Difference between revisions of "Article 12 GDPR"

From GDPRhub
 
(7 intermediate revisions by 4 users not shown)
Line 208: Line 208:
 
==Relevant Recitals==
 
==Relevant Recitals==
 
<span id="r39">
 
<span id="r39">
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 39:''' Lawful and fair processing</div>
<div>'''Recital 39:''' Lawful and fair processing</div>
 
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
 
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
</div></div></span>
+
</div></div>
  
 
<span id="r57">
 
<span id="r57">
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 57:''' Processing which does not require identification</div>
<div>'''Recital 57:''' Processing which does not require identification</div>
 
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
 
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
</div></div></span>
+
</div></div>
  
 
<span id="r58">
 
<span id="r58">
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 58:''' Requirements, form and structure of the information</div>
<div>'''Recital 58:''' Requirements, form and structure of the information</div>
 
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
 
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
</div></div></span>
+
</div></div>
  
 
<span id="r59">
 
<span id="r59">
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 59:''' Facilitate the exercise of data subject's rights</div>
<div>'''Recital 59:''' Facilitate the exercise of data subject's rights</div>
 
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
 
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
</div></div></span>
+
</div></div>
  
 
<span id="r60">
 
<span id="r60">
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 60:''' Information provision </div>
<div>'''Recital 60:''' Information provision </div>
 
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
 
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
</div></div></span>
+
</div></div>
  
 
<span id="r64">
 
<span id="r64">
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px">
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 64:''' Verification of the data subject's identity</div>
<div>'''Recital 64:''' Verification of the data subject's identity</div>
 
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
 
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
</div></div></span>
+
</div></div>
 +
 
 +
<span id="r166">
 +
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 166:''' Delegated Acts of the Commission</div>
 +
<div class="mw-collapsible-content">
 +
In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
 +
</div></div>
  
 
==Commentary==
 
==Commentary==
  
=== (1) Requirements of the information in the GDPR ===
+
===Requirements of the information in the GDPR===
In describing the general requirements of the information to be provided to the user, paragraph 1 refers to Articles 13, 14, 15 to 22 and 34 of the GDPR. Considered together, these provisions exhaust all the cases of communication and information provided by the controller to the data subject.  
+
In describing the general requirements of the information to be provided to the user, Article 12(1) refers to Articles 13, 14, 15 to 22 and 34 of the GDPR. Considered together, these provisions list all cases of communication and information obligations by the controller to the data subject.  
  
It follows that, no matter whether the information refers to a forthcoming processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.  
+
It follows that no matter whether the information refers to future processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “''in a concise, transparent, intelligible and easily accessible form, using clear and plain language''”.  
  
==== Conciseness ====
+
====Conciseness====
Controllers should present the information/communication in order to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use.  
+
Controllers should present the information/communication in such a way to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use.  
  
The use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues
+
The use of a layered privacy statement/ notice will provide a data subject with the relevant section of the privacy statement/ notice at the appropriate moment instead of a monolithic notice.
  
==== Transparency ====
+
====Transparency====
A data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used (Recital 39).  
+
A data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used ([[Article 12 GDPR#r39|Recital 39]]).  
  
In particular, for complex, technical or unexpected data processing, WP29’s position is that, as well as providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.
+
In particular, for complex, technical or unexpected data processing, the Article 29 Working Party's (WP29) position is that, in addition to providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be. [''Reference?'']
  
==== Intelligibility ====
+
====Intelligibility====
The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.
+
The requirement that information is “intelligible” means that it should be understandable by an average member of the intended audience. An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.
  
 
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.
 
If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.
  
==== Easily accessible form ====
+
====Easily accessible form====
 
The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).
 
The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).
  
==== Clear and plain language ====
+
====Clear and plain language====
 
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations.  
 
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations.  
  
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.
+
In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use vague language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.
  
==== Forms of the information ====
+
====Forms of the information====
 
Under [[Article 12 GDPR#1|Article 12(1)]], the default provision of information to, or communications with, data subjects should be done in writing (also, according to [[Article 12 GDPR#7|Article 12(7)]], in combination with standardised icons).
 
Under [[Article 12 GDPR#1|Article 12(1)]], the default provision of information to, or communications with, data subjects should be done in writing (also, according to [[Article 12 GDPR#7|Article 12(7)]], in combination with standardised icons).
  
