https://gdprhub.eu/index.php?title=Article_12_GDPR&feed=atom&action=historyArticle 12 GDPR - Revision history2024-03-28T15:45:41ZRevision history for this page on the wikiMediaWiki 1.39.6https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40178&oldid=prev10.90.129.3: /* (5) Free of charge */2024-03-04T08:37:41Z<p><span dir="auto"><span class="autocomment">(5) Free of charge</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:37, 4 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l363">Line 363:</td>
<td colspan="2" class="diff-lineno">Line 363:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A controller may reject the request if he considers that no personal data is being processed, thus failing to apply the GDPR in its entirety, if it finds that the request is "''manifestly unfounded or excessive''" under Article 12(5) GDPR or because it takes the view that it is not the relevant controller. In any case, the entity that receives a request, must provide at least a negative response.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A controller may reject the request if he considers that no personal data is being processed, thus failing to apply the GDPR in its entirety, if it finds that the request is "''manifestly unfounded or excessive''" under Article 12(5) GDPR or because it takes the view that it is not the relevant controller. In any case, the entity that receives a request, must provide at least a negative response.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>===(5) Free of charge===</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>===(5) Free of charge <ins style="font-weight: bold; text-decoration: none;">and manifestly unfounded or excessive requests</ins>===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Under Article 12(</del>5<del style="font-weight: bold; text-decoration: none;">) GDPR, controllers may </del>generally <del style="font-weight: bold; text-decoration: none;">not charge data subjects for </del>the <del style="font-weight: bold; text-decoration: none;">provision </del>of <del style="font-weight: bold; text-decoration: none;">information under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]], or for communications and actions taken under [[Article 15 GDPR|Articles 15]] to [[Article 22 GDPR|22 GDPR]] (</del>data subject rights<del style="font-weight: bold; text-decoration: none;">) and [[Article 34 GDPR]] (communication </del>of <del style="font-weight: bold; text-decoration: none;">personal data breaches to data subjects). The principle </del>of <del style="font-weight: bold; text-decoration: none;">transparency requires that the provision </del>of <del style="font-weight: bold; text-decoration: none;">such information is available to everyone</del>. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Paragraph </ins>5 generally <ins style="font-weight: bold; text-decoration: none;">ensures that </ins>the <ins style="font-weight: bold; text-decoration: none;">exercise </ins>of data subject rights <ins style="font-weight: bold; text-decoration: none;">is free </ins>of <ins style="font-weight: bold; text-decoration: none;">charge, but also allows exceptions for extreme cases </ins>of <ins style="font-weight: bold; text-decoration: none;">abuse </ins>of <ins style="font-weight: bold; text-decoration: none;">these rights</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>There are exceptions to <del style="font-weight: bold; text-decoration: none;">this </del>rule, which should nonetheless be interpreted narrowly to avoid undermining the principle of transparency and gratuity of the request.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> For instance, if the request is manifestly unfounded or excessive, controllers may either charge a reasonable fee or refuse to act on the request. In these cases, controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Article 12(5), third sentence, GDPR). Hence, controllers should maintain a proper documentation of the underlying facts. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">'''Free of charge''' </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Under Article 12(5) GDPR, controllers may generally not charge data subjects for the provision of information under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]], or for communications and actions taken under [[Article 15 GDPR|Articles 15]] to [[Article 22 GDPR|22 GDPR]] (data subject rights) and [[Article 34 GDPR]] (communication of personal data breaches to data subjects). The principle of transparency requires that the provision of such information is available to everyone. At the same time the costs of a data subject for making a request are usually not recoverable.<ref>See ''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 35 (C.H. Beck 2020, 3rd Edition). However, there may be options to recover pre-litigation costs under the national procedural laws in certain jurisdictions (e.g. when a lawyer was needed to enforce a right under the GDPR against the controller). The GDPR stays silent on such reimbursement.</ref> </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>There are exceptions to <ins style="font-weight: bold; text-decoration: none;">the </ins>rule <ins style="font-weight: bold; text-decoration: none;">that the exercise of rights is free of charge</ins>, which should nonetheless be interpreted narrowly to avoid undermining the principle of transparency and gratuity of the request.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> For instance, if the request is manifestly unfounded or excessive, controllers may either charge a reasonable fee or refuse to act on the request. In these cases, controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Article 12(5), third sentence, GDPR). Hence, controllers should maintain a proper documentation of the underlying facts. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Manifestly unfounded ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Manifestly unfounded ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore obviously unfounded.<ref>In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 51 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> For example, if an unauthorised person wants to assert the rights of a data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (C.H. Beck, 2nd Edition 2018).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore obviously unfounded.<ref>In its Guidelines on access requests, the EDPB emphasises that “there is only very limited scope for relying on the «manifestly unfounded» alternative of Art. 12(5) in terms of requests for the right of access”. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 51 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> For example, if an unauthorised person wants to assert the rights of a data subject, or when an individual requests the erasure of their personal data vis-à-vis a controller who has not stored any data concerning them.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 12 GDPR, margin number 43 (C.H. Beck, 2nd Edition 2018).</ref> <ins style="font-weight: bold; text-decoration: none;">The understanding is that the request must be made with abusive intent.<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 36 and 37 (C.H. Beck 2020, 3rd Edition).</ref> Merely making a broad request or a request that is not covered by the GDPR, because a data subject does not understand the details of the rights under the GDPR is not "''manifestly unfounded''" but may just be a misunderstand that requires a negative response under Article 12(4) GDPR.</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Manifestly excessive ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Manifestly excessive ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>There is no definition of the term “''manifestly'' ... ''excessive''” in the GDPR. <del style="font-weight: bold; text-decoration: none;">On the one hand, </del>the <del style="font-weight: bold; text-decoration: none;">wording </del>“''in particular because of their repetitive character''” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject uses the free rights under the GDPR to consistently bombard the controller with requests. On the other hand, the qualifier “''in particular”'' indicates that other reasons that might cause excessiveness are not excluded ''a priori''.