Article 12 GDPR

← Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Relevant Recitals

Commentary

This provision opens Chapter III of the GPDR titled "Rights of the data subject". As the name suggest, this chapter provides for rights of data subjects. While some rights have to be exercised by the data subject in order to oblige the controller to take action, some of the rights rights need to be complied with by the controller without a prior request by the data subject, like the initial information under Article 13 and 14 GDPR or the prohibition of automated individual decision-making in Article 22 GDPR. However, with Article 12 GDPR Chapter III starts with general rules regarding transparency and modalities in connection with data subjects rights.

Criticism of lengthy, hardly comprehensible privacy policies, confusing online forms and controllers that cannot be easily reached is omnipresent. Article 12 GDPR is meant to take care of these issues and ensure frank and transparent information, as well as the efficient exercise of the data subject’s rights. Transparency and efficient communication is a prerequisite to exercise the rights under the GDPR, but the lack of clear information and efficient response to the exercise of rights is more often than not one of the main stumbling blocks for data subjects in practice.

Article 12 GDPR requires similar standards to other EU law, such as the Unfair Terms Directive 93/13/EEC that limits the use of unclear, unfair or disadvantageous contractual terms or the requirement of any service provider to provide an email address to communicate 'rapidly' and 'efficiently' under Article 5(1)(c) eCommerce Directive 2000/31/EC.

To ensure that the rights of data subjects are not undermined, Article 12 regulates clarity and accessibility standards regarding communications with the data subject. The provisions of Article 12 largely apply to Articles 13, 14, 15 to 22 and 34 GDPR and thereby form horizontal rules, that must always be kept in mind when these Articles are applied. This horizontal application also means that Article 12 GDPR covers situations where the controller must actively provide information (such as under Articles 13, 14, or 34 GDPR) as well as situations where the controller must be able to respond to requests or the exercise of rights by the data subject quickly and efficiently.

Not all horizontal rules in Article 12 GDPR have a corresponding material requirement in Articles 13, 14, 15 to 22 and 34 GDPR. The horizontal rules do not always fit the named Articles. Therefore, Article 12 GDPR must be read in conjunction with the context and purpose of the relevant Article and only applies where there is a corresponding aim in an Article.^[1]

For example: While any information must be "concise" it does not mean that a copy of personal data under Article 15(3) GDPR should not be fully provided, but it does mean that a privacy policy under Article 13 GDPR should not be too long.

Article 12 GDPR may be limited by Union or national Law in accordance with Article 23 GDPR.

EDPB Guidelines: For this Article, see the following Guidelines:

• WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018 (available here); and
• EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1) (available here).

(1) Clear and transparent communication

Article 12(1) GDPR requires controllers to take appropriate measures to provide any information under Articles 13 and 14 GDPR and any communication under Articles 15 to 22 and 34 GDPR in a manner that is concise, transparent, intelligible and easily accessible, using clear and plain language. The provision further provides for rather vague rules regarding the medium the controller should use when providing information to data subjects; specifically, the information should be provided in writing, or by other means, which can include electronic means or even oral means if this is requested by the data subject and the data subject's identity is authenticated.

Therefore, the first part of this provision can be understood as setting out two main requirements. Firstly, the content must be presented in a precise way to provide a clear picture of the information. Secondly, the manner in which the information is presented must be easily understandable to the data subject without requiring excessive cognitive effort or time.^[2]

The second part or the provision deals with the form in the sense of the medium that should be used by the controller when communicating with the data subject, establishing more specific rules on when information can be provided to the data subject orally.^[3]

Covered information / communication

This provision covers, on the one hand, the initial information of the data subjects under Article 13 and 14 GDPR. On the other hand, it covers any communication with the data subject under Articles 15 to 22 GDPR (i.e. data subjects rights) and the communication in connection with the notification of a personal data breach in accordance with Article 34 GDPR.

Appropriate measures

Complying with the requirements of Article 12(1) GDPR may be challenging. For example, deciding what is appropriate to satisfy both the preciseness and the clarity requirement in a privacy information will not always be an obvious choice. As a matter of fact, there may even be conflicts between preciseness and clarity of the information, as the former usually pushes in the direction of more complexity, whereas the latter requires a certain degree of simplification.^[4] In certain circumstances, for instance, a given processing may not be easy to explain, especially where a considerable amount of data is processed and numerous actors are involved in the processing chain.