However, the GDPR also allows for other, unspecified “means” including electronic means to be used. WP29’s position with regard to written electronic means is that where a data controller maintains (or operates, in part or in full, through) a website, WP29 recommends the use of layered privacy statements/ notices, which allow website visitors to navigate to particular aspects of the relevant privacy statement/ notice that are of most interest to them.
+
However, the GDPR also allows for other, unspecified “means” including electronic means, to be used. WP29’s position with regard to written electronic means is that where a data controller maintains (or operates, in part or in full, through) a website, WP29 recommends the use of layered privacy statements/ notices, which allow website visitors to navigate to particular aspects of the relevant privacy statement/ notice that are of most interest to them. [''Reference?'']
  
 
Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.
 
Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.
Line 288: Line 288:
 
“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).
 
“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).
  
[[Article 12 GDPR#1|Article 12(1)]] specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient assurance.  
+
[[Article 12 GDPR#1|Article 12(1)]] specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient certainty.  
  
=== (2) Exercise of rights ===
+
===Exercise of rights===
The exercise of rights by the data subject is considered as one of the peculiar aspects of the new discipline. Only a full recognition of your rights makes it possible for the data subject to control your personal data. This objective requires a broad protection that the legislator provides by defining a discipline aimed at facilitating the exercise of rights by the user.
+
The controller should help the data subject exercise their rights . Only a full recognition of their rights makes it possible for the data subject to control their personal data.
  
=== (3) Time limit ===
+
===Time limit===
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject
+
The controller must act on any request by the data subject under Articles 15 to 22 as soon as possible ("''without undue delay''") and in any event within one month. That period may be extended by two further months where necessary if the requests are complex or numerous such that they cannot be answered within one month. A controller cannot extend the duration simply because inadequate internal organisation prevents them from complying in a timely manner. In any case, where a controller is unable to comply within the one month deadline, the controller must inform the data subject within one month of receiving the request and the reasons for the delay.  
  
=== (4) No actions taken by the controller ===
+
The manner information is provided to the data subject should mirror the manner the data subject made the request, unless otherwise specified by the data subject. For example, an electronic request by the data subject should typically be responded to electronically.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
 
  
=== (5) Free of charge ===
+
===Failure to act on the request===
Under [[Article 12 GDPR#5|Article 12(5)]], data controllers cannot generally charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). This aspect of transparency also means that any information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.
+
If, for whatever reason, a controller does not act on the data subject's request, they must inform the data subject as soon as possible and at the latest within one month of receiving the request, as well as the reasons why the controller decided to not act on the data subject's request. They must also tell the data subject about their right to lodge a complaint with a supervisory authority or seek a judicial remedy.
  
==== Exceptions ====
+
===Free of charge===
Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, if the requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable expense contribution.
+
Under [[Article 12 GDPR#5|Article 12(5)]], controllers may generally not charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). Flowing from the principle of transparency, the provision of such information cannot be made conditional upon financial transactions, for example the payment for services or goods.
  
Pursuant to [[Article 12 GDPR#5|Article 12(5)]], the controller may refuse the request, or claim a fee for expenses, only if the request is deemed to be manifestly unfounded or excessive, in particular because it is repetitive. This is clearly an exception to the rule which, as such, must be interpreted restrictively.
+
====Exceptions====
 +
Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, if the requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception to the rule must be interpreted restrictively in order to not infringe upon the data subject's right to information.
  
Consequently, if the request is not manifestly unfounded or repetitive, the Controller cannot charge any fee, regardless of whether it was provided for in the contract terms. GDPR rights are in fact very personal rights and cannot be assigned from the data subject by accepting an electronically signed contract term.
+
Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even if a fee was provided for in the contract terms. GDPR rights are personal rights and as such cannot be signed away by the data subject.
  
==== Burden of proof ====
+
====Burden of proof====
 
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
 
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
  
=== (6) Verifying the data subject === NB: Extract from a BOOK - need to be summarised and changed
+
===Verifying the data subject===
 
+
In practice, controller often reject users' requests because of alleged problems identifying them and the risk of disclosing personal data to an unauthorized person, for example in the case of identity theft.
If the controller has reasonable doubts concerning the identity of a natural person making a request pursuant to GDPR, Articles 15 to 21, the controller may ask for additional information necessary to confirm the identity of the data subject.  
 
