Article 12 GDPR: Difference between revisions

From GDPRhub
(41 intermediate revisions by 3 users not shown)
Line 212: Line 212:


==Commentary==
==Commentary==
Article 12 GDPR ensures the efficient exercise of the data subject’s rights. To do so, it regulates clarity and accessibility standards regarding communications with the data subject. It also lays down procedural rules with regard to the flow of information between the data subject and the controller. This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can only serve their purpose when supported by clear information as well as proportionate and effective procedures.<ref>''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020).</ref><blockquote><u>EDPB Guidelines</u>: on this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/transparency_de Transparency - WP29]</blockquote>
Article 12 GDPR ensures the efficient exercise of the data subject’s rights. To do so, it regulates clarity and accessibility standards regarding communications with the data subject. It also lays down procedural rules the controller must follow once a GDPR right is exercised.
===(1) Clear and transparent communication===
Article 12(1) GDPR requires controllers to take appropriate measures to provide<ref>Under Article 12(1), controllers must provide any information to the data subject. The verb "provide" makes it clear that the controller must take every step necessary to provide that information. In other words, the data subject need not make any special effort to "seek" the information to which it is entitled. On the contrary, the controller will provide data subjects with direct links to the information, or clearly signpost information as an answer to a natural language question (e.g. in an online layered privacy statement, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, in an interactive digital context through a chatbot interface, etc.). See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 8 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref> any information under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]]<ref>Considered together, these provisions list all communication and information obligations the controller owes to the data subject.</ref> in a manner that is concise, transparent, intelligible and easily accessible, using clear and plain language.<ref>A "''measure''" is any method, internal process, policy or technical tool used by the controller during its processing operations. Within this wide category, the "''measures''" falling under the scope of Article 12(1) are just those whose goal is to provide the data subject with information and communications under [https://gdprhub.eu/index.php%3Ftitle=Article_13_GDPR Articles 13], [https://gdprhub.eu/index.php%3Ftitle=Article_14_GDPR 14], [https://gdprhub.eu/index.php%3Ftitle=Article_15_GDPR 15] to [https://gdprhub.eu/index.php%3Ftitle=Article_22_GDPR 22] and [https://gdprhub.eu/index.php%3Ftitle=Article_34_GDPR 34 GDPR]. Hence, the "measures" under Article 12(1) form a stricter group than those mentioned, among the others, in Article 24 GDPR. In the latter case, measures concerned are all those used to ensure general compliance with the Regulation as a whole (and not only Articles 13-22, 34).</ref> The provision set out two main requirements. Firstly, the controller must precisely present the information in terms of content (preciseness requirement). Secondly, the information must be presented in a manner that is easily understandable to the data subject without requiring excessive cognitive effort or time (comprehensibility requirement).<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> Hence, a measure - or, most likely, a set of measures - is therefore "appropriate" under Article 12 GDPR when it generates information under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]] which is <u>both</u> (i) precise (''"any'' ''information''") and (ii) clear ("''concise, transparent, intelligible and easily accessible, using clear and plain language''").
==== (i) Preciseness ====


===(1) Requirements of Information in the GDPR===
The controller is obliged to provide all the information the law requires in connection with the specific cases. The information must be as complete as possible. Sometimes, it may be a matter of constructing a privacy policy under Article 13 GDPR. In this case, the information will be complete when all the elements required by that provision are included in the policy. On other occasions, it will be a matter of responding comprehensively to an Article 15 GDPR access request.
Paragraph 1 requires controllers to take appropriate measure to provide that any mandatory communication with the data subject is expressed ''<nowiki/>'in a concise, transparent, intelligible and easily accessible form, using clear and plain language''<nowiki/>', especially when directed to children.


==== Appropriate measures ====
In all cases, the controller's effort must be to include all the information it is required to provide. The controller's obligation covers, where appropriate, measures to correctly detect the content of the request and assign it to the responsible department. The same goes for internal policies and technical equipment enabling the controller's staff to retrieve the data and perform any required operation (e.g. copy, rectification, deletion).
Measures are the methods by which a controller provides responses to a right request.<ref>A measure consists of every method, policy, internal agreement by which a controller is able to provide any information required under the GDPR. This includes measures to authenticate the data subject, detect the content of the request, assign it to the responsible department. Measures are also the internal policies and technical equipment that enable the controller to retrieve the data, perform any required operation (e.g. copy, rectification, deletion), and to do so within the time limits required by law. Finally, measures are also those that define the methods for communicating the response (a privacy policy, different layers, a download tool, etc).</ref> Following the wording of the first sentence of Section 12(1), measures are only "appropriate" if they fulfil the meet two requirements: (1) they are able to provide all the information required in each case by law, and (2) they convey that (complete) information in a clear and accessible manner for the data subject.
==== (ii) Clarity ====
=====Conciseness=====
Information about the processing must be presented concisely. This is intended to prevent controllers from providing an overly lengthy or convoluted description of the processing activity, as data subject usually will not read multiple pages of the text. Thus, controllers have a positive obligation to prevent data subjects from experiencing information overload.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (C.H. Beck 2018, 2nd Edition).</ref> For example, the use of a layered privacy statement<ref>In an online context, the use of a layered privacy statement/notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues. See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref> may present the most relevant section to the data subject rather than providing them with an unconscionable notice. A layered approach may not be used to hide the more problematic processing in a lower layer. The most relevant information or any unexpected processing should be easily available.  <blockquote>
EDPB: It should be noted that layered privacy statements/ notices are not merely nested pages that require several clicks to get to the relevant information. The design and layout of the first layer of the privacy statement/ notice should be such that the data subject has a clear overview of the information available to them on the processing of their personal data and where/ how they can find that detailed information within the layers of the privacy statement/ notice.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 19 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>  </blockquote>


===== Provide any information under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]]. =====
===== Transparency =====
Article 12(1) GDPR refers to [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]]. Considered together, these provisions list all communication and information obligations the controller owes to the data subject.


===== In a concise, transparent, intelligible and easily accessible form, using clear and plain language =====
In the context of Article 12 GDPR, the main goal of transparency is the accurate and fair understanding<ref>Recitals 39 and 58 GDPR require that information must not only be clear, but also “''easy to understand''”. Along these lines, the CJEU criticised the behaviour of a controller "''in the absence of any indications confirming that that clause was actually read and digested''". See, CJEU, C‑61/19, ''Orange România'', 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=435D246D36987631CF7ECEEE183201DF?text=&docid=233544&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5720138 here]).</ref> of the information and communication provided to the data subjects under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]]. This is needed because, otherwise, it would be impossible for them to fully enjoy the different rights granted by those provisions.<ref>This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can only serve their purpose when supported by clear information as well as proportionate and effective procedures. ''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020). See, ''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020).</ref>  <blockquote><u>Example</u>: A controller provider of a website does not have sufficient information about the functioning of software it uses because the manufacturer of this software does not disclose it. It will be difficult for the controller to fulfil its duty to inform the data subject. Consequently, in order to be transparent, it would have to refrain from using such software.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).</ref> </blockquote>


======Conciseness======
===== Intelligibility =====
Information about the processing must be presented concisely. This is intended to prevent controllers from providing a too detailed description of the processing activity, as data subjects generally have very limited attention spans. Thus, controllers have a positive obligation to prevent data subjects from experiencing information overload.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (C.H. Beck 2018, 2nd Edition).</ref> For example, the use of a layered privacy statement may present the most relevant section to the data subject rather than providing them with an unconscionable notice. 