The wording of Article 12(1) GDPR allows the controller some leeway to pick an appropriate measure.^[5] This may be simple texts in standard situations and a very elaborate system in complex situations. Drafting information that is short and concise is not easy, especially when it comes to complex data processing. Complying with Article 12(1) GDPR requires substantial effort, skill and innovative thinking.

For example: A small business may just have a box with a sign saying "drop your business card here to get updates via email" and some additional small print to satisfy Article 12(2) GDPR. A controller of a complex processing system may need to draft a detailed privacy policy, explainer videos for complex issues, multiple layers of information to ensure "appropriate" information.

Importantly, the complexity of processing is not a justification for reducing the transparency standards. Complex processing operations will usually require more effort to make transparency efforts appropriate in relation to the interference with the rights of a data subject.

"[T]he [controller's] assessment should aim at choosing the most appropriate method for providing all information covered by this right, depending on the specific circumstances in each case. As a consequence, a controller who processes a vast amount of data on a large scale must accept to undertake great efforts to ensure the right of access to the data subjects in a concise, transparent, intelligible and easily accessible form, by using plain and clear language."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 129 regarding transparency measures in connection to the right of access.

Article 12 GDPR does not allow to limit the rights of data subjects due to the complexity of a controller's system. If it is not possible to process personal data while also complying with the transparency obligations under Article 12 GDPR, then the system can simply not be used to process personal data legally.

3.1.1. Requirements for transparent information and communication

Article 12(1) GDPR establishes transparency obligations regarding the information of and communication with data subjects. In particular, the information and communication should be provided to data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

Concise

Information about the processing must be presented concisely. This is intended to prevent controllers from providing an overly lengthy or convoluted description of the processing activity, as data subjects usually will not read multiple pages of the text. Thus, controllers have a positive obligation to prevent data subjects from experiencing information overload.^[6] There are many linguistic approaches to achieve concise information, without loosing content.

In the area of privacy policies, the use of layered privacy statements is a common approach to present the most relevant section to the data subject rather than providing them with an unconscionable notice.

"In an online context, the use of a layered privacy statement/ notice will enable a data subject to navigate to the particular

section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues."

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 8.

A layered approach may however not be used to hide the more problematic processing in a lower layer. The most relevant information or any unexpected processing should be easily available.

"This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use. In an online context, the use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues."

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 8.

Transparent

In the context of Article 12 GDPR, the main goal of transparency is the accurate and fair understanding of the information and communication provided to the data subjects under Articles 13, 14, 15 to 22 and 34 GDPR.^[7] This is necessary because, otherwise, it would be impossible for data subjects to fully grasp the processing of their personal data, evaluate the lawfulness of such processing and enjoy the different rights granted by those provisions.^[8] Transparency requires a fair and honest communication of the processing operation. Withholding or hiding information is the antithesis of transparent information. The same is true of deceptive information.

For example: A controller uses the term “To allow you a better experience, we may share some information with our partners”, when in fact the data is sold to a specific data broker for the purpose of advertisement. This would not be a “transparent” explanation of the intended processing. A data subject may easily exercise their right to erasure against a known recipient, but is not able to exercise his or her rights when only informed about undisclosed "partners".

In any way, data subjects should be able to determine the scope and consequences of a processing activity; this requirement is therefore closely related to the principle of transparency and fairness under Article 5(1)(a) GDPR.^[9]

Intelligible

Information is “intelligible” when it is understandable by a member of the intended audience. In some cases there may be multiple audiences that a controller addresses, including people with disabilities, different language skills or education. Therefore, a data controller must have an understanding of the people that it collects information about, which it should use to determine what they are likely to understand.^[10]

For example: A controller dealing with professionals working in a specific area may rely on the fact that they understand the relevant professional terminology. A controller that processes personal data of average consumers would have to avoid any jargon. A controller catering to audiences where a relevant number of data subjects do not speak the local language as the first language may need to use simplified language.

In many cases the intelligibility of a text can be objectively tested by asking members of the target audience if they understand the information. There is a growing movement towards simplified writing, which can provide relevant information to ensure understandable texts in each language. Intelligibility is also a relevant factor, when various formats are used, like videos, animations or "gamified" information, as such information may not be accessible to all data subjects, such as blind or elderly data subjects.

