Article 12 GDPR
Legal Text
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- (b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
Relevant Recitals
Commentary on Article 12
Article 12 GDPR primary goal is to ensure the efficient exercise of the data subject’s access and information rights under the Regulation. To do so, the provision provides for clarity and accessibility standards regarding the communications with the data subject. Article 12 also lays down technical and procedural rules with regard to the flow of information between the data subject and the controller. This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can serve their purpose only if supported by clear information as well as proportionate and effective procedures.[1]
(1) Requirements of Information in the GDPR
In describing the general requirements of information to be provided to the user, Article 12(1) GDPR refers to Articles 13, 14, 15 to 22 and 34 GDPR. Considered together, these provisions list all communication and information obligations by the controller to the data subject. It follows that no matter whether the information refers to future processing, as in Articles 13 or 14 GDPR, or to existing processing, as in Articles 15 to 22 GDPR, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language." Such requirements shall be even more observed “for any information addressed specifically to a child”.
Conciseness
The essential aspects of the processing must be presented concisely. This is intended to prevent a communication from being too much detailed, since those data subjects generally have only a limited focus capacity. In other words, controllers should present the information/communication in such a way as to avoid information fatigue.[2] For example, the use of a layered privacy statement may present the relevant section the data subject is most interested to instead of providing them with a monolithic notice.
Transparency
A data subject should be able to determine in advance what the scope and consequences of the processing entails and they should not be surprised at a later point about the ways in which their personal data has been used (Recital 39 GDPR).
For complex, technical or unexpected data processing, the WP29's position is that, in addition to providing the prescribed information under Articles 13 and 14 GDPR, controllers should also separately spell out (in unambiguous language) what the most important consequences of the processing will be.[3]
It follows that, if a controller (e.g. provider of a website) uses software about whose functioning it does not have enough information (e.g. because the manufacturer of this software does not disclose it), or does not understand it (so that he can not fulfill his duty to inform the data subject), it should refrain from using the software.[4]
Intelligibility
The requirement that information is “intelligible” means that it should be understandable by an average member of the intended audience. An accountable data controller will have knowledge on the people that they collect information about and can use this knowledge to determine what that audience would likely understand.
In other words, the information must aim at the effective awareness of the data subject, who can only then make free choices with regard to the processing of his personal data. The legal elements in this sense appear to be quite unambiguous. In the first place, the overall logic of the GDPR and of the system of personal data protection points in this direction. If information were to be understood as a mere heap of data, the rights of access, rectification and objection would be meaningless. There are also further specific elements that point to a substantive conception of information. For instance, Recitals 39 and 58 require that information must not only be clear, but also 'easy to understand'. The EU Court of Justice seems to go in the same direction, criticising the behaviour of a controller "in the absence of any indications confirming that that clause was actually read and digested".[5]
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, amongst other options (Article 35(9) GDPR).
Easily Accessible Form
The data subject should not have to seek out the information. It should be immediately apparent where and how information can be accessed. The controller can provide data subjects with information directly, linking them to it, or clearly signpost information as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, in an interactive digital context through a chatbot interface, etc).[6]
Clear and Plain Language
With written information (and where information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear communication should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations.
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use vague language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.[7]
Another aspect concerns the language used for the communication. The GDPR does not expressly regulate the matter although it is clear that the level of intelligibility of an information is directly linked to the user’s capacity of understanding a certain language.
Forms of the Information
Under Article 12(1) GDPR, information should be shall be provided in writing, or by other means, including, where appropriate, by electronic means. Thus, by default, provision of information to, or communications with, data subjects should be done in writing.