====== Transparency ======
Information is “intelligible” when it is understandable by an average member of the intended audience. In some cases there may be multiple audiences that a controller addresses. Therefore, an accountable data controller must have an understanding of the people that it collects information about, which it should use to determine what they are likely to understand. For example, a controller dealing with professionals working in a specific area may rely on the fact that they understand the relevant professional terminology - while a controller that processes personal data of avarage consumers or even children would have to avoid any jargon. <blockquote><u>EDPB</u>: If controllers are uncertain about the level of intelligibility, they can test these through mechanisms such as, ''inter alia'', user panels, readability testing, as well as formal and informal dialogue with industry groups, consumer advocacy groups and regulatory bodies (Article 35(9) GDPR).<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref> </blockquote>
A data subject should be able to determine in advance what the scope and consequences of the processing entails and they should not be surprised at a later point about the ways in which their personal data has been used (Recital 39 GDPR). For complex, technical or unexpected data processing, the WP29's position is that, in addition to providing the prescribed information under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]], controllers should also separately spell out in unambiguous language what the most important consequences of the processing will be.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref> Thus, if a controller (e.g. provider of a website) does not have sufficient information about the functioning of software it uses (e.g. because the manufacturer of this software does not disclose it), or simply does not understand it (so that it cannot fulfil its duty to inform the data subject), it should refrain from using the software.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).</ref>


====== Intelligibility ======
===== Easily accessible form =====
For information to be “intelligible”, it should be understandable by an average member of the intended audience. An accountable data controller will have an understanding of the people that it collects information about, which it should use to determine what they are likely to understand.


In other words, the information must aim to make the data subject understand the processing, as they can only then make free choices with regard to the processing of their personal data. The legal elements underpinning this requirement appear to be quite unambiguous. First, the overall logic of the GDPR points in this direction. If information were to be understood as a mere heap of data, the rights of access, rectification and objection would effectively be meaningless. Further, Recitals 39 and 58 GDPR require that information must not only be clear, but also “''easy to understand''”. The CJEU seems to go in the same direction, criticising the behaviour of a controller "''in the absence of any indications confirming that that clause was actually read and digested''".<ref>CJEU, C‑61/19, ''Orange România'', 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=435D246D36987631CF7ECEEE183201DF?text=&docid=233544&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5720138 here]).</ref>
The "easily accessible" element implies that the data subject should not have to actively search for the information. It should be readily visible and clear to them where and how they can access the information. This can be achieved through various means, such as providing the information directly to them, linking to it, clearly indicating its location, or providing it as an answer to a natural language question. Examples of how this can be implemented include online layered privacy statements/notices, FAQs, contextual pop-ups that activate when a data subject fills in an online form, or interactive digital interfaces like chat-bots.<blockquote><u>EDPB</u>: For apps, the necessary information should also be made available from an online store prior to download. Once the app is installed, the information still needs to be easily accessible from within the app. One way to meet this requirement is to ensure that the information is never more than “two taps away” (e.g. by including a “Privacy”/ “Data Protection” option in the menu functionality of the app). Additionally, the privacy information in question should be specific to the particular app and should not merely be the generic privacy policy of the company that owns the app or makes it available to the public.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 37-38 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref></blockquote>Easy access to information also plays a major role whenever physically impaired people (e.g. blind or hearing-impaired people) are concerned. From this perspective, alongside with more traditional formats, the controller must be able to use alternative means of communication which suit the data subject's specific needs.  
If controllers are uncertain about the level of intelligibility and transparency of the information, and effectiveness of user-facing notices, they can test these through mechanisms such as, inter alia, user panels, readability testing, as well as formal and informal dialogue with industry groups, consumer advocacy groups and regulatory bodies (Article 35(9) GDPR).


====== Easily Accessible Form ======
=====Clear and plain language=====
The data subject should not have to seek out the information. Instead, it should be immediately apparent where and how it can be accessed. The controller can provide data subjects with information directly, provide links to it, or clearly signpost information as an answer to a natural language question (e.g. in an online layered privacy statement, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, in an interactive digital context through a chatbot interface, etc.).<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 8 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>


======Clear and Plain Language======
The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures.<ref>Best practices for clear communication should be followed regardless whether information is written, delivered orally, or by audio/audio-visual methods (including for vision-impaired data subjects).</ref> Text that may be understandable for lawyers, may not be understandable for average users with limited language skills or limited education. For most languages, guidelines exist on how to simplify legal language. Cloudy wording, that tries to camouflage the processing, or aims at marketing purposes rather than at providing a plain explanation, would violate this provision. The information should be concrete as well as definitive, and should neither be phrased in abstract or ambivalent terms, nor leave room for diverging interpretations. In particular, the purposes of and legal basis for processing the personal data should be clear.<ref>Recital 39: "The principle of transparency [...] concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed".</ref>  <blockquote>
Best practices for clear communication should be followed regardless whether information is written, delivered orally, or by audio/audio-visual methods (including for vision-impaired data subjects). The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete as well as definitive, and should neither be phrased in abstract or ambivalent terms, nor leave room for diverging interpretations.


In particular, the purposes of and legal basis for processing the personal data should be clear. Language qualifiers such as “''may''”, “''might''”, “''some''”, “''often''” and “''possible''” should also be avoided. Where data controllers opt to use vague language, they should be able to, in accordance with the principle of accountability, demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 9 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>
<u>Example</u>: A controller uses the term “''To allow you a better experience, we may share some information with our partners''”, when in fact the data is sold to a specific data broker for the purpose of advertisement. This would not be a “''clear and plain''” explanation of the intended processing.  


This requirement also affects the language used for the communication. Whilst the GDPR does not expressly regulate the matter, it is clear that the level of intelligibility of information is directly linked to the user’s capacity of understanding a certain language.  
<u>Common misunderstanding</u>: Language qualifiers such as “''may''”, “''might''”, “''some''”, “''often''” and “''possible''” should be avoided. Equally, open-ended lists, usually stating with wording like “''such as''” are not clear and plain. Where data controllers opt to use vague language, they should be able to, in accordance with the principle of accountability, demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 9 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>  </blockquote>This requirement also affects the language used for the communication. Whilst the GDPR does not expressly regulate the matter, it is clear that the level of intelligibility of information is directly linked to the user’s capacity of understanding a certain language as a native or non-native speaker. Controllers that know that a relevant part of their data subjects do not speak the dominant language in a country and also offer products in different languages, may need to provide the relevant information in these languages too. <blockquote><u>EDPB</u>: Where the information is translated into one or more other languages, the data controller should ensure that all the translations are accurate and that the phraseology and syntax makes sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted. (A translation in one or more other languages should be provided where the controller targets data subjects speaking those languages.)<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 8 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref> </blockquote>


==== Form of the Information ====
===== In writing or by other means =====
Under Article 12(1) GDPR, information “''shall be provided in writing, or by other means, including, where appropriate, by electronic means''.” Thus, the provision of information to, or communication with, data subjects should be done in writing by default.
Under Article 12(1) GDPR, information “''shall be provided in writing, or by other means, including, where appropriate, by electronic means''.” Written form is therefore the default option. However, in addition to the written form, other means can be used, and that includes electronic writing, cartoons, info-graphics, non-verbal methods and oral information.      