"The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience. Intelligibility is closely linked to the requirement to use clear and plain language. An accountable data controller will have knowledge about the people it collects information about and it can use this knowledge to determine what that audience would likely understand. For example, a controller collecting the personal data of working professionals can assume its audience has a higher level of understanding than a controller that obtains the personal data of children. If controllers are uncertain about the level of intelligibility and transparency of the information and effectiveness of user interfaces/notices/ policies etc., they can test these, for example, through mechanisms such as user panels, readability testing, formal and informal interactions and dialogue with industry groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst other things"

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 9.

Easily accessible form

The "easily accessible" element implies that the data subjects should not have to actively search for the information. It should be readily visible and clear to them where and how they can access the information. This can be achieved through various means, such as providing the information directly to them (e.g. in an attachment), linking to the resources on a website, or providing it as an answer to a natural language question. Examples of how this can be implemented include online layered privacy statement, FAQs, a reference to the information in the welcome message of a hotline, contextual pop-ups that activate when a data subject fills in an online form, or interactive digital interfaces like chat-bots.^[11]

"For apps, the necessary information should also be made available from an online store prior to download. Once the app is installed, the information still needs to be easily accessible from within the app. One way to meet this requirement is to ensure that the information is never more than “two taps away” (e.g. by including a “Privacy”/ “Data Protection” option in the menu functionality of the app). Additionally, the privacy information in question should be specific to the particular app and should not merely be the generic privacy policy of the company that owns the app or makes it available to the public."

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 11.

Easy access to information also plays a major role whenever physically impaired people (e.g. blind or hearing-impaired people) are concerned. From this perspective, alongside with more traditional formats, the controller must be able to use alternative means of communication which suit the data subject's specific needs.

Clear and plain language

The requirement for clear and plain language means that information should be provided in a manner as simple as possible, avoiding to downplay or 'reframe' processing operations, as well as complex sentence and language structures. Best practices for clear communication should be followed regardless whether information is written, delivered orally, or by audio/audio-visual methods (including for vision-impaired data subjects).^[12] Text that may be understandable for lawyers, compliance experts or technicians, may not be understandable for average users with limited language skills or limited education. If guidelines exist in a specific language on how to simplify legal language, these guidelines should be considered by the controller.

It is common that controller information is drafted in a careful manner in order to avoid taking a clear position. While there are surely reasons for this approach,^[13] the GDPR clearly requires to plainly say which processing is undertaken and what is not done. Cloudy wording that tries to camouflage the processing, or aims at marketing purposes rather than at providing a plain explanation, would violate this provision. The information should be concrete as well as definitive, and should neither be phrased in abstract or ambivalent terms, nor leave room for diverging interpretations.^[14]

Common mistake: Common qualifiers such as “may”, “might”, “some”, “often” and “possible” should be avoided. Equally, open-ended lists, usually stating with wording like “such as” are not clear and plain. Where data controllers opt to use vague language, they should be able to, in accordance with the principle of accountability, demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.^[15]

Information that suggests that processing goes further than in reality (overclaiming) also constitutes false and thereby unclear information. While such approaches are often used just to be sure that every processing operation is covered, overclaiming leads to a situation where the data subject cannot be sure that the statement is fully accurate. Overclaiming can also lead to inconsistencies between information provided ex-ante under Article 13 and 14 GDPR and information provided ex-post under Article 15 GDPR.

Information addressed to children

Article 12(1) highlights that the above requirements are especially relevant when information is addressed to children. In the larger context, this is just a specific situation where information must be provided in a form that is understandable for the relevant audience. Therefore, if a controller is aware that the targeted audience includes other vulnerable people, this should also be taken into account.^[16]

"Where a data controller is targeting children or is, or should be, aware that their goods/services are particularly utilised by children (including where the controller is relying on the consent of the child), it should ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children so that the child addressee of the information recognises that the message/ information is being directed at them."

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018 margin number 14.

Examples of child-centered language can be found in the UN Convention on the Rights of the Child in Child Friendly Language.^[17]

Use of languages

The requirement of "intelligibility" (see above) also affects the language used for the communication. Whilst the GDPR does not expressly regulate the use of languages, it is clear that the level of intelligibility of information is directly linked to the user’s capacity of understanding a certain language as a native or non-native speaker. This can be separated into information that must be actively provided by the controller and passive communication initiated by the data subject (such as the exercise of a right).