However, the GDPR also allows for other, unspecified “means” including electronic means, to be used. If, for instance, a data controller operates a website, a written notice is not necessary and electronic forms are to be preferred. In such cases, the use of a webpage containing the information will serve the purpose adequately. The WP29 suggests the implementation of layered privacy statements/notices which allow website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them.[8]
The use of a layered approach is not the only option available. Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts. “Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts.[9]
The WP29 also points out that it is critical that the method(s) chosen fits the particular circumstances. For example, if a certain device does not have a screen, it does not seem appropriate to only provide the information in electronic written format. In such cases, viable alternatives should be considered, for example providing a printed privacy statement inside the device package or the URL website address where the privacy notice can be found.[10]
Finally, the Regulation also expressly permits the data subjects to be provided with oral information, but only under two conditions: the data subject must request this and the controller must have otherwise verified the data subject’s identity.[11]
(2) Exercise of Rights
The controller should help the data subject exercise their rights . Only a full recognition of their rights makes it possible for the data subject to control their personal data.
(3) Time Limit
The controller must act on any request by the data subject under Articles 15 to 22 GDPR as soon as possible ("without undue delay") and in any event within one month.
That period may be extended by two further months where necessary if the requests are complex or numerous such that they cannot be answered within one month. A controller cannot extend the duration simply because inadequate internal organisation prevents them from complying in a timely manner.
In any case, where a controller is unable to comply within the one month deadline, the controller must inform the data subject within one month of receiving the request of the reasons for the delay.
The manner information is provided to the data subject should mirror the manner the data subject made the request, unless otherwise specified by the data subject. For example, an electronic request by the data subject should typically be responded to electronically.
(4) Failure to Act on the Request
If, for whatever reason, a controller does not act on the data subject's request, they must inform the data subject as soon as possible and at the latest within one month of receiving the request, as well as the reasons why the controller decided to not act on the data subject's request. They must also tell the data subject about their right to lodge a complaint with a supervisory authority or to seek a judicial remedy.
(5) Free of charge
Under Article 12(5) GDPR, controllers may generally not charge data subjects for the provision of information under Articles 13 and 14 GDPR, or for communications and actions taken under Articles 15 - 22 GDPR (on the rights of data subjects) and Article 34 GDPR (communication of personal data breaches to data subjects). Flowing from the principle of transparency, the provision of such information cannot be made conditional upon financial transactions, for example the payment for services or goods. There are, however, exceptions to the requirement that the exercise of GDPR rights, such as obtaining information, be free of charge.
(a) Reasonable Fee
If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception to the rule must be interpreted restrictively in order to not infringe upon the data subject's right to information.
Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even if a fee was provided for in the contract terms. GDPR rights are personal rights and as such cannot be signed away by the data subject.
(b) Refuse to Act
Alternatively, if requests are manifestly unfounded or excessive, the controller can refuse to act on the request.
For both exceptions to the rule that controllers respond to access requests free of charge, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
(6) Verifying the Data Subject
In practice, controllers often reject user requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft.
If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21 GDPR, additional information may be requested to confirm identity. In doing so, the controller may use "all reasonable measures" (Recital 64 GDPR), including contacting them via known contact details, such as a phone number or a postal address, to verify their identity.
In the context of online services, the data subject can be authenticated by, for example, sending a secret code, a link containing a unique token to their email address, or other contact method used for the registration.
(7) Standardised Icons
The GDPR provides for visualisation tools (referencing in particular, icons, certification mechanisms, and data protection seals and marks) where appropriate.
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the controller’s obligations under Articles 13 and 14 GDPR.
(8) Code of Icons
The Commission may determine the information to be displayed by icons and the procedures for providing standardised icons. The competence does not include the binding establishment of specific icons. In line with Recital 166 GDPR the development of a code for icons should be centered upon an evidence-based approach. Prior to any such standardisation it will be necessary for research on the efficacy of icons to be conducted.
Decisions
→ You can find all related decisions in Category:Article 12 GDPR
References
- ↑ Polčák, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 12 GDPR, p. 1046 (Oxford University Press 2020).
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (Beck, 2nd edition 2018) (accessed 13 January 2022).
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 7.
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 12 (Beck 2019) (accessed 13 January 2022).
- ↑ CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 8
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 9
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 11
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 12
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 12
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (Beck 2019) (accessed 13 January 2022)