Article 12 GDPR

← Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Relevant Recitals

Recital 11: Strengthening of Rights and Enforcement

Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

Recital 39: Principles of Data Processing

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 57: Additional Information for Identification

If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

Recital 58: Modalities for Transparent Information Provision

The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights

Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 60: Information Requirements

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Recital 63: Modalities and Scope of Right of Access

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Recital 73: Restrictions by Member States

Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Recital 166: Delegated Acts

In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

Commentary on Article 12

Article 12 GDPR primary goal is to ensure the efficient exercise of the data subject’s access and information rights under the Regulation. To do so, the provision provides for clarity and accessibility standards regarding the communications with the data subject. Article 12 also lays down technical and procedural rules with regard to the flow of information between the data subject and the controller. This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can serve their purpose only if supported by clear information as well as proportionate and effective procedures.^[1]

(1) Requirements of Information in the GDPR

In describing the general requirements of information to be provided to the user, Article 12(1) GDPR refers to Articles 13, 14, 15 to 22 and 34 GDPR. Considered together, these provisions list all communication and information obligations by the controller to the data subject. It follows that no matter whether the information refers to future processing, as in Articles 13 or 14 GDPR, or to existing processing, as in Articles 15 to 22 GDPR, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language." Such requirements shall be even more observed “for any information addressed specifically to a child”.

Conciseness

The essential aspects of the processing must be presented concisely. This is intended to prevent a communication from being too much detailed, since those data subjects generally have only a limited focus capacity. In other words, controllers should present the information/communication in such a way as to avoid information fatigue.^[2] For example, the use of a layered privacy statement may present the relevant section the data subject is most interested to instead of providing them with a monolithic notice.

Transparency

A data subject should be able to determine in advance what the scope and consequences of the processing entails and they should not be surprised at a later point about the ways in which their personal data has been used (Recital 39 GDPR).

For complex, technical or unexpected data processing, the WP29's position is that, in addition to providing the prescribed information under Articles 13 and 14 GDPR, controllers should also separately spell out (in unambiguous language) what the most important consequences of the processing will be.^[3]

It follows that, if a controller (e.g. provider of a website) uses software about whose functioning it does not have enough information (e.g. because the manufacturer of this software does not disclose it), or does not understand it (so that he can not fulfill his duty to inform the data subject), it should refrain from using the software.^[4]

Intelligibility

The requirement that information is “intelligible” means that it should be understandable by an average member of the intended audience. An accountable data controller will have knowledge on the people that they collect information about and can use this knowledge to determine what that audience would likely understand.

In other words, the information must aim at the effective awareness of the data subject, who can only then make free choices with regard to the processing of his personal data. The legal elements in this sense appear to be quite unambiguous. In the first place, the overall logic of the GDPR and of the system of personal data protection points in this direction. If information were to be understood as a mere heap of data, the rights of access, rectification and objection would be meaningless. There are also further specific elements that point to a substantive conception of information. For instance, Recitals 39 and 58 require that information must not only be clear, but also 'easy to understand'. The EU Court of Justice seems to go in the same direction, criticising the behaviour of a controller "in the absence of any indications confirming that that clause was actually read and digested".^[5]

If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, amongst other options (Article 35(9) GDPR).

Easily Accessible Form

The data subject should not have to seek out the information. It should be immediately apparent where and how information can be accessed. The controller can provide data subjects with information directly, linking them to it, or clearly signpost information as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, in an interactive digital context through a chatbot interface, etc).^[6]

Clear and Plain Language

With written information (and where information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear communication should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations.

In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use vague language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.^[7]

Another aspect concerns the language used for the communication. The GDPR does not expressly regulate the matter although it is clear that the level of intelligibility of an information is directly linked to the user’s capacity of understanding a certain language.

Forms of the Information

Under Article 12(1) GDPR, information should be shall be provided in writing, or by other means, including, where appropriate, by electronic means. Thus, by default, provision of information to, or communications with, data subjects should be done in writing.

However, the GDPR also allows for other, unspecified “means” including electronic means, to be used. If, for instance, a data controller operates a website, a written notice is not necessary and electronic forms are to be preferred. In such cases, the use of a webpage containing the information will serve the purpose adequately. The WP29 suggests the implementation of layered privacy statements/notices which allow website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them.^[8]

The use of a layered approach is not the only option available. Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts. “Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts.^[9]

The WP29 also points out that it is critical that the method(s) chosen fits the particular circumstances. For example, if a certain device does not have a screen, it does not seem appropriate to only provide the information in electronic written format. In such cases, viable alternatives should be considered, for example providing a printed privacy statement inside the device package or the URL website address where the privacy notice can be found.^[10]

Finally, the Regulation also expressly permits the data subjects to be provided with oral information, but only under two conditions: the data subject must request this and the controller must have otherwise verified the data subject’s identity.^[11]

(2) Obligation to Facilitate the Exercise of Rights

Under Article 12(2) GDPR the controller should facilitate the data subject in the exercise of their GDPR rights. The Regulation does not provide a definition of “facilitation” but, through Recital 59, warns the controller that “modalities should be provided for facilitating the exercise of the data subject's rights” and that these include “mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object”.