  
Background of this controller's right is the possible risk of unauthorised third parties trying to exercise rights of data subjects. A reasonable doubt may be given, e.g. if a request is made via an unknown email address or user account. In such cases controllers are permitted but not required to request information as proof of identity before meeting the requests.
+
If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21, additional information may be asked to confirm the identity. In doing so, the controller may use "''all reasonable measures''" ([[Article 12 GDPR#r64|Recital 64]]) including contacting them via known contact details, such as a phone number or a postal address.  
  
Should it turn out that the requesting party was not the data subject concerned, providing information to that person may be considered an illegal transfer of personal data which can be penalised under GDPR, Article 83, para 4 with administrative fines up to 20,000,000 EUR or 4 % of the total worldwide annual turnover of the controller. Documentation of the incoming requests, controller's measures taken to investigate the lawfulness of the request including requestor's identity, and the measures taken to fulfil such requests will be of the essence to establish sufficient proof for controller's GDPR compliance.  
+
In the context of online services, the data subject can be authenticated for example, by sending a secret code, or a link containing a unique token, to the email address or other contact method used for the registration.
  
To verify the requesting person's identity, the controller may, according to GDPR, recital 64, use "all reasonable measures", in particular in the context of online services and online identifiers. Such reasonable measures may include contacting the data subject at its known postal address or, in the context of online services, certifying a digital identification of the data subject, for example through authentication mechanisms, such as the same credentials, used by the data subject to log-in to the online service offered by the controller.
+
===Standardised icons===
 
+
The GDPR provides for visualisation tools (referencing in particular, icons, certification mechanisms, and data protection seals and marks) where appropriate.  
Requesting a copy of the data subject's passport might exceed the appropriate extent, as the document provides more information that is usually needed. In some Member States, such as in Germany, national law does not allow copying the data subject's passport and the use of such copies for identification purposes unless this is explicitly allowed under any other applicable law. In view of the very general wording of GDPR, Article 12, para 6 (“additional information necessary to confirm the identity of the data subject”), it is unclear whether this rule would be accepted as a statutory authorisation to make copies of a passport.
 
 
 
=== (7) Standardised icons ===
 
The GDPR provides for visualisation tools (referencing in particular, icons, certification mechanisms, and data protection seals and marks) where appropriate. Recital 5846 indicates that the accessibility of information addressed to the public or to data subjects is especially important in the online environment.
 
  
 
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.
 
However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.
  
=== (8) Information to be presented by the icons ===
+
===Code of icons===
The GDPR assigns responsibility for the development of a code of icons to the Commission but ultimately the European Data Protection Board may, either at the request of the Commission or of its own accord, provide the Commission with an opinion on such icons.49 WP29 recognises that, in line with Recital 166, the development of a code of icons should be centred upon an evidence-based approach and in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context
+
The Commission may determine the information to be displayed by icons and the procedures for providing standardised icons.  The competence does not include the binding establishment of specific icons. In line with Recital 166 the development of a code for icons should be centred upon an evidence-based approach. Prior to any such standardisation it will be necessary for research on the efficacy of icons will need to be conducted.
  
 
==Decisions==
 
==Decisions==
Line 336: Line 331:
  
 
==References==
 
==References==
<references />
+
<references />→ [https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)]
 
 
 
 
 
[[Category:GDPR Articles]]
 
[[Category:GDPR Articles]]

Revision as of 10:52, 22 April 2021

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Relevant Recitals

Recital 39: Lawful and fair processing

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 57: Processing which does not require identification

If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

Recital 58: Requirements, form and structure of the information

If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

Recital 59: Facilitate the exercise of data subject's rights

Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 60: Information provision

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Recital 64: Verification of the data subject's identity

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Recital 166: Delegated Acts of the Commission

In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

Commentary

Requirements of the information in the GDPR

In describing the general requirements of the information to be provided to the user, Article 12(1) refers to Articles 13, 14, 15 to 22 and 34 of the GDPR. Considered together, these provisions list all cases of communication and information obligations by the controller to the data subject.

It follows that no matter whether the information refers to future processing, as in Articles 13 or 14, or to an existing one, as in Articles 15 to 22, it must always be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.

Conciseness

Controllers should present the information/communication in such a way to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use.