Active communication by the controller

From a factual perspective, controllers that know that a relevant part of their data subjects do not speak the dominant language in a country and also offer products in different languages, may need to provide the relevant information in these languages too. Given that the right to data protection is a fundamental right, the duty to provide intelligible information is neither limited to EU citizens or residents, nor official EU languages.^[18] The situation may also require translation of documents to non-EU languages.

The GDPR does not clearly limit the efforts that a controller has to take when it comes to translations, but it must take "appropriate" measures to provide the information to everyone. If the data subjects are not known, a minimum would be to provide information in all languages that the service of the controller is offered in or the official languages of all the markets served.^[19] At the same time, it does not seem "appropriate" to demand that any possible data subject must get a translation to their mother tongue.

For example: A German company mainly employs persons from former Yugoslavia. Most employees only speak a couple of words of German. The employer could provide information under Article 13 GDPR in Serbo-Croatian, if this ensures that all employees understand the notice.

For example: A hotel in Venice must not provide a privacy policy in all possible languages of any possible tourist, but it would be "appropriate" to provide it in common international languages like English, French or Spanish. It may also be "appropriate" to provide the language of the most common visitors, which may be Chinese for an Italian hotel focusing on the Chinese market.

Providing information that is "intelligible" also means that translations must be accurate and understandable. A mere auto-translation may not be sufficient for a complex privacy policy.

"Where the information is translated into one or more other languages, the data controller should ensure that all the translations are accurate and that the phraseology and syntax makes sense in the second language(s) so that the translated text does not have to be deciphered or re-interpreted. (A translation in one or more other languages should be provided where the controller targets data subjects speaking those languages.)"

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 13.

Passive communication initiated by the data subject

If a data subject exercises his or her rights under Articles 13, 14, 15 to 22 and 34 GDPR in another language than used by the controller, the controller must respond in the relevant language if the data subject objectively does not understand the communication or information in the provided language.^[19] The requirement is that the communication must be "intelligible" for the data subject. If a data subject merely feels that it would be more convenient to communicate in his or her mother tongue, but understands the language provided by the controller, the information is still "intelligible". For unfounded or excessive request, see also Article 12(5) GDPR below.

Form

Under Article 12(1) GDPR, information “shall be provided in writing, or by other means, including, where appropriate, by electronic means.” The written form is therefore the default option. However, in addition to the written form, other means can be used, and that includes electronic information, videos, graphics, non-verbal methods and oral information.

In writing

The most common form of providing relevant information is clearly in writing. In offline context this will usually be printed. There is no duty to provide the information in a format that can be kept by the data subject, it must only be "provided". It is also possible to provide information on a sign or similar formats.

Electronic means

In addition to the traditional written form, the GDPR allows for providing information in electronic form. The use of the disjunctive phrase "or", followed by the expression "where appropriate", suggests that the written form may be abandoned in certain circumstances, and that the controller has some discretion in this regard.^[20]

In case of online activities, the WP29 suggested the implementation of layered privacy statements which allow website visitors to navigate particular aspects of the relevant privacy statement that are of most interest to them. The use of a layered approach is nonetheless not the only available option. Other electronic means include “just-in-time” contextual pop-up notices in a form or flow, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement might also include videos and smartphone or IoT voice alerts.^[21]

Other means

“Other [not necessarily electronic] means” might include cartoons, info-graphics or flowcharts.^[22] The method chosen by controllers must fit the particular circumstances. For example, if a certain device does not have a screen, controllers can provide a printed privacy statement inside the device package or redirect the data subject to the URL website address or QR code where the privacy notice can be found.^[23] However, such means must be reasonably accessible to data subjects of all ages, ability and technical expertise.

In many cases, a combination of multiple means (e.g. a written policy and parallel graphics, videos or in-line information) will be best suited to ensure broad access and the best use of alternative forms of information.