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>There is no definition of the term “''manifestly'' ... ''excessive''” in the GDPR. <ins style="font-weight: bold; text-decoration: none;">The example in </ins>the <ins style="font-weight: bold; text-decoration: none;">law </ins>“''in particular because of their repetitive character''” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject uses the free rights under the GDPR to consistently bombard the controller with requests. On the other hand, the qualifier “''in particular”'' indicates that other reasons that might cause excessiveness are not excluded ''a priori''.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 53 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> <ins style="font-weight: bold; text-decoration: none;">Again, the request must be manifestly excessive<ref>XXX FOOTNOTE FOR MANIFESTLY COVERING BOTH XXX</ref> and does not include misunderstandings on behalf of the data subject.</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A data subject may nonetheless submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “''The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive''”.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here], p. 54).</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A data subject may nonetheless submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “''The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive''”.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 54 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here], p. 54).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.<ref>Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.<ref>Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> <ins style="font-weight: bold; text-decoration: none;">In other words: A controller cannot charge a fee when a user changes his or her email too often in a self-service tool or downloads his information from a tool regularly.</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The mere scope of a request is not ''per se'' "excessive", even if a data subject request access to all personal data a controller holds under [[Article 15 GDPR]]. It cannot be held against a data subject if a controller holds massive amounts of personal data on the data subject, nor can a controller rely on the fact that its IT infrastructure is scattered or complex. In an effort to facilitate the quick and accurate response to a request, the controller may ask the data subject if the request concerns only subsets of the processing operation, but if the data subject insists on a broad scope of the request, the controller must comply with the request.<ref>XXXX EDPB GUIDELINES XXXX</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The mere scope of a request is not ''per se'' "excessive", even if a data subject request access to all personal data a controller holds under [[Article 15 GDPR]]. It cannot be held against a data subject if a controller holds massive amounts of personal data on the data subject, nor can a controller rely on the fact that its IT infrastructure is scattered or complex. In an effort to facilitate the quick and accurate response to a request, the controller may ask the data subject if the request concerns only subsets of the processing operation, but if the data subject insists on a broad scope of the request, the controller must comply with the request.<ref>XXXX EDPB GUIDELINES XXXX</ref></div></td></tr>
</table>10.90.129.3https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40168&oldid=prevMs: /* (3) Time limit and form of the response */2024-03-03T23:00:56Z<p><span dir="auto"><span class="autocomment">(3) Time limit and form of the response</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40168&oldid=40167">Show changes</a>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40167&oldid=prevMs: /* Authentication and identification of personal data */2024-03-03T21:57:23Z<p><span dir="auto"><span class="autocomment">Authentication and identification of personal data</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 21:57, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l386">Line 386:</td>
<td colspan="2" class="diff-lineno">Line 386:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(6) Authentication of the data subject===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(6) Authentication of the data subject===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==== Authentication <del style="font-weight: bold; text-decoration: none;">and </del>identification <del style="font-weight: bold; text-decoration: none;">of personal data </del>====</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==== Authentication <ins style="font-weight: bold; text-decoration: none;">versus </ins>identification ====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Contrary to problems identifying the personal data that is subject to a request described in [[Article 11 GDPR]] and Article 12(2) GDPR, Article 12(6) concerns issues of authentication. This means, that while the relevant personal data can be found, the controller may have "''reasonable doubts concerning the identity of the natural person making the request''" and if the person requesting the information is the actual data subject. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Contrary to problems identifying the personal data that is subject to a request described in [[Article 11 GDPR]] and Article 12(2) GDPR, Article 12(6) concerns issues of authentication. This means, that while the relevant personal data can be found, the controller may have "''reasonable doubts concerning the identity of the natural person making the request''" and if the person requesting the information is the actual data subject. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l393">Line 393:</td>
<td colspan="2" class="diff-lineno">Line 393:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== No option to reject a request ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== No option to reject a request ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Other than Article 11 and 12(2) GDPR, when personal data is simply not identifiable, the lack of authentication does not allow to reject a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]]. Instead, the controller must request additional information that allows the authentication. Article 12(6) does not foresee that a controller is unable to authenticate a data subject.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Other than Article 11 and 12(2) GDPR, when personal data is simply not identifiable, the lack of authentication does not allow to reject a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]]. Instead, the controller must request additional information that allows the authentication. Article 12(6) <ins style="font-weight: bold; text-decoration: none;">GDPR </ins>does not foresee that a controller is unable to authenticate a data subject.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Request limited to necessary information ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Request limited to necessary information ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>However, <del style="font-weight: bold; text-decoration: none;">this </del>cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested. The method used for authentication should be "''relevant, appropriate, proportionate and respect the data minimisation principle''."<ref>If the controller imposes measures aimed at identifying "''the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR)."'' See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> <del style="font-weight: bold; text-decoration: none;"> </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>However, <ins style="font-weight: bold; text-decoration: none;">the requirement to authenticate data subjects </ins>cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested. The method used for authentication should be "''relevant, appropriate, proportionate and respect the data minimisation principle''."