These “modalities” should cover the whole range of activities necessary to fully address a request. To begin, data subjects should be allowed to easily express their concerns and exercise their rights. This means allowing them to reach the controller and the DPO “in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)”^[12] The WP29 also points out that, “When appropriate, for purposes of communications with the public, other means of communications could also be provided (emphasis added)”.^[13]

Example: Take the case of a user who has requested full access to their data via email. After receiving the request, the controller learns that the amount of information is very high and likely not transmissible via email. In accordance with its obligation to facilitate the user, the controller may provide a dedicated internet page through which the user can select the part of the processing to which the request is directed. The user chooses the desired option and the controller addresses the request.

The final part of Article 12(2) states that the controller shall not refuse to act on the request of the data subject to exercise his or her rights, unless the controller demonstrates that it is not in a position to identify the data subject. In such circumstances, the data subject may, however, provide additional information enabling this identification (Article 11(2) GDPR). In order to allow the data subject to provide the additional information required to identify his or her data, the controller should inform the data subject of the nature of the additional information required to allow identification.

This provision, for the analysis of which reference is made to Article 11, presents interesting features in relation to the obligation to facilitate requests for the exercise of the right. It prevents the controller from adopting obstructive tactics relating to alleged "difficulties of identification" unless these actually exist. Consequently, all those attempts at verification which, while adding nothing in terms of security, require excessive efforts such as to discourage the user, become inadmissible - and do not constitute 'facilitation'.

Example: a user signs up to a social network by providing his or her email and generating a login password. After a few years of use, he decides to send an email login request because the information download tool provided by the controller does not provide certain information. Upon receipt of the email, the controller requests the user to send a scan of his identification document to verify the identity of the requesting party. This conduct constitutes a breach of the obligation to facilitate the exercise of rights. The controller may send a unique identification link to the address used by the user for registration.

(3) Time Limit and Form of the Request

Under Article 12(3) GDPR, the controller must act on any request by the data subject under Articles 15 to 22 GDPR as soon as possible ("without undue delay") and in any event within one month. That period may be extended by two further months where necessary if the requests are complex or numerous such that they cannot be answered within one month. A controller cannot extend the duration simply because inadequate internal organisation prevents them from complying in a timely manner. In any case, where a controller is unable to comply within the one month deadline, the controller must inform the data subject within one month of receiving the request of the reasons for the delay.^[14]

The final sentence of Article 12(3) specifies where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The provision of electronic means is not, however, an obligation for the controller. Nevertheless, Recital 63 GDPR expressly indicates that, where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to their personal data; therefore, encouraging the controller to facilitate the exercise of access requests.

(4) Failure to Act on the Request

If, for whatever reason, a controller does not act on the data subject's request, they must inform the data subject as soon as possible and at the latest within one month of receiving the request, as well as the reasons why the controller decided to not act on the data subject's request. They must also tell the data subject about their right to lodge a complaint with a supervisory authority or to seek a judicial remedy.

(5) Free of charge

Under Article 12(5) GDPR, controllers may generally not charge data subjects for the provision of information under Articles 13 and 14 GDPR, or for communications and actions taken under Articles 15 - 22 GDPR (on the rights of data subjects) and Article 34 GDPR (communication of personal data breaches to data subjects). Flowing from the principle of transparency, the provision of such information cannot be made conditional upon financial transactions, for example the payment for services or goods. There are, however, exceptions to the requirement that the exercise of GDPR rights, such as obtaining information, be free of charge.

However, if the request is manifestly unfounded or excessive, controllers may either charge a reasonable fee or refuse to act on the request. Such exceptions should be interpreted narrowly in order to not undermine the principle of transparency and gratuity of the request.^[15] In these cases, controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Article 12(5), third sentence, GDPR). Hence, it is recommended to ensure a proper documentation of the underlying facts.