However, the GDPR also allows for other unspecified “''means''” to be used, including electronic means. For instance, if a data controller operates a website, a written notice is not necessary and electronic forms are to be preferred. In such cases, the use of a webpage containing the information will adequately serve the purpose. The WP29 suggested the implementation of layered privacy statements which allow website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 11-12 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>
====== In writing ======
This is the typical written format used to imprint a specific message on paper for later reading.      


The use of a layered approach is nonetheless not the only available option. Other electronic means include “''just-in-time''” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts. “''Other'' [not necessarily electronic] ''means''” might include cartoons, infographics or flowcharts.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>
====== Electronic means ======
In addition to the traditional written form on paper, the GDPR allows for providing information in electronic form. The use of the disjunctive phrase "''or''", followed by the expression "''where appropriate''", suggests that the written form may be abandoned in certain circumstances, and that the controller has some discretion in this regard.<ref>Quaas, in BeckOK Datenschutzrecht, Article 12 GDPR, margin number 27 (C.H. Beck 2020, 43rd Edition).</ref>      


The WP29 also points out that it is critical that the method chosen by controllers fits the particular circumstances. For example, if a certain device does not have a screen it does not seem appropriate to only provide the information in an electronic written format. In such cases, viable alternatives should be considered, such as providing a printed privacy statement inside the device package or the URL website address where the privacy notice can be found.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available [https://gdprhub.eu/WP29,%20%E2%80%98Guidelines%20on%20Transparency%20under%20Regulation%202016/679%E2%80%99,%2017/EN%20WP260%20rev.01,%2011%20April%202018,%20p.%2012%20(available%20here). here]).</ref> Finally, the GDPR also expressly empowers data subjects to be provided orally, but only under two conditions: the data subject must request this and the controller must have otherwise verified the data subject’s identity.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).</ref>
In case of online activities, the WP29 suggested the implementation of layered privacy statements which allow website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them. The use of a layered approach is nonetheless not the only available option. Other electronic means include “''just-in-time''” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 11-12 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>    


===(2) Obligation to Facilitate the Exercise of Rights===
====== Other means ======
Under Article 12(2) GDPR the controller should facilitate the data subject in the exercise of their GDPR rights. The Regulation does not define the notion of “''facilitate''”, but warns the controller in Recital 59 that “''modalities should be provided for facilitating the exercise of the data subject's rights''” and that these include “''mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object''”. 


These “''modalities''” should cover the whole range of activities necessary to fully address a request. First, data subjects should be allowed to easily express their concerns and exercise their rights. This means allowing them to reach the controller and its DPO “''in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)''”.<ref>WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available [https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 here]).</ref> The WP29 also points out that, “''[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided'' (emphasis added)”.<ref>WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available [https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 here]).</ref>
“''Other'' [not necessarily electronic] ''means''” might include cartoons, info-graphics or flowcharts.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref> The method chosen by controllers must fit the particular circumstances. For example, if a certain device does not have a screen, controllers can provide a printed privacy statement inside the device package or redirect the data subject to the URL website address where the privacy notice can be found.<ref>WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available [https://gdprhub.eu/WP29,%20%E2%80%98Guidelines%20on%20Transparency%20under%20Regulation%202016/679%E2%80%99,%2017/EN%20WP260%20rev.01,%2011%20April%202018,%20p.%2012%20(available%20here). here]).</ref>
====== Oral information ======


Example: Take the case of a user who has requested full access to their data via email. After receiving the request, the controller learns that the amount of information is very high and likely not transmissible via email. In accordance with its obligation to facilitate the request, the controller may provide a dedicated internet page through which the user can select the part of the processing to which it is directed. The user can then choose the desired option for the controller to address the request.  
Finally, the GDPR also empowers data subjects to request to be provided orally. For example, controllers may provide audio information by means of a dedicated hotline. Controllers "''may''" do so, but only under two conditions: (i) the data subject must request oral information or communication and (ii) the controller must have otherwise verified the data subject’s identity.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).</ref> The second requirement, (ii), only refers to cases where data subject's authentication is necessary. Consequently, it applies when a data subject exercises one of their GDPR rights (Articles 15 - 22) or when a communication of personal data breach is needed under Article 34 GDPR. <blockquote><u>Example</u>: A data subject requests clarification on the results of some medical exams from their clinic. The staff member at the clinic should verify the identity of the caller through appropriate checks. For example, by asking them to provide a pre-agreed secret phrase, or by waiting for the caller to verify their identity through their account. </blockquote>


The final part of Article 12(2) GDPR states that the controller shall not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify the data subject. However, in such circumstances the data subject may provide additional information enabling their identification (Article 11(2) GDPR). In order to allow the data subject to provide this additional information, the controller should inform the data subject of the nature of what is required to allow identification.  
===== Practical issues =====
In practice, deciding what is appropriate to satisfy both the preciseness and the clarity requirement will not always be easy. As a matter of fact, there are intrinsical points of attrition between preciseness and clarity, as the former usually pushes in the direction of more complexity, whereas the latter requires a certain degree of simplification.<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 12 (C.H. Beck 2020, 3rd Edition).</ref> In certain circumstances, for instance, a given processing may not be easy to explain, especially where a considerable amount of data is processed and numerous actors are involved in the processing chain. In such cases, finding the appropriate measure will not always be straightforward. However, the complexity of the processing is not a justification for reducing the transparency standards imposed by the Regulation.<blockquote>EDPB:  The [controller's] assessment should aim at choosing the most appropriate method for providing all information covered by this right, depending on the specific circumstances in each case. As a consequence, a controller who processes a vast amount of data on a large scale <u>must accept to undertake great efforts</u> to ensure the right of access to the data subjects in a concise, transparent, intelligible and easily accessible form, by using plain and clear language.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 40.</ref></blockquote>
===(2) Obligation to facilitate the exercise of rights===
Under Article 12(2), first sentence, GDPR the controller must facilitate the data subject in the exercise of their GDPR rights under Articles 15 to 22 GDPR.  