<ref>If the controller imposes measures aimed at identifying "''the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR)."'' See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The limitation to request only necessary information also means </del>that <del style="font-weight: bold; text-decoration: none;">the controller cannot insist on a specific </del>form of <del style="font-weight: bold; text-decoration: none;">authentication</del>, <del style="font-weight: bold; text-decoration: none;">if a data subject provides other </del>information <del style="font-weight: bold; text-decoration: none;">that ensures sufficient authentication (for example</del>, <del style="font-weight: bold; text-decoration: none;">because only the data subject would likely </del>have <del style="font-weight: bold; text-decoration: none;">such information)</del>. <del style="font-weight: bold; text-decoration: none;"> </del><blockquote></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"><u>Common Mistake:</u> It is common </ins>that <ins style="font-weight: bold; text-decoration: none;">controllers just require some </ins>form of <ins style="font-weight: bold; text-decoration: none;">government issued identification or proof of address</ins>, <ins style="font-weight: bold; text-decoration: none;">even when the controller has no </ins>information <ins style="font-weight: bold; text-decoration: none;">to match this against. In some countries</ins>, <ins style="font-weight: bold; text-decoration: none;">residents are not required to </ins>have <ins style="font-weight: bold; text-decoration: none;">a government ID. Some form of proof of identity or addresses may also not be common in certain jurisdictions</ins>.<blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>EDPB</u>: For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose. However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 2.0, paragraph 61.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>EDPB</u>: For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose. However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 2.0, paragraph 61.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div></ref> </blockquote>In the context of online services, the data subject can be authenticated, ''inter alia'', by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.<ref>According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <del style="font-weight: bold; text-decoration: none;">Further information about this can be found in the commentary under Article 11 GDPR. </del> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></ref> </blockquote>In the context of online services, the data subject can be authenticated, ''inter alia'', by sending a secret code, <ins style="font-weight: bold; text-decoration: none;">answering questions that only the data subject knows, have a user log in to a platform, send </ins>a link containing a unique token to their email address, or any other contact method used for the registration.<ref>According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> <del style="font-weight: bold; text-decoration: none;"> </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Determination of the means for authentication ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The limitation to request only "''necessary''" information also means that the controller cannot insist on a specific form of authentication, if a data subject provides other information that ensures sufficient authentication. It is therefore for the data subject to provide (any) "''necessary''" information, while the controller has a duty to facilitate (see Article 12(1) GDPR) the exercise and may suggest certain, easy forms of authentication. </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(7) Standardised icons===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(7) Standardised icons===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Whilst </del>it is <del style="font-weight: bold; text-decoration: none;">one of </del>the <del style="font-weight: bold; text-decoration: none;">EDPB’s tasks </del>under Article <del style="font-weight: bold; text-decoration: none;">70</del>(<del style="font-weight: bold; text-decoration: none;">1</del>)(<del style="font-weight: bold; text-decoration: none;">r</del>) <del style="font-weight: bold; text-decoration: none;">GDPR </del>to <del style="font-weight: bold; text-decoration: none;">provide </del>the <del style="font-weight: bold; text-decoration: none;">Commission </del>with <del style="font-weight: bold; text-decoration: none;">an opinion on </del>the icons, <del style="font-weight: bold; text-decoration: none;">it has not yet published such a document</del>. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">During the negotiations on the GDPR, some Members of the European Parliament have proposed to use icons to communicate privacy information. However, the foreseen icons did not make </ins>it <ins style="font-weight: bold; text-decoration: none;">into the final text of the GDPR - instead there </ins>is <ins style="font-weight: bold; text-decoration: none;">now an option for </ins>the <ins style="font-weight: bold; text-decoration: none;">European Commission to issue a delegated act </ins>under Article <ins style="font-weight: bold; text-decoration: none;">12</ins>(<ins style="font-weight: bold; text-decoration: none;">8</ins>) <ins style="font-weight: bold; text-decoration: none;">GDPR to define such icons. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">So far the European Commission has not used this power and there are no known plans to issue such an implementing decision. Even if such a Commission Decision would be issued, using these icons is optional </ins>(<ins style="font-weight: bold; text-decoration: none;">"''may''"</ins>)<ins style="font-weight: bold; text-decoration: none;">. Therefore the provision therefore has no practical relevance and must be considered </ins>to <ins style="font-weight: bold; text-decoration: none;">be dead law. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">If implemented, information would be provided visually, using symbols. The originally proposed symbols partly concerned </ins>the <ins style="font-weight: bold; text-decoration: none;">compliance </ins>with <ins style="font-weight: bold; text-decoration: none;">minimum standards under the GDPR and would have had very little benefit for data subjects, as any controller would have to carry </ins>the <ins style="font-weight: bold; text-decoration: none;">same symbols. It seems that </ins>icons <ins style="font-weight: bold; text-decoration: none;">and symbols would be more relevant when it comes to optional elements (e.g. use of personal data for advertisement</ins>, <ins style="font-weight: bold; text-decoration: none;">sharing of personal data or transfer of personal data outside of the EEA and alike)</ins>. <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Information can also be provided visually, using certain kind of tools (e.g. icons, certification mechanisms, and data protection seals and marks). However</del>, the use of icons should not replace the information needed by data subjects to enforce their rights, nor should they be used as a substitute to compliance with the controller’s obligations under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]]. Instead, they could constitute an acceptable first layer of information. For example, an icon representing a lock might be used to signal that data is safely collected or encrypted. <del style="font-weight: bold; text-decoration: none;"> </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">In any case</ins>, the use of icons should not replace the information needed by data subjects to enforce their rights, nor should they be used as a substitute to compliance with the controller’s obligations under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]]. Instead, they could constitute an acceptable first layer of information. For example, an icon representing a lock might be used to signal that data is safely collected or encrypted. <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">provision therefore has no practical relevance at this time</del>. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins style="font-weight: bold; text-decoration: none;">use of icons would also trigger the need to make them machine readable</ins>. <ins style="font-weight: bold; text-decoration: none;">Similar to the idea that the right to object may be exercised automatically in [[Article 21 GDPR|Article 21(5) GDPR]], the result of compromises during the negotiations led to a situation where the law lacks any path towards making these ideas operational. </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(8) Code of icons===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(8) Code of icons===</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40166:rev-40167 -->
</table>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40166&oldid=prevMs: /* (6) Verifying the data subject */2024-03-03T21:30:05Z<p><span dir="auto"><span class="autocomment">(6) Verifying the data subject</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 21:30, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l384">Line 384:</td>