Manifestly unfounded

A manifestly unfounded request exists if it lacks its basic requirements under the law and it is therefore “obvious”.^[16] For example, if an unauthorized person wants to assert the rights of the data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.^[17]

Excessive requests

There is no definition of the term “excessive” in the GDPR. On the one hand, the wording “in particular because of their repetitive character” in Art. 12(5) GDPR allows for the conclusion that the main scenario for application of this limb with regard to Art. 15 GDPR is linked to the quantity of requests of a data subject for the right of access. On the other hand, the aforementioned phrasing shows that other reasons that might cause excessiveness are not excluded a priori.^[18]

A data subject may certainly submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded or not. Controllers must take into account the particular circumstances of the single case carefully. In general, “The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive”.^[19] That said, other factors may and should be taken into account. For instance, the nature of the data, the purposed of the processing and whether the subsequent requests concern the same type of information or processing activities or different ones.^[20]

Another relevant factor is the nature of the communication channel between data subject and controller. For example, in case of access request, when it is possible to provide the information easily by electronic means or by remote access to a secure system, which means that complying with such requests actually doesn’t strain the controller, it is unlikely that subsequent requests can be regarded as excessive.^[21]

(a) Reasonable Fee

If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception to the rule must be interpreted restrictively in order to not infringe upon the data subject's right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even if a fee was provided for in the contract terms. Before charging a reasonable fee based on Art. 12(5) GDPR, controllers should provide an indication of their plan to do so to the data subjects. The latter have to be enabled to decide whether they will withdraw the request to avoid being charged.^[22]

(b) Refuse to Act

Alternatively, if requests are manifestly unfounded or excessive, the controller can refuse to act on the request. For both exceptions to the rule that controllers respond to access requests free of charge, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

(6) Verifying the Data Subject

In practice, controllers often reject user requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft.

If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21 GDPR, additional information may be requested to confirm identity. In doing so, the controller may use "all reasonable measures" (Recital 64 GDPR), including contacting them via known contact details, such as a phone number or a postal address, to verify their identity.

In the context of online services, the data subject can be authenticated by, for example, sending a secret code, a link containing a unique token to their email address, or other contact method used for the registration.^[23] Further information about this can be found in the commentary under Article 11 GDPR.

(7) Standardised Icons

The GDPR provides for visualisation tools (referencing in particular, icons, certification mechanisms, and data protection seals and marks) where appropriate. However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the controller’s obligations under Articles 13 and 14 GDPR.

(8) Code of Icons

The Commission may determine the information to be displayed by icons and the procedures for providing standardised icons. The competence does not include the binding establishment of specific icons. In line with Recital 166 GDPR the development of a code for icons should be centered upon an evidence-based approach. Prior to any such standardisation it will be necessary for research on the efficacy of icons to be conducted.

Decisions

→ You can find all related decisions in Category:Article 12 GDPR

References

↑ Polčák, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 12 GDPR, p. 1046 (Oxford University Press 2020).
↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (Beck, 2nd edition 2018) (accessed 13 January 2022).
↑ WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 7.
↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 12 (Beck 2019) (accessed 13 January 2022).
↑ CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).
↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 8
↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 9
↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 11
↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 12
↑ WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 12
↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (Beck 2019) (accessed 13 January 2022)
↑ WP29, Guidelines on Data Protection Officers (‘DPOs’), WP243, p. 12.
↑ WP29, Guidelines on Data Protection Officers (‘DPOs’), WP243, p. 12.
↑ Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, pp. 16-17 (available here).
↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 51
↑ In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 51.
↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (Beck, 2nd edition 2018) (accessed 8 February 2022).
↑ See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 52.
↑ See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 52.
↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 52.
↑ Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 54-55.
↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 57.
↑ According to the WP29 Guidelines on Data Portability endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 Guidelines on the right to data portability - endorsed by the EDPB, p. 14

[1] Polčák, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 12 GDPR, p. 1046 (Oxford University Press 2020).

[2] Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (Beck, 2nd edition 2018) (accessed 13 January 2022).

[3] WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 7.

[4] Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 12 (Beck 2019) (accessed 13 January 2022).

[5] CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).

[6] WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 8

[7] WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 9

[8] WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 11

[9] WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 12

[10] WP29, Guidelines on Transparency under Regulation 2016/679 (Rev01), 11 April 2018, p. 12

[11] Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (Beck 2019) (accessed 13 January 2022)

[12] WP29, Guidelines on Data Protection Officers (‘DPOs’), WP243, p. 12.

[13] WP29, Guidelines on Data Protection Officers (‘DPOs’), WP243, p. 12.

[14] Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, pp. 16-17 (available here).

[15] EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 51

[16] In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 51.

[17] Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (Beck, 2nd edition 2018) (accessed 8 February 2022).

[18] See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 52.

[19] See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 52.

[20] EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 52.

[21] Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 54-55.

[22] EDPB, Guidelines 01/2022 on data subject rights - Right of access, 18.1.2022, p. 57.

[23] According to the WP29 Guidelines on Data Portability endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 Guidelines on the right to data portability - endorsed by the EDPB, p. 14

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]