The use of a layered privacy statement/ notice will provide a data subject with the relevant section of the privacy statement/ notice at the appropriate moment instead of a monolithic notice.

Transparency

A data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used (Recital 39).

In particular, for complex, technical or unexpected data processing, the Article 29 Working Party's (WP29) position is that, in addition to providing the prescribed information under Articles 13 and 14, controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be. [Reference?]

Intelligibility

The requirement that information is “intelligible” means that it should be understandable by an average member of the intended audience. An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.

If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/ notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things.

Easily accessible form

The data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc).

Clear and plain language

With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations.

In particular, the purposes of, and legal basis for, processing the personal data should be clear. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use vague language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.

Forms of the information

Under Article 12(1), the default provision of information to, or communications with, data subjects should be done in writing (also, according to Article 12(7), in combination with standardised icons).

However, the GDPR also allows for other, unspecified “means” including electronic means, to be used. WP29’s position with regard to written electronic means is that where a data controller maintains (or operates, in part or in full, through) a website, WP29 recommends the use of layered privacy statements/ notices, which allow website visitors to navigate to particular aspects of the relevant privacy statement/ notice that are of most interest to them. [Reference?]

Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.

“Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).

Article 12(1) specifically contemplates that information may be provided orally to a data subject on request, provided that their identity is proven by other means. In other words, the means employed should be more than reliance on a mere assertion by the individual that they are a specific named person and the means should enable the controller to verify a data subject’s identity with sufficient certainty.

Exercise of rights

The controller should help the data subject exercise their rights . Only a full recognition of their rights makes it possible for the data subject to control their personal data.

Time limit

The controller must act on any request by the data subject under Articles 15 to 22 as soon as possible ("without undue delay") and in any event within one month. That period may be extended by two further months where necessary if the requests are complex or numerous such that they cannot be answered within one month. A controller cannot extend the duration simply because inadequate internal organisation prevents them from complying in a timely manner. In any case, where a controller is unable to comply within the one month deadline, the controller must inform the data subject within one month of receiving the request and the reasons for the delay.

The manner information is provided to the data subject should mirror the manner the data subject made the request, unless otherwise specified by the data subject. For example, an electronic request by the data subject should typically be responded to electronically.

Failure to act on the request

If, for whatever reason, a controller does not act on the data subject's request, they must inform the data subject as soon as possible and at the latest within one month of receiving the request, as well as the reasons why the controller decided to not act on the data subject's request. They must also tell the data subject about their right to lodge a complaint with a supervisory authority or seek a judicial remedy.

Free of charge

Under Article 12(5), controllers may generally not charge data subjects for the provision of information under Articles 13 and 14, or for communications and actions taken under Articles 15 - 22 (on the rights of data subjects) and Article 34 (communication of personal data breaches to data subjects). Flowing from the principle of transparency, the provision of such information cannot be made conditional upon financial transactions, for example the payment for services or goods.

Exceptions

Normally, the exercise of GDPR rights, as well as obtaining information, is free of charge. However, if the requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception to the rule must be interpreted restrictively in order to not infringe upon the data subject's right to information.

Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even if a fee was provided for in the contract terms. GDPR rights are personal rights and as such cannot be signed away by the data subject.

Burden of proof

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Verifying the data subject

In practice, controller often reject users' requests because of alleged problems identifying them and the risk of disclosing personal data to an unauthorized person, for example in the case of identity theft.

If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21, additional information may be asked to confirm the identity. In doing so, the controller may use "all reasonable measures" (Recital 64) including contacting them via known contact details, such as a phone number or a postal address.

In the context of online services, the data subject can be authenticated for example, by sending a secret code, or a link containing a unique token, to the email address or other contact method used for the registration.

Standardised icons

The GDPR provides for visualisation tools (referencing in particular, icons, certification mechanisms, and data protection seals and marks) where appropriate.

However, the use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14.

Code of icons

The Commission may determine the information to be displayed by icons and the procedures for providing standardised icons.  The competence does not include the binding establishment of specific icons. In line with Recital 166 the development of a code for icons should be centred upon an evidence-based approach. Prior to any such standardisation it will be necessary for research on the efficacy of icons will need to be conducted.

Decisions

→ You can find all related decisions in Category:Article 12 GDPR

References

Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)