<td colspan="2" class="diff-lineno">Line 384:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The relationship between these two options is not clarified by the GDPR. The wording of Article 12/5) GDPR seems to suggest that the controller has a free choice between the two alternatives. Nonetheless, it has been pointed out that a refusal to act can violate the good faith principle to the extent that the data subject offers to pay a reasonable fee.<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 39 (C.H. Beck 2020, 3rd Edition).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The relationship between these two options is not clarified by the GDPR. The wording of Article 12/5) GDPR seems to suggest that the controller has a free choice between the two alternatives. Nonetheless, it has been pointed out that a refusal to act can violate the good faith principle to the extent that the data subject offers to pay a reasonable fee.<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 12, margin number 39 (C.H. Beck 2020, 3rd Edition).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>===(6) <del style="font-weight: bold; text-decoration: none;">Verifying </del>the data subject===</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>===(6) <ins style="font-weight: bold; text-decoration: none;">Authentication of </ins>the data subject===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Controllers often reject data subjects’ requests because of alleged problems in identifying them and the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. If the controller has reasonable doubts concerning the identity of a natural person making a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]], additional information may be requested to verify their identity. However, this cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested. <blockquote></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"><u>EDPB</u>: For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose. However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X. </blockquote>In the context of online services, the data subject can be authenticated, ''inter alia'', by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.<ref>According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> Further information about this can be found in the commentary under Article 11 GDPR. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The method used for authentication should be "''relevant, appropriate, proportionate and respect the data minimisation principle''."<ref>If the controller imposes measures aimed at identifying "''the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR)."'' See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Authentication and identification of personal data ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Contrary to problems identifying the personal data that is subject to a request described in [[Article 11 GDPR]] and Article 12(2) GDPR, Article 12(6) concerns issues of authentication. This means, that while the relevant personal data can be found, the controller may have "''reasonable doubts concerning the identity of the natural person making the request''" and if the person requesting the information is the actual data subject. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Requirement to authenticate the person making the request ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Proper authentication of the person requesting the information is crucial, given the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. Not establishing a proper system for authentication would usually constitute a violation of various provisions of the GDPR, such as [[Article 5 GDPR|Articles 5(1)(f)]] or [[Article 32 GDPR|32]]. If the controller has reasonable doubts concerning the identity of a natural person making a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]], additional information must therefore be requested to verify their identity. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== No option to reject a request ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Other than Article 11 and 12(2) GDPR, when personal data is simply not identifiable, the lack of authentication does not allow to reject a request under [[Article 15 GDPR|Articles 15]] to [[Article 21 GDPR|21 GDPR]]. Instead, the controller must request additional information that allows the authentication. Article 12(6) does not foresee that a controller is unable to authenticate a data subject.</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Request limited to necessary information ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">However, this cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested. </ins>The method used for authentication should be "''relevant, appropriate, proportionate and respect the data minimisation principle''."<ref>If the controller imposes measures aimed at identifying "''the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR)."'' See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The limitation to request only necessary information also means that the controller cannot insist on a specific form of authentication, if a data subject provides other information that ensures sufficient authentication (for example, because only the data subject would likely have such information). <blockquote></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"><u>EDPB</u>: For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose. However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 2.0, paragraph 61.</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ref> </blockquote>In the context of online services, the data subject can be authenticated, ''inter alia'', by sending a secret code, a link containing a unique token to their email address, or any other contact method used for the registration.<ref>According to the WP29’s guidelines on the right to data portability, as endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller, the latter must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR. See, WP29 ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p.14 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> Further information about this can be found in the commentary under Article 11 GDPR. </ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40126:rev-40166 -->
</table>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40126&oldid=prevMs: /* Manifestly unfounded */2024-03-03T12:47:31Z<p><span dir="auto"><span class="autocomment">Manifestly unfounded</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:47, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l374">Line 374:</td>
<td colspan="2" class="diff-lineno">Line 374:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.<ref>Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.<ref>Importantly, and once again, especially for what concerns access requests, the simple fact that it would take the controller a vast amount of time and effort to provide the information cannot on its own render the request excessive. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 55 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">=</del>==== (a) Reasonable fee <del style="font-weight: bold; text-decoration: none;">=</del>====</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==== (a) Reasonable fee ====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even it was provided for in the contract terms. Controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), pp. 56-57 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. Consequently, provided the request is not manifestly unfounded or repetitive, the controller cannot charge a fee even it was provided for in the contract terms. Controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), pp. 56-57 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">=</del>==== (b) Refuse to act <del style="font-weight: bold; text-decoration: none;">=</del>====</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==== (b) Refuse to act ====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. For both of the aforementioned exceptions to the no-fee rule, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. For both of the aforementioned exceptions to the no-fee rule, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40125:rev-40126 -->
</table>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40125&oldid=prevMs: /* Identification of personal data impossible */2024-03-03T12:46:38Z<p><span dir="auto"><span class="autocomment">Identification of personal data impossible</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:46, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l333">Line 333:</td>