This provision, clarifies the meaning of the obligation to facilitate the exercise of the right. It prevents the controller from adopting obstructive tactics relating to alleged "''difficulties of identification''" unless these actually exist. Consequently, all attempts at verification which require excessive efforts (while adding nothing in terms of security) become inadmissible - and do not constitute 'facilitation'.(Ref to Art. 11)
==== Shall facilitate ====
The term "facilitate" implies a proactive approach by the controller who must take any action to ease the exercise of GDPR rights.<ref>''Paal, Hennemann'', in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).</ref> The Regulation does not define the notion of “''facilitation''”, but warns that “''modalities"'' should be provided''.''<ref>This includes “''mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object''” (Recital 59). </ref> These “''modalities''” should cover the whole range of activities a controller undertakes to fully address a GDPR right request. In particular, controllers must demonstrate that "''the way to handle the request aims to give the <u>broadest effect</u> to the right'' [...] ''and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR).''"<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-data-subject-rights-right_en here]).</ref>


Example: a user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide to send an email login request because the information download tool provided by the controller does not provide certain information. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. This conduct constitutes a breach of the obligation to facilitate the exercise of rights. The controller may nonetheless send a unique identification link to the email address used by the user for registration.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>
Among the others, data subjects should be allowed to reach the controller “''in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)''”.<ref>The WP29 also points out that, “''[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided''”. WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available [https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 here]).</ref> Once the request is received, the controller should be able to handle it internally as efficiently as possible, and ensure the request be handled by the appropriate department. Moreover, data subject authentication should be free of unnecessary burdens. The method used for authentication should be "''relevant, appropriate, proportionate and respect the data minimisation principle''."<ref>If the controller imposes measures aimed at identifying "''the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR)."'' See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>


===(3)  Time Limit and Form of the Request===
The data subject can choose the format in which it wants to send any request to the controller, as long as it is a common format (such as emails, postal letters, phone calls, PDFs and alike) and it is not sent to a clearly irrelevant contact point.   
Under Article 12(3) GDPR, the controller must act on any request by the data subject under [[Article 15 GDPR|Articles 15]] to [[Article 22 GDPR|22 GDPR]] as soon as possible ("''without undue delay''") and in any event within one month. That period may be extended by two months if the requests are so complex or numerous that they cannot be answered within one month. A controller cannot extend the duration simply because its inadequate internal organisation prevents them from complying with a request in a timely manner. In any case, when a controller is unable to comply with the one month deadline, it must inform the data subject of the reasons for the delay within one month of receiving the request.<ref>Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, pp. 16-17 (available [https://ico.org.uk/media/for-organisations/documents/2619803/right-of-access-1-0-20210520.pdf here]). </ref>  


The final sentence of Article 12(3) specifies that where the data subject makes the request by electronic means, and unless otherwise requested by them, the information shall be provided in a commonly used electronic form. However, the provision of electronic means is not an obligation for the controller. Nevertheless, Recital 63 GDPR expressly indicates that, where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to their personal data. This is clearly intended to encourage controllers to facilitate the exercise of access rights.
Any subsequent interaction with the data subject must once again be marked by the principle of fairness and must not result in unnecessary "ping-pongs" whose only goal is to prevent the data subject from obtaining a full and timely response.<ref>EDPB: It is important to underline that the request for specification shall not aim at a limitation of the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller of course has to provide it in full.</ref>
==== Impossible identification ====
The final part of Article 12(2) GDPR states that the controller shall not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. However, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, prevents the controller from adopting obstructive tactics relating to alleged "''difficulties of identification''" unless these actually exist. All attempts to verify the identity of a data subject which require excessive efforts by the latter (while adding nothing in terms of security) become inadmissible - and do not constitute "facilitation". <blockquote><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></blockquote>


===(4) Failure to Act on the Request===
===(3)  Time limit and form of the response===
If a controller does not act on the data subject's request, it must inform them why this is the case as soon as possible, and at the latest within one month of receiving the request. It must also tell the data subject about their right to lodge a complaint with a supervisory authority or to seek a judicial remedy.
Under Article 12(3) GDPR, the controller must inform the data subject about the "''action taken''" following receipt of a request under Articles 15 to 22 GDPR. 
 
==== Information on action taken ====
Depending on the specific request, the required "''action''" will consist of retrieving, arranging and disclosing personal data (for instance, the copy of data under Article 15(3) GDPR). In others, the action takes place within the controller's IT systems (data rectification and deletion, under Articles 16 and 17 GDPR). In any case, controllers shall provide the data subject with information about the action taken, therefore a response is always necessary.
 
==== '''Without undue delay, but no longer than one month''' ====
This must happen as soon as possible ("''without undue delay''") and in any event within one month. This means that if a controller can reasonably take action within a day or week, it cannot wait for a full month to act. It is a matter of the individual case if a controller acted “''without undue delay''”. While acute staffing shortage, the need to consult external legal council and alike can mean that an action takes longer than a couple of days, only stating to act when the one month deadline approaches would violate the law.
 
The EDPB confirms that the period in question should be calculated according to Regulation (UE) 1182/71. The deadline for data subject's request starts upon receipt of the application. Receipt occurs when the request comes within the controller's sphere of influence and can be noted, such as through digital storage or placement in the controller's mailbox.<ref>While formal acknowledgment of a data subject's request under the General Data Protection Regulation (GDPR) may not be required, it is advisable for data subjects to be able to demonstrate that the controller has received their request. The GDPR encourages the exercise of data subject rights, so the burden of proof is not considered burdensome. For example, an email saved in the sent folder could serve as evidence of the request. In cases where requests are sent via ordinary mail, it may be beneficial to obtain proof of receipt, such as a letter with an acknowledgment of receipt, to demonstrate that the request was indeed received by the controller.</ref> <blockquote><u>Example</u>: An organisation receives a request on 5 March. If they can respond within a couple of business days, they must do so. The maximum time limit of one month starts from the same day. This gives the organisation an ultimate deadline until and including 5 April to comply with the request, at the latest.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></blockquote>
==== Deadline may be extended ====
The one-month deadline may be extended by two months "''where necessary''". The necessity should be evaluated in relation to the complexity <u>and</u> number of requests. The wording implies that such requirements must exist at the same time. A typical example would be unexpected waives of requests after a data breach or other event that lead unusual numbers of data subjects to contact a controller.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 33 (C.H. Beck 2018, 2nd Edition).</ref> Either way, when a controller is unable to comply with the one-month deadline, it must inform the data subject of the reasons for the delay within one month of receiving the request. 
 
==== Corresponding means ====
The final sentence of Article 12(3) GDPR specifies that where the data subject makes the request by electronic means, and unless otherwise requested by them, the information shall be provided in a commonly used electronic form - "''where possible''". In other words, answering by electronic means is not an absolute obligation for the controller. Nevertheless, Recital 63 GDPR expressly indicates that - again where possible - the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to their personal data. This is clearly intended to encourage controllers to facilitate the exercise of access rights via so-called “Download Tools” and alike. 
 
On the other hand, the wording "''unless otherwise requested by them''" makes clear that the default option for the form of the response - commonly used electronic form - can be changed if the data subject explicitly asks for another format. For example, the data subject can ask for a paper letter even if they made the request by electronic means. 
 
