).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available here, p. 54).
- ↑ Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), pp. 56-57 (available here).
- ↑ According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available here).