<td colspan="2" class="diff-lineno">Line 333:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The situation described under [[Article 11 GDPR|Article 11(2) GDPR]] and Article 12(2) second sentence, concerns situations were the personal data that relates to a data subject cannot be identified, for example because it got anonymised or aggregated to an extent that it does not form personal data anymore. In other words: the personal data cannot be found or clearly linked to the data subject anymore. This is to be differentiated from a mere lack of authentication, which means that the personal data can be identified, but the controller has questions if the person making the request is the actual data subject. Matters of authentication are dealt with in Article 12(6) GDPR. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The situation described under [[Article 11 GDPR|Article 11(2) GDPR]] and Article 12(2) second sentence, concerns situations were the personal data that relates to a data subject cannot be identified, for example because it got anonymised or aggregated to an extent that it does not form personal data anymore. In other words: the personal data cannot be found or clearly linked to the data subject anymore. This is to be differentiated from a mere lack of authentication, which means that the personal data can be identified, but the controller has questions if the person making the request is the actual data subject. Matters of authentication are dealt with in Article 12(6) GDPR. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The final part </del>of Article 12(2) GDPR states that the controller <del style="font-weight: bold; text-decoration: none;">shall </del>not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. <del style="font-weight: bold; text-decoration: none;">However</del>, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, creates a burden of proof and thereby seeks to prevent obstructive tactics relating to alleged "''difficulties of identification''" unless these actually exist. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">It is unclear why Article 12(2) GDPR refers to [[Article 15 GDPR|Articles 15]] to [[Article 22 GDPR|22 GDPR]], while [[Article 11 GDPR|Article 11(2) GDPR]] only refers to Articles [[Article 15 GDPR|Articles 15]] to [[Article 20 GDPR|20 GDPR]] - excluding [[Article 21 GDPR|Articles 21]] and [[Article 22 GDPR|22 GDPR]]. While it is likely a mistake in the drafting process and [[Article 21 GDPR|Articles 21]] and [[Article 22 GDPR|22 GDPR]] are also meant, some argue that the rights </ins>of <ins style="font-weight: bold; text-decoration: none;">the controller to refuse request are more limited under [[Article 21 GDPR|Articles 21]] and [[Article 22 GDPR|22 GDPR]].<ref>''Hansen'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 11 GDPR, margin number 34 (C.H. Beck 2019), citing that e.g. an "opt-out cookie" could be used to object without the need to identify the person.</ref> </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">In relation to cases under Article 11 GDPR, </ins>Article 12(2) GDPR states that the controller <ins style="font-weight: bold; text-decoration: none;">may </ins>not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. <ins style="font-weight: bold; text-decoration: none;">Obviously</ins>, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, creates a burden of proof and thereby seeks to prevent obstructive tactics relating to alleged "''difficulties of identification''" unless these actually exist. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(3) Time limit and form of the response===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(3) Time limit and form of the response===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Under Article 12(3) GDPR, the controller must inform the data subject about the "''action taken''" following receipt of a request under [[Article 15 GDPR|Articles 15]] to [[Article 22 GDPR|22 GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Under Article 12(3) GDPR, the controller must inform the data subject about the "''action taken''" following receipt of a request under [[Article 15 GDPR|Articles 15]] to [[Article 22 GDPR|22 GDPR]]. </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40124:rev-40125 -->
</table>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40124&oldid=prevMs: /* Shall facilitate the exercise of rights */2024-03-03T12:27:12Z<p><span dir="auto"><span class="autocomment">Shall facilitate the exercise of rights</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40124&oldid=40123">Show changes</a>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40123&oldid=prevMs: /* (2) Facilitation of the exercise of rights and identification */2024-03-03T11:38:46Z<p><span dir="auto"><span class="autocomment">(2) Facilitation of the exercise of rights and identification</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 11:38, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l323">Line 323:</td>
<td colspan="2" class="diff-lineno">Line 323:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Shall facilitate the exercise of rights ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Shall facilitate the exercise of rights ====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The term "''facilitate''" codifies a proactive <del style="font-weight: bold; text-decoration: none;">approach </del>by the controller who must take any reasonable action to ease the exercise of GDPR rights.<ref>''Paal, Hennemann'', in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).</ref> The Regulation does not define the notion of “''facilitation''”, but warns that “''modalities"'' should be provided''.''<ref>This includes “''mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object''” (Recital 59). </ref> These “''modalities''” should cover the whole range of activities a controller undertakes to fully address a GDPR right request. In particular, controllers must demonstrate that "''the way to handle the request aims to give the broadest effect to the right'' [...] ''and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR).''"<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-data-subject-rights-right_en here]).</ref> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The term "''facilitate''" codifies a proactive <ins style="font-weight: bold; text-decoration: none;">duty </ins>by the controller who must take any reasonable action to ease the exercise of GDPR rights.<ref>''Paal, Hennemann'', in Paal, Pauly, DS-GVO BDSG, Article 12 GDPR, margin number 45 (C.H. Beck 2021, 3rd ed.).</ref> The Regulation does not define the notion of “''facilitation''”, but warns that “''modalities"'' should be provided''.''<ref>This includes “''mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object''” (Recital 59). </ref> These “''modalities''” should cover the whole range of activities a controller undertakes to fully address a GDPR right request. In particular, controllers must demonstrate that "''the way to handle the request aims to give the broadest effect to the right'' [...] ''and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR).''"<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-data-subject-rights-right_en here]).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Among </del>the <del style="font-weight: bold; text-decoration: none;">others</del>, data subjects should be allowed to reach the controller “''in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)''”.<ref>The WP29 also points out that, “''[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided''”. WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available [https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 here]).</ref> <del style="font-weight: bold; text-decoration: none;">Once the request </del>is <del style="font-weight: bold; text-decoration: none;">received, the controller should be able </del>to <del style="font-weight: bold; text-decoration: none;">handle it internally as efficiently as possible, and ensure </del>the <del style="font-weight: bold; text-decoration: none;">request be handled by the appropriate department. Moreover, data subject authentication should be free </del>of <del style="font-weight: bold; text-decoration: none;">unnecessary burdens. The method used for authentication should be </del>"''<del style="font-weight: bold; text-decoration: none;">relevant, appropriate, proportionate and respect the data minimisation principle</del>''<del style="font-weight: bold; text-decoration: none;">.