===(4) Failure to act on the request===
If a controller does not act on the data subject's request, it must explain why this is the case as soon as possible, and at the latest within one month of receiving the request. It must also tell the data subject about their right to lodge a complaint with a supervisory authority or to seek a judicial remedy.
 
These are obviously cases in which one or more of the prerequisites of the GDPR or the right exercised do not exist, or there are other grounds for exclusion of the right. To give a few examples, the controller may reject the request if he considers that no personal data is being processed, thus failing to apply the GDPR in its entirety (Article 4(1) and (2) GDPR). Or if the request is 'manifestly unfounded or excessive' (Article 12(5) GDPR). Again, the controller may reject a request for access, or a part thereof, in order to defend "the rights and freedoms of others" (Article 15(4) GDPR) or, a request for deletion, on the basis of one of the cases provided for in Article 17(3) GDPR.
 
In such circumstances, the communication must convey "''the reasons for not taking action''". It is therefore necessary to at least indicate the legal title on which the rejection. Based on the above-mentioned examples, Articles 4(1), 12(5), 15(4) or 17(3) GDPR.  


===(5) Free of charge===
===(5) Free of charge===
Line 281: Line 308:


==== Manifestly unfounded ====
==== Manifestly unfounded ====
A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore “''obvious''”.<ref>In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 51 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> For example, if an unauthorised person wants to assert the rights of a data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (C.H. Beck, 2nd Edition 2018).</ref>
A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore obviously unfounded.<ref>In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 51 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> For example, if an unauthorised person wants to assert the rights of a data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (C.H. Beck, 2nd Edition 2018).</ref>


==== Excessive requests ====
==== Excessive requests ====
There is no definition of the term “''excessive''” in the GDPR. On the one hand, the wording “''in particular because of their repetitive character''” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject makes a large amount of access requests under Article 15 GDPR. On the other hand, the qualifier “''in particular”'' indicates that other reasons that might cause excessiveness are not excluded a priori.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>
There is no definition of the term “''excessive''” in the GDPR. On the one hand, the wording “''in particular because of their repetitive character''” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject uses the free rights under the GDPR to bombard the controller with requests. On the other hand, the qualifier “''in particular”'' indicates that other reasons that might cause excessiveness are not excluded ''a priori''.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>


A data subject may nonetheless undoubtedly submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “''The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive''”.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here], p. 54).</ref>
A data subject may nonetheless submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “''The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive''”.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here], p. 54).</ref>


Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.<ref>Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>
Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.<ref>Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>


===== (a) Reasonable Fee =====
===== (a) Reasonable fee =====
If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even it was provided for in the contract terms. Controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), pp. 56-57 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).
If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even it was provided for in the contract terms. Controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), pp. 56-57 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).


</ref>
</ref>


===== (b) Refuse to Act =====
===== (b) Refuse to act =====
Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. For both of the aforementioned exceptions to the no-fee rule, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.  
Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. For both of the aforementioned exceptions to the no-fee rule, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.  


===(6) Verifying the Data Subject===
The relationship between these two options is not clarified by the GDPR. The wording of Article 12/5) GDPR seems to suggest that the controller has a free choice between the two alternatives. Nonetheless, it has been pointed out that a refusal to act can violate the good faith principle to the extent that the data subject offers to pay a reasonable fee.<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 39 (C.H. Beck 2020, 3rd Edition).</ref>
In practice, controllers often reject data subjects’ requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. If the controller has reasonable doubts concerning the identity of a natural person making a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]], additional information may be requested to verify their identity. The controller may use "''all reasonable measures''" to achieve this (Recital 64 GDPR), including contacting them via known contact details, such as their phone number or postal address. In the context of online services, the data subject can be authenticated, inter alia, by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.<ref>According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> Further information about this can be found in the commentary under Article 11 GDPR.   
 
===(6) Verifying the data subject===
Controllers often reject data subjects’ requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. If the controller has reasonable doubts concerning the identity of a natural person making a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]], additional information may be requested to verify their identity. However, this cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.    <blockquote>
<u>EDPB</u>: For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose. However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.   </blockquote>In the context of online services, the data subject can be authenticated, ''inter alia'', by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.<ref>According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> Further information about this can be found in the commentary under Article 11 GDPR.   
 
===(7) Standardised icons===
Information can also be provided visually, using certain kind of tools (e.g. icons, certification mechanisms, and data protection seals and marks). However, the use of icons should not replace the information needed by data subjects to enforce their rights, nor should they be used as a substitute to compliance with the controller’s obligations under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]]. Instead, they could constitute an acceptable first layer of information. For example, an icon representing a lock might be used to signal that data is safely collected or encrypted. Whilst it is one of the EDPB’s tasks under Article 70(1)(r) GDPR to provide the Commission with an opinion on the icons, it has not yet published such a document.


===(7) Standardised Icons===
The provision therefore has no practical relevance at this time.  
Information can also be provided visually, using certain kind of tools (e.g. icons, certification mechanisms, and data protection seals and marks). However, the use of icons should not replace the information needed by data subjects to enforce their rights, nor should they be used as a substitute to compliance with the controller’s obligations under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]]. Instead, they could constitute an acceptable first layer of information. For example, an icon representing a lock might be used to signal that data is safely collected or encrypted. Whilst it is one of the EDPB’s tasks under Article 70(1)(r) to provide the Commission with an opinion on the icons, it has not yet published such a document.  


===(8) Code of Icons===
===(8) Code of icons===
The Commission has the power to determine the information to be displayed by icons as well as the procedures for providing standardised icons. Its competence does not include the binding establishment of specific icons. Per Recital 166 GDPR, the process of developing a code of icons should involve the carrying out of consultations, and research on the efficacy of icons. Article 12(8) does not expressly specify whose responsibility it is to conduct such research, meaning standardised icons could come from either the Commission or standard-setting organisations.  
The Commission has the power to determine the information to be displayed by icons as well as the procedures for providing standardised icons. Its competence does not include the binding establishment of specific icons. Per Recital 166 GDPR, the process of developing a code of icons should involve the carrying out of consultations, and research on the efficacy of icons. Article 12(8) GDPR does not expressly specify whose responsibility it is to conduct such research, meaning standardised icons could come from either the Commission or standard-setting organisations.  


==Decisions==
==Decisions==

Revision as of 11:53, 31 May 2023

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Relevant Recitals

Recital 11: Strengthening of Rights and Enforcement
Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 57: Additional Information for Identification
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

Recital 58: Modalities for Transparent Information Provision
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 60: Information Requirements
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Recital 63: Modalities and Scope of Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Recital 73: Restrictions by Member States
Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Recital 166: Delegated Acts
In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

Commentary

Article 12 GDPR ensures the efficient exercise of the data subject’s rights. To do so, it regulates clarity and accessibility standards regarding communications with the data subject. It also lays down procedural rules the controller must follow once a GDPR right is exercised.

(1) Clear and transparent communication

Article 12(1) GDPR requires controllers to take appropriate measures to provide[1] any information under Articles 13, 14, 15 to 22 and 34 GDPR[2] in a manner that is concise, transparent, intelligible and easily accessible, using clear and plain language.[3] The provision set out two main requirements. Firstly, the controller must precisely present the information in terms of content (preciseness requirement). Secondly, the information must be presented in a manner that is easily understandable to the data subject without requiring excessive cognitive effort or time (comprehensibility requirement).[4] Hence, a measure - or, most likely, a set of measures - is therefore "appropriate" under Article 12 GDPR when it generates information under Articles 13, 14, 15 to 22 and 34 GDPR which is both (i) precise ("any information") and (ii) clear ("concise, transparent, intelligible and easily accessible, using clear and plain language").

(i) Preciseness

The controller is obliged to provide all the information the law requires in connection with the specific cases. The information must be as complete as possible. Sometimes, it may be a matter of constructing a privacy policy under Article 13 GDPR. In this case, the information will be complete when all the elements required by that provision are included in the policy. On other occasions, it will be a matter of responding comprehensively to an Article 15 GDPR access request.

In all cases, the controller's effort must be to include all the information it is required to provide. The controller's obligation covers, where appropriate, measures to correctly detect the content of the request and assign it to the responsible department. The same goes for internal policies and technical equipment enabling the controller's staff to retrieve the data and perform any required operation (e.g. copy, rectification, deletion).

(ii) Clarity

Conciseness

Information about the processing must be presented concisely. This is intended to prevent controllers from providing an overly lengthy or convoluted description of the processing activity, as data subject usually will not read multiple pages of the text. Thus, controllers have a positive obligation to prevent data subjects from experiencing information overload.[5] For example, the use of a layered privacy statement[6] may present the most relevant section to the data subject rather than providing them with an unconscionable notice. A layered approach may not be used to hide the more problematic processing in a lower layer. The most relevant information or any unexpected processing should be easily available.

EDPB: It should be noted that layered privacy statements/ notices are not merely nested pages that require several clicks to get to the relevant information. The design and layout of the first layer of the privacy statement/ notice should be such that the data subject has a clear overview of the information available to them on the processing of their personal data and where/ how they can find that detailed information within the layers of the privacy statement/ notice.[7]

Transparency

In the context of Article 12 GDPR, the main goal of transparency is the accurate and fair understanding[8] of the information and communication provided to the data subjects under Articles 13, 14, 15 to 22 and 34 GDPR. This is needed because, otherwise, it would be impossible for them to fully enjoy the different rights granted by those provisions.[9]

Example: A controller provider of a website does not have sufficient information about the functioning of software it uses because the manufacturer of this software does not disclose it. It will be difficult for the controller to fulfil its duty to inform the data subject. Consequently, in order to be transparent, it would have to refrain from using such software.[10]

Intelligibility

Information is “intelligible” when it is understandable by an average member of the intended audience. In some cases there may be multiple audiences that a controller addresses. Therefore, an accountable data controller must have an understanding of the people that it collects information about, which it should use to determine what they are likely to understand. For example, a controller dealing with professionals working in a specific area may rely on the fact that they understand the relevant professional terminology - while a controller that processes personal data of avarage consumers or even children would have to avoid any jargon.

EDPB: If controllers are uncertain about the level of intelligibility, they can test these through mechanisms such as, inter alia, user panels, readability testing, as well as formal and informal dialogue with industry groups, consumer advocacy groups and regulatory bodies (Article 35(9) GDPR).[11]

Easily accessible form

The "easily accessible" element implies that the data subject should not have to actively search for the information. It should be readily visible and clear to them where and how they can access the information. This can be achieved through various means, such as providing the information directly to them, linking to it, clearly indicating its location, or providing it as an answer to a natural language question. Examples of how this can be implemented include online layered privacy statements/notices, FAQs, contextual pop-ups that activate when a data subject fills in an online form, or interactive digital interfaces like chat-bots.

EDPB: For apps, the necessary information should also be made available from an online store prior to download. Once the app is installed, the information still needs to be easily accessible from within the app. One way to meet this requirement is to ensure that the information is never more than “two taps away” (e.g. by including a “Privacy”/ “Data Protection” option in the menu functionality of the app). Additionally, the privacy information in question should be specific to the particular app and should not merely be the generic privacy policy of the company that owns the app or makes it available to the public.[12]

Easy access to information also plays a major role whenever physically impaired people (e.g. blind or hearing-impaired people) are concerned. From this perspective, alongside with more traditional formats, the controller must be able to use alternative means of communication which suit the data subject's specific needs.

Clear and plain language

The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures.[13] Text that may be understandable for lawyers, may not be understandable for average users with limited language skills or limited education. For most languages, guidelines exist on how to simplify legal language. Cloudy wording, that tries to camouflage the processing, or aims at marketing purposes rather than at providing a plain explanation, would violate this provision. The information should be concrete as well as definitive, and should neither be phrased in abstract or ambivalent terms, nor leave room for diverging interpretations. In particular, the purposes of and legal basis for processing the personal data should be clear.[14]

Example: A controller uses the term “To allow you a better experience, we may share some information with our partners”, when in fact the data is sold to a specific data broker for the purpose of advertisement. This would not be a “clear and plain” explanation of the intended processing.

Common misunderstanding: Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should be avoided. Equally, open-ended lists, usually stating with wording like “such as” are not clear and plain. Where data controllers opt to use vague language, they should be able to, in accordance with the principle of accountability, demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.[15]

This requirement also affects the language used for the communication. Whilst the GDPR does not expressly regulate the matter, it is clear that the level of intelligibility of information is directly linked to the user’s capacity of understanding a certain language as a native or non-native speaker. Controllers that know that a relevant part of their data subjects do not speak the dominant language in a country and also offer products in different languages, may need to provide the relevant information in these languages too.

EDPB: Where the information is translated into one or more other languages, the data controller should ensure that all the translations are accurate and that the phraseology and syntax makes sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted. (A translation in one or more other languages should be provided where the controller targets data subjects speaking those languages.)[16]

In writing or by other means

Under Article 12(1) GDPR, information “shall be provided in writing, or by other means, including, where appropriate, by electronic means.” Written form is therefore the default option. However, in addition to the written form, other means can be used, and that includes electronic writing, cartoons, info-graphics, non-verbal methods and oral information.

In writing

This is the typical written format used to imprint a specific message on paper for later reading.