</del>"<del style="font-weight: bold; text-decoration: none;"><ref>If the controller imposes measures aimed at identifying </del>"''<del style="font-weight: bold; text-decoration: none;">the </del>data subject which <del style="font-weight: bold; text-decoration: none;">are burdensome, </del>it <del style="font-weight: bold; text-decoration: none;">needs </del>to <del style="font-weight: bold; text-decoration: none;">adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation </del>to <del style="font-weight: bold; text-decoration: none;">facilitate </del>the <del style="font-weight: bold; text-decoration: none;">exercise of data subjects’ rights </del>(<del style="font-weight: bold; text-decoration: none;">Art. 12(2) GDPR)."'' See</del>, <del style="font-weight: bold; text-decoration: none;">EDPB</del>, <del style="font-weight: bold; text-decoration: none;">‘Guidelines 01/2022 on data subject rights - Right of access’</del>, <del style="font-weight: bold; text-decoration: none;">18 January 2022 (Version 1.0), p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]</del>).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Controllers that embrace this duty see the exercise of rights as a feature of their product or service. Controllers may use existing capacities and knowledge in the area user interface (UI) and user experience (UX) design to "''facilitate''" data subjects to exercise their rights as seamlessly as placing an order. Common approaches include a dedicated email address for GDPR requests, online forms or in-line options to delete, correct or download information for the data subject. While there is an overlap with other business functions (like self-service portals to update personal details in a profile) is crucial that these tools fully implement the rights of data subjects, or that limitations are clearly communicated, if they are marketed as a GDPR tool.<blockquote><u>Example:</u> A controller implements a "privacy tool" for users to edit and delete certain information or get a copy of their data - this facilitates the exercise of rights. However, if data subjects are forced to use this tool and </ins>the <ins style="font-weight: bold; text-decoration: none;">controller does not allow to exercise their rights by other means, this does not facilitate the exercise of rights for data subjects that are unable to use these tools. Furthermore, if the "privacy tool" does not provide a full copy of all data under Article 15(3) and lacks information under Article 15(1) GDPR, it may actually be deceptive to refer data subjects to this tool when they seek to exercise their rights under Article 15 GDPR. It may however be fair to refer to the "privacy tool" to change a wrong name or address</ins>, <ins style="font-weight: bold; text-decoration: none;">if this can be done there and this is the sole request be the </ins>data <ins style="font-weight: bold; text-decoration: none;">subject.</blockquote>Data </ins>subjects should be allowed to reach the controller “''in an easy way (a postal address, a dedicated telephone number, and a dedicated e-mail address)''”.<ref>The WP29 also points out that, “''[w]hen appropriate, for purposes of communications with the public, other means of communications could also be provided''”. WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available [https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 here]).</ref> <ins style="font-weight: bold; text-decoration: none;">This duty </ins>is <ins style="font-weight: bold; text-decoration: none;">very similar </ins>to the <ins style="font-weight: bold; text-decoration: none;">existing requirement </ins>of <ins style="font-weight: bold; text-decoration: none;">any service provider to provide an email address that allows to communicate </ins>"''<ins style="font-weight: bold; text-decoration: none;">rapidly</ins>''" <ins style="font-weight: bold; text-decoration: none;">and </ins>"''<ins style="font-weight: bold; text-decoration: none;">efficiently''" under Article 5(1)(c) eCommerce Directive 2000/31/EC. The </ins>data subject <ins style="font-weight: bold; text-decoration: none;">can choose the format in </ins>which it <ins style="font-weight: bold; text-decoration: none;">wants </ins>to <ins style="font-weight: bold; text-decoration: none;">send any request </ins>to the <ins style="font-weight: bold; text-decoration: none;">controller, as long as it is a common format </ins>(<ins style="font-weight: bold; text-decoration: none;">such as emails</ins>, <ins style="font-weight: bold; text-decoration: none;">postal letters</ins>, <ins style="font-weight: bold; text-decoration: none;">phone calls</ins>, <ins style="font-weight: bold; text-decoration: none;">PDFs and alike</ins>) <ins style="font-weight: bold; text-decoration: none;">and it is not sent to a clearly irrelevant contact point</ins>.<ins style="font-weight: bold; text-decoration: none;"><ref>XXX MISSING XXX</ins></ref> <ins style="font-weight: bold; text-decoration: none;">Controllers may not limit communication to certain formats or forms, unless this is factually required.</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The </del>data subject <del style="font-weight: bold; text-decoration: none;">can choose </del>the <del style="font-weight: bold; text-decoration: none;">format </del>in <del style="font-weight: bold; text-decoration: none;">which it wants </del>to <del style="font-weight: bold; text-decoration: none;">send any </del>request to the controller, <del style="font-weight: bold; text-decoration: none;">as long as </del>it <del style="font-weight: bold; text-decoration: none;">is a common format </del>(<del style="font-weight: bold; text-decoration: none;">such as emails</del>, <del style="font-weight: bold; text-decoration: none;">postal letters</del>, <del style="font-weight: bold; text-decoration: none;">phone calls</del>, <del style="font-weight: bold; text-decoration: none;">PDFs and alike</del>) <del style="font-weight: bold; text-decoration: none;">and it is not sent to a clearly irrelevant contact point</del>. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Once the request is received, the controller should be able to handle it internally as efficiently as possible, and ensure the request be handled by the appropriate department. Any subsequent interaction with the </ins>data subject <ins style="font-weight: bold; text-decoration: none;">must once again be marked by </ins>the <ins style="font-weight: bold; text-decoration: none;">principle of fairness and must not result </ins>in <ins style="font-weight: bold; text-decoration: none;">delay tactics, rephrasing of the request and alike. At the same time, the facilitation of the exercise of rights may include asking back about the exact wishes of the data subject or requesting more information </ins>to <ins style="font-weight: bold; text-decoration: none;">fully comply with the </ins>request<ins style="font-weight: bold; text-decoration: none;">, for example when a controller processes various data in multiple systems or additional information allows the controller </ins>to <ins style="font-weight: bold; text-decoration: none;">comply quicker or more targeted.<ref>XXX FOOTNOTE NEEDED XXX</ref></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==== Impossible identification ====</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The method used for authentication should be "''relevant, appropriate, proportionate and respect the data minimisation principle''."<ref>If </ins>the controller <ins style="font-weight: bold; text-decoration: none;">imposes measures aimed at identifying "''the data subject which are burdensome</ins>, it <ins style="font-weight: bold; text-decoration: none;">needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12</ins>(<ins style="font-weight: bold; text-decoration: none;">2) GDPR)."'' See, EDPB</ins>, <ins style="font-weight: bold; text-decoration: none;">‘Guidelines 01/2022 on data subject rights - Right of access’</ins>, <ins style="font-weight: bold; text-decoration: none;">18 January 2022 (Version 1.0)</ins>, <ins style="font-weight: bold; text-decoration: none;">p. 25 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]</ins>).<ins style="font-weight: bold; text-decoration: none;"></ref> </ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Any subsequent interaction with the data subject must once again be marked by the principle of fairness and must not result in unnecessary "ping-pongs" whose only goal is to prevent the data subject from obtaining a full and timely response.