Electronic means

In addition to the traditional written form on paper, the GDPR allows for providing information in electronic form. The use of the disjunctive phrase "or", followed by the expression "where appropriate", suggests that the written form may be abandoned in certain circumstances, and that the controller has some discretion in this regard.[17]

In case of online activities, the WP29 suggested the implementation of layered privacy statements which allow website visitors to navigate to particular aspects of the relevant privacy statement that are of most interest to them. The use of a layered approach is nonetheless not the only available option. Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts.[18]

Other means

Other [not necessarily electronic] means” might include cartoons, info-graphics or flowcharts.[19] The method chosen by controllers must fit the particular circumstances. For example, if a certain device does not have a screen, controllers can provide a printed privacy statement inside the device package or redirect the data subject to the URL website address where the privacy notice can be found.[20]

Oral information

Finally, the GDPR also empowers data subjects to request to be provided orally. For example, controllers may provide audio information by means of a dedicated hotline. Controllers "may" do so, but only under two conditions: (i) the data subject must request oral information or communication and (ii) the controller must have otherwise verified the data subject’s identity.[21] The second requirement, (ii), only refers to cases where data subject's authentication is necessary. Consequently, it applies when a data subject exercises one of their GDPR rights (Articles 15 - 22) or when a communication of personal data breach is needed under Article 34 GDPR.

Example: A data subject requests clarification on the results of some medical exams from their clinic. The staff member at the clinic should verify the identity of the caller through appropriate checks. For example, by asking them to provide a pre-agreed secret phrase, or by waiting for the caller to verify their identity through their account.

Practical issues

In practice, deciding what is appropriate to satisfy both the preciseness and the clarity requirement will not always be easy. As a matter of fact, there are intrinsical points of attrition between preciseness and clarity, as the former usually pushes in the direction of more complexity, whereas the latter requires a certain degree of simplification.[22] In certain circumstances, for instance, a given processing may not be easy to explain, especially where a considerable amount of data is processed and numerous actors are involved in the processing chain. In such cases, finding the appropriate measure will not always be straightforward. However, the complexity of the processing is not a justification for reducing the transparency standards imposed by the Regulation.

EDPB: The [controller's] assessment should aim at choosing the most appropriate method for providing all information covered by this right, depending on the specific circumstances in each case. As a consequence, a controller who processes a vast amount of data on a large scale must accept to undertake great efforts to ensure the right of access to the data subjects in a concise, transparent, intelligible and easily accessible form, by using plain and clear language.[23]

(2) Obligation to facilitate the exercise of rights

Under Article 12(2), first sentence, GDPR the controller must facilitate the data subject in the exercise of their GDPR rights under Articles 15 to 22 GDPR.

Shall facilitate

The term "facilitate" implies a proactive approach by the controller who must take any action to ease the exercise of GDPR rights.[24] The Regulation does not define the notion of “facilitation”, but warns that “modalities" should be provided.[25] These “modalities” should cover the whole range of activities a controller undertakes to fully address a GDPR right request. In particular, controllers must demonstrate that "the way to handle the request aims to give the broadest effect to the right [...] and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR)."[26]

Among the others, data subjects should be allowed to reach the controller “in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)”.[27] Once the request is received, the controller should be able to handle it internally as efficiently as possible, and ensure the request be handled by the appropriate department. Moreover, data subject authentication should be free of unnecessary burdens. The method used for authentication should be "relevant, appropriate, proportionate and respect the data minimisation principle."[28]

The data subject can choose the format in which it wants to send any request to the controller, as long as it is a common format (such as emails, postal letters, phone calls, PDFs and alike) and it is not sent to a clearly irrelevant contact point.

Any subsequent interaction with the data subject must once again be marked by the principle of fairness and must not result in unnecessary "ping-pongs" whose only goal is to prevent the data subject from obtaining a full and timely response.[29]

Impossible identification

The final part of Article 12(2) GDPR states that the controller shall not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. However, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, prevents the controller from adopting obstructive tactics relating to alleged "difficulties of identification" unless these actually exist. All attempts to verify the identity of a data subject which require excessive efforts by the latter (while adding nothing in terms of security) become inadmissible - and do not constitute "facilitation".

Example: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.[30]

(3) Time limit and form of the response

Under Article 12(3) GDPR, the controller must inform the data subject about the "action taken" following receipt of a request under Articles 15 to 22 GDPR.

Information on action taken

Depending on the specific request, the required "action" will consist of retrieving, arranging and disclosing personal data (for instance, the copy of data under Article 15(3) GDPR). In others, the action takes place within the controller's IT systems (data rectification and deletion, under Articles 16 and 17 GDPR). In any case, controllers shall provide the data subject with information about the action taken, therefore a response is always necessary.

Without undue delay, but no longer than one month

This must happen as soon as possible ("without undue delay") and in any event within one month. This means that if a controller can reasonably take action within a day or week, it cannot wait for a full month to act. It is a matter of the individual case if a controller acted “without undue delay”. While acute staffing shortage, the need to consult external legal council and alike can mean that an action takes longer than a couple of days, only stating to act when the one month deadline approaches would violate the law.

The EDPB confirms that the period in question should be calculated according to Regulation (UE) 1182/71. The deadline for data subject's request starts upon receipt of the application. Receipt occurs when the request comes within the controller's sphere of influence and can be noted, such as through digital storage or placement in the controller's mailbox.[31]

Example: An organisation receives a request on 5 March. If they can respond within a couple of business days, they must do so. The maximum time limit of one month starts from the same day. This gives the organisation an ultimate deadline until and including 5 April to comply with the request, at the latest.[32]

Deadline may be extended

The one-month deadline may be extended by two months "where necessary". The necessity should be evaluated in relation to the complexity and number of requests. The wording implies that such requirements must exist at the same time. A typical example would be unexpected waives of requests after a data breach or other event that lead unusual numbers of data subjects to contact a controller.[33] Either way, when a controller is unable to comply with the one-month deadline, it must inform the data subject of the reasons for the delay within one month of receiving the request.

Corresponding means

The final sentence of Article 12(3) GDPR specifies that where the data subject makes the request by electronic means, and unless otherwise requested by them, the information shall be provided in a commonly used electronic form - "where possible". In other words, answering by electronic means is not an absolute obligation for the controller. Nevertheless, Recital 63 GDPR expressly indicates that - again where possible - the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to their personal data. This is clearly intended to encourage controllers to facilitate the exercise of access rights via so-called “Download Tools” and alike.

On the other hand, the wording "unless otherwise requested by them" makes clear that the default option for the form of the response - commonly used electronic form - can be changed if the data subject explicitly asks for another format. For example, the data subject can ask for a paper letter even if they made the request by electronic means.

(4) Failure to act on the request

If a controller does not act on the data subject's request, it must explain why this is the case as soon as possible, and at the latest within one month of receiving the request. It must also tell the data subject about their right to lodge a complaint with a supervisory authority or to seek a judicial remedy.

These are obviously cases in which one or more of the prerequisites of the GDPR or the right exercised do not exist, or there are other grounds for exclusion of the right. To give a few examples, the controller may reject the request if he considers that no personal data is being processed, thus failing to apply the GDPR in its entirety (Article 4(1) and (2) GDPR). Or if the request is 'manifestly unfounded or excessive' (Article 12(5) GDPR). Again, the controller may reject a request for access, or a part thereof, in order to defend "the rights and freedoms of others" (Article 15(4) GDPR) or, a request for deletion, on the basis of one of the cases provided for in Article 17(3) GDPR.