<ref>EDPB: It is important to underline that the request for specification shall not aim at a limitation of the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller of course has to provide it in full.</ref> </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">==== Impossible identification ====</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The final part of Article 12(2) GDPR states that the controller shall not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. However, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, prevents the controller from adopting obstructive tactics relating to alleged "''difficulties of identification''" unless these actually exist. All attempts to verify the identity of a data subject which require excessive efforts by the latter (while adding nothing in terms of security) become inadmissible - and do not constitute "facilitation". <blockquote><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></blockquote></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The final part of Article 12(2) GDPR states that the controller shall not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. However, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, prevents the controller from adopting obstructive tactics relating to alleged "''difficulties of identification''" unless these actually exist. All attempts to verify the identity of a data subject which require excessive efforts by the latter (while adding nothing in terms of security) become inadmissible - and do not constitute "facilitation". <blockquote><u>Example</u>: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 26 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref></blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40122:rev-40123 -->
</table>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40122&oldid=prevMs: /* Passive communication initiated by the data subject */2024-03-03T10:59:00Z<p><span dir="auto"><span class="autocomment">Passive communication initiated by the data subject</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:59, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l271">Line 271:</td>
<td colspan="2" class="diff-lineno">Line 271:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>From a factual perspective, controllers that know that a relevant part of their data subjects do not speak the dominant language in a country and also offer products in different languages, may need to provide the relevant information in these languages too. Given that the right to data protection is a fundamental right, the duty to provide intelligible information is neither limited to EU citizens or residents, nor official EU languages.<ref>We are not convinced by ''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 15 (C.H. Beck 2019), which seems to limit information to the official EU languages (which would e.g. exclude large minority language groups like Catalan speakers).</ref> The situation may also require translation of documents to non-EU languages. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>From a factual perspective, controllers that know that a relevant part of their data subjects do not speak the dominant language in a country and also offer products in different languages, may need to provide the relevant information in these languages too. Given that the right to data protection is a fundamental right, the duty to provide intelligible information is neither limited to EU citizens or residents, nor official EU languages.<ref>We are not convinced by ''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 12 GDPR, margin number 15 (C.H. Beck 2019), which seems to limit information to the official EU languages (which would e.g. exclude large minority language groups like Catalan speakers).</ref> The situation may also require translation of documents to non-EU languages. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The GDPR does not clearly limit the efforts that a controller has to take when it comes to translations, but it must take "''appropriate''" measures to provide the information to everyone. If the data subjects are not known, a minimum would be to provide information in all languages that the service of the controller is offered in. At the same time, it does not seem "''appropriate''" to demand that any possible data subject must get a translation. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The GDPR does not clearly limit the efforts that a controller has to take when it comes to translations, but it must take "''appropriate''" measures to provide the information to everyone. If the data subjects are not known, a minimum would be to provide information in all languages that the service of the controller is offered in <ins style="font-weight: bold; text-decoration: none;">or the official languages of all the markets served.<ref name=":0">''Dix'', in Spiecker gen.Döhmann, Papakonstantinou, Hornung, De Hert, Article 12 GDPR, margin number 11 (Beck, Hart, Nomos, 2023)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref> </ins>At the same time, it does not seem "''appropriate''" to demand that any possible data subject must get a translation <ins style="font-weight: bold; text-decoration: none;">to their mother tongue</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A German company mainly employs persons from former Yugoslavia. Most employees only speak a couple of words of German. The employer <del style="font-weight: bold; text-decoration: none;">should </del>provide information under Article 13 GDPR in Serbo-Croatian, if this ensures that all employees understand the notice. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A German company mainly employs persons from former Yugoslavia. Most employees only speak a couple of words of German. The employer <ins style="font-weight: bold; text-decoration: none;">could </ins>provide information under Article 13 GDPR in Serbo-Croatian, if this ensures that all employees understand the notice. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A hotel in Venice must not provide a privacy policy in all possible languages of any possible tourist, but it would be "''appropriate''" to provide it in common international languages like English, French or Spanish. It may also <del style="font-weight: bold; text-decoration: none;">consider </del>the language of the most common visitors, which may be Chinese for <del style="font-weight: bold; text-decoration: none;">a </del>hotel focusing on the Chinese market. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A hotel in Venice must not provide a privacy policy in all possible languages of any possible tourist, but it would be "''appropriate''" to provide it in common international languages like English, French or Spanish. It may also <ins style="font-weight: bold; text-decoration: none;">be "''appropriate''" to provide </ins>the language of the most common visitors, which may be Chinese for <ins style="font-weight: bold; text-decoration: none;">an Italian </ins>hotel focusing on the Chinese market. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Providing information that is "''intelligible''" also means that translations must be accurate and understandable. A mere auto-translation may not be sufficient for a complex privacy policy. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Providing information that is "''intelligible''" also means that translations must be accurate and understandable. A mere auto-translation may not be sufficient for a complex privacy policy. </div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l282">Line 282:</td>
<td colspan="2" class="diff-lineno">Line 282:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>====== Passive communication initiated by the data subject ======</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>====== Passive communication initiated by the data subject ======</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>If a data subject exercises his or her rights under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]] in another language than used by the controller, the controller must respond in the relevant language if the data subject objectively does not understand the communication or information in the provided language. The requirement is that the communication must be "''intelligible''" for the data subject. If a data subject merely feels that it would be more convenient to communicate in his or her mother tongue, but understands the language provided by the controller, the information is still "intelligible". For unfounded or excessive request, see also paragraph 5 below.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>If a data subject exercises his or her rights under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]] in another language than used by the controller, the controller must respond in the relevant language if the data subject objectively does not understand the communication or information in the provided language.<ins style="font-weight: bold; text-decoration: none;"><ref name=":0" /> </ins>The requirement is that the communication must be "''intelligible''" for the data subject. If a data subject merely feels that it would be more convenient to communicate in his or her mother tongue, but understands the language provided by the controller, the information is still "intelligible". For unfounded or excessive request, see also paragraph 5 below.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=====Clear and plain language=====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=====Clear and plain language=====</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40121:rev-40122 -->
</table>Mshttps://gdprhub.eu/index.php?title=Article_12_GDPR&diff=40121&oldid=prevMs: /* Transparency */2024-03-03T10:54:11Z<p><span dir="auto"><span class="autocomment">Transparency</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:54, 3 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l212">Line 212:</td>
<td colspan="2" class="diff-lineno">Line 212:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Commentary==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Commentary==</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Criticism of lengthy, hardly comprehensible privacy policies, confusing online forms and controllers that cannot be easily reached is omnipresent. Article 12 GDPR is meant to take care of these issues and ensure frank and transparent information, as well as the efficient exercise of the data subject’s rights. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Criticism of lengthy, hardly comprehensible privacy policies, confusing online forms and controllers that cannot be easily reached is omnipresent. Article 12 GDPR is meant to take care of these issues and ensure frank and transparent information, as well as the efficient exercise of the data subject’s rights<ins style="font-weight: bold; text-decoration: none;">. Transparency and efficient communication is a prerequisite to exercise the rights under the GDPR, but the lack of clear information and efficient response to the exercise of rights ir more often than not one of the main stumbling blocks for data subjects in practice</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 12 GDPR requires similar standards than other EU law, such as the Unfair Terms Directive 93/13/EEC that limits the use of unclear, unfair or disadvantageous contractual terms or the requirement of any service provider to provide an email address to communicate 'rapidly' and 'efficiently' under Article 5(1)(c) eCommerce Directive 2000/31/EC. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 12 GDPR requires similar standards than other EU law, such as the Unfair Terms Directive 93/13/EEC that limits the use of unclear, unfair or disadvantageous contractual terms or the requirement of any service provider to provide an email address to communicate 'rapidly' and 'efficiently' under Article 5(1)(c) eCommerce Directive 2000/31/EC. </div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l252">Line 252:</td>
<td colspan="2" class="diff-lineno">Line 252:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== Transparency =====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===== Transparency =====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In the context of Article 12 GDPR, the main goal of transparency is the accurate and fair understanding<ref>Recitals 39 and 58 GDPR require that information must not only be clear, but also “''easy to understand''”. Along these lines, the CJEU criticised the behaviour of a controller "''in the absence of any indications confirming that that clause was actually read and digested''". See, CJEU, C‑61/19, ''Orange România'', 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=435D246D36987631CF7ECEEE183201DF?text=&docid=233544&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5720138 here]).</ref> of the information and communication provided to the data subjects under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]]. This is needed because, otherwise, it would be impossible for them to fully enjoy the different rights granted by those provisions.<ref>This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can only serve their purpose when supported by clear information as well as proportionate and effective procedures. ''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020). See, ''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020).</ref> Transparency requires a fair and honest communication of the processing operation. Withholding of hiding information is the antithesis of "''transparent''" information. <del style="font-weight: bold; text-decoration: none;">Not having the relevant information</del>, <del style="font-weight: bold; text-decoration: none;">is not an excuse to not provide it to the data subject</del>, <del style="font-weight: bold; text-decoration: none;">but requires further research</del>. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In the context of Article 12 GDPR, the main goal of transparency is the accurate and fair understanding<ref>Recitals 39 and 58 GDPR require that information must not only be clear, but also “''easy to understand''”. Along these lines, the CJEU criticised the behaviour of a controller "''in the absence of any indications confirming that that clause was actually read and digested''". See, CJEU, C‑61/19, ''Orange România'', 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=435D246D36987631CF7ECEEE183201DF?text=&docid=233544&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5720138 here]).</ref> of the information and communication provided to the data subjects under [[Article 13 GDPR|Articles 13]], [[Article 14 GDPR|14]], [[Article 15 GDPR|15]] to [[Article 22 GDPR|22]] and [[Article 34 GDPR|34 GDPR]]. This is needed because, otherwise, it would be impossible for them to fully enjoy the different rights granted by those provisions.<ref>This provision reflects the German doctrine of informational self-determination, according to which substantive rights of data subjects can only serve their purpose when supported by clear information as well as proportionate and effective procedures. ''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020). See, ''Polčák'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 12 GDPR, pp. 401-402 (Oxford University Press 2020).</ref> Transparency requires a fair and honest communication of the processing operation. Withholding of hiding information is the antithesis of "''transparent''" information. <ins style="font-weight: bold; text-decoration: none;">The use of "dark patterns" or other forms of deceptive user interface design violated Article 12(1) GDPR.<ref>''Dix'', in Spiecker gen.Döhmann, Papakonstantinou, Hornung, De Hert, Article 12 GDPR, margin number 9 (Beck, Hart</ins>, <ins style="font-weight: bold; text-decoration: none;">Nomos</ins>, <ins style="font-weight: bold; text-decoration: none;">2023)</ins>.<ins style="font-weight: bold; text-decoration: none;"></ref> </ins> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example</u>: A controller uses the term “''To allow you a better experience, we may share some information with our partners''”, when in fact the data is sold to a specific data broker for the purpose of advertisement. This would not be a “''transparent''” explanation of the intended processing. A data subject may easily exercise a right to erasure against a known recipient, but is not able to exercise his or her rights when only informed about undisclosed "''partners''". </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example</u>: A controller uses the term “''To allow you a better experience, we may share some information with our partners''”, when in fact the data is sold to a specific data broker for the purpose of advertisement. This would not be a “''transparent''” explanation of the intended processing. A data subject may easily exercise a right to erasure against a known recipient, but is not able to exercise his or her rights when only informed about undisclosed "''partners''". </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40120:rev-40121 -->
</table>Ms