In such circumstances, the communication must convey "the reasons for not taking action". It is therefore necessary to at least indicate the legal title on which the rejection. Based on the above-mentioned examples, Articles 4(1), 12(5), 15(4) or 17(3) GDPR.

(5) Free of charge

Under Article 12(5) GDPR, controllers may generally not charge data subjects for the provision of information under Articles 13 and 14 GDPR, or for communications and actions taken under Articles 15-22 GDPR (data subject rights) and Article 34 GDPR (communication of personal data breaches to data subjects). The principle of transparency requires that the provision of such information is not made conditional upon a financial transaction. There are exceptions to this rule, which should nonetheless be interpreted narrowly to avoid undermining the principle of transparency and gratuity of the request.[34] For instance, if the request is manifestly unfounded or excessive, controllers may either charge a reasonable fee or refuse to act on the request. In these cases, controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Article 12(5), third sentence, GDPR). Hence, controllers should maintain a proper documentation of the underlying facts.

Manifestly unfounded

A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore obviously unfounded.[35] For example, if an unauthorised person wants to assert the rights of a data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.[36]

Excessive requests

There is no definition of the term “excessive” in the GDPR. On the one hand, the wording “in particular because of their repetitive character” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject uses the free rights under the GDPR to bombard the controller with requests. On the other hand, the qualifier “in particular” indicates that other reasons that might cause excessiveness are not excluded a priori.[37]

A data subject may nonetheless submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive”.[38] That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.[39]

Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.[40]

(a) Reasonable fee

If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even it was provided for in the contract terms. Controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.[41]

(b) Refuse to act

Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. For both of the aforementioned exceptions to the no-fee rule, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

The relationship between these two options is not clarified by the GDPR. The wording of Article 12/5) GDPR seems to suggest that the controller has a free choice between the two alternatives. Nonetheless, it has been pointed out that a refusal to act can violate the good faith principle to the extent that the data subject offers to pay a reasonable fee.[42]

(6) Verifying the data subject

Controllers often reject data subjects’ requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. If the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21 GDPR, additional information may be requested to verify their identity. However, this cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.

EDPB: For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose. However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.

In the context of online services, the data subject can be authenticated, inter alia, by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.[43] Further information about this can be found in the commentary under Article 11 GDPR.

(7) Standardised icons

Information can also be provided visually, using certain kind of tools (e.g. icons, certification mechanisms, and data protection seals and marks). However, the use of icons should not replace the information needed by data subjects to enforce their rights, nor should they be used as a substitute to compliance with the controller’s obligations under Articles 13 and 14 GDPR. Instead, they could constitute an acceptable first layer of information. For example, an icon representing a lock might be used to signal that data is safely collected or encrypted. Whilst it is one of the EDPB’s tasks under Article 70(1)(r) GDPR to provide the Commission with an opinion on the icons, it has not yet published such a document.

The provision therefore has no practical relevance at this time.

(8) Code of icons

The Commission has the power to determine the information to be displayed by icons as well as the procedures for providing standardised icons. Its competence does not include the binding establishment of specific icons. Per Recital 166 GDPR, the process of developing a code of icons should involve the carrying out of consultations, and research on the efficacy of icons. Article 12(8) GDPR does not expressly specify whose responsibility it is to conduct such research, meaning standardised icons could come from either the Commission or standard-setting organisations.

Decisions

→ You can find all related decisions in Category:Article 12 GDPR

References

  1. Under Article 12(1), controllers must provide any information to the data subject. The verb "provide" makes it clear that the controller must take every step necessary to provide that information. In other words, the data subject need not make any special effort to "seek" the information to which it is entitled. On the contrary, the controller will provide data subjects with direct links to the information, or clearly signpost information as an answer to a natural language question (e.g. in an online layered privacy statement, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, in an interactive digital context through a chatbot interface, etc.). See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 8 (available here).
  2. Considered together, these provisions list all communication and information obligations the controller owes to the data subject.
  3. A "measure" is any method, internal process, policy or technical tool used by the controller during its processing operations. Within this wide category, the "measures" falling under the scope of Article 12(1) are just those whose goal is to provide the data subject with information and communications under Articles 13, 14, 15 to 22 and 34 GDPR. Hence, the "measures" under Article 12(1) form a stricter group than those mentioned, among the others, in Article 24 GDPR. In the latter case, measures concerned are all those used to ensure general compliance with the Regulation as a whole (and not only Articles 13-22, 34).
  4. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 11 (C.H. Beck 2020, 3rd Edition).
  5. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 12 (C.H. Beck 2018, 2nd Edition).
  6. In an online context, the use of a layered privacy statement/notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues. See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 7 (available here).
  7. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 19 (available here).
  8. Recitals 39 and 58 GDPR require that information must not only be clear, but also “easy to understand”. Along these lines, the CJEU criticised the behaviour of a controller "in the absence of any indications confirming that that clause was actually read and digested". See, CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).
  9. This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can only serve their purpose when supported by clear information as well as proportionate and effective procedures. Polčák, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020). See, Polčák, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020).
  10. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).
  11. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 7 (available here).
  12. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 37-38 (available here).
  13. Best practices for clear communication should be followed regardless whether information is written, delivered orally, or by audio/audio-visual methods (including for vision-impaired data subjects).
  14. Recital 39: "The principle of transparency [...] concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed".
  15. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 9 (available here).
  16. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 8 (available here).
  17. Quaas, in BeckOK Datenschutzrecht, Article 12 GDPR, margin number 27 (C.H. Beck 2020, 43rd Edition).
  18. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 11-12 (available here).
  19. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available here).
  20. WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 12 (available here).
  21. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 22 (C.H. Beck 2019).
  22. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 12 (C.H. Beck 2020, 3rd Edition).
  23. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 40.
  24. Paal, Hennemann, in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).
  25. This includes “mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object” (Recital 59).
  26. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available here).
  27. The WP29 also points out that, “[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided”. WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available here).
  28. If the controller imposes measures aimed at identifying "the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR)." See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 25 (available here).
  29. EDPB: It is important to underline that the request for specification shall not aim at a limitation of the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller of course has to provide it in full.
  30. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available here).
  31. While formal acknowledgment of a data subject's request under the General Data Protection Regulation (GDPR) may not be required, it is advisable for data subjects to be able to demonstrate that the controller has received their request. The GDPR encourages the exercise of data subject rights, so the burden of proof is not considered burdensome. For example, an email saved in the sent folder could serve as evidence of the request. In cases where requests are sent via ordinary mail, it may be beneficial to obtain proof of receipt, such as a letter with an acknowledgment of receipt, to demonstrate that the request was indeed received by the controller.
  32. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available here).
  33. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 33 (C.H. Beck 2018, 2nd Edition).
  34. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available here).
  35. In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 51 (available here).
  36. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (C.H. Beck, 2nd Edition 2018).
  37. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available here).
  38. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available here).
  39. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available here, p. 54).
  40. Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available here).
  41. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), pp. 56-57 (available here).
  42. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 39 (C.H. Beck 2020, 3rd Edition).
  43. According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available here).