Oral information

Finally, the GDPR also allows data subjects to request information to be provided orally. Controllers "may" do so under two conditions: (i) the data subject must request oral information or communication and (ii) the controller must have otherwise verified the data subject’s identity.^[24] The second requirement, only refers to cases where data subject's authentication is necessary. There is no duty by the controller to provide information orally.^[25]

For example: A data subject wants to know the results of a medical exam. The staff member at the clinic should verify the identity of the person. The information can then be provided orally.

(2) Facilitation of the exercise of rights and identification

Under Article 12(2) GDPR the controller must facilitate the data subject in the exercise of their GDPR rights under Articles 15 to 22 GDPR. At the same time, Article 12(2) provides for the option to refuse to act on the request of a data subject's right if a controller is unable to identify the data subject and can demonstrate this fact accordingly. Other than Article 12(1) these rules do not apply to the duty to provide information under Article 13 and 14 GDPR or the duty to communicate a data breach under Article 34 GDPR.

Shall facilitate the exercise of rights

The term "facilitate" codifies a proactive duty by the controller who must take any reasonable action to ease the exercise of GDPR rights under Articles 15 to 22 GDPR.^[26] The GDPR does not define the notion of “facilitation”, but mentions that modalities should be provided; e.g. Recital 59 GDPR expresses the need to implement modalities to facilitate the exercise of the data subjects' rights, including mechanisms to request and obtain access to and rectification or erasure of personal data and the exercise of the right to object. These modalities should cover the whole range of activities a controller undertakes to fully address a GDPR right request. In particular, controllers must demonstrate that they handle data subjects' requests in a way that facilitates their rights.^[27]

"[T]he controller should always be able to demonstrate, that the way to handle the request aims to give the broadest effect to the right of access and that it is in line with its obligation to facilitate the exercise of data subjects' rights (Art. 12(2) GDPR)."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 35.

In particular, a controller is not allowed to implement unnecessary burdens in the process of exercising data subjects' rights.^[28]

Data subjects should be able to reach the controller in an easy way (e.g. a postal address, a dedicated telephone number, and/or a dedicated e-mail address).^[29] This duty is very similar to the existing requirement of any service provider to provide an email address that allows to communicate "rapidly" and "efficiently" under Article 5(1)(c) eCommerce Directive 2000/31/EC.

It is important to stress the fact that the data subject can choose the format in which it wants to send any request to the controller, as long as it is a common format (such as emails, postal letters, phone calls, PDFs and alike) and it is not sent to a clearly irrelevant contact point.^[30] Controllers may not limit communication to certain formats or forms, unless this is factually required.

Controllers that embrace this duty see the exercise of rights as a feature of their product or service. Controllers may use existing capacities and knowledge in the area user interface (UI) and user experience (UX) design to "facilitate" data subjects to exercise their rights as seamlessly as placing an order. Common approaches include a dedicated email address for GDPR requests, online forms or in-line options to delete, correct or download information for the data subject. While there is an overlap with other business functions (like self-service portals to update personal details in a profile) it is crucial that these tools fully implement the rights of data subjects, or that limitations are clearly communicated, if they are marketed as a GDPR tool.

For example: A controller implements a "privacy tool" for users to edit and delete certain information or get a copy of their data - this facilitates the exercise of rights. However, if data subjects are forced to use this tool and the controller does not allow to exercise their rights by other means, this does not facilitate the exercise of rights for data subjects that are unable to use these tools. Furthermore, if the "privacy tool" does not provide a full copy of all data under Article 15(3) and lacks information under Article 15(1), it may actually be deceptive to refer data subjects to this tool when they seek to exercise their rights under Article 15 GDPR. It may however be fair to refer to the "privacy tool" to change a wrong name or address, if this can be done there and this is the sole request by the data subject.

Once the request is received, the controller should be able to handle it internally as efficiently as possible, and ensure the request is handled by the appropriate department. Any subsequent interaction with the data subject must once again be marked by the principle of fairness and must not result in delay tactics, rephrasing of the request and alike. At the same time, the facilitation of the exercise of rights may include asking back about the exact wishes of the data subject or requesting more information to fully comply with the request, for example when a controller processes various data in multiple systems or additional information allows the controller to comply quicker or more targeted.^[31]

Refusal to act if data subject cannot be identified

Article 12(2) GDPR stipulates that in case the controller is unable to identify the data subject, the controller must not refuse to act on the request of a data subject unless the controller demonstrates that it is not in a position to identify the data subject.

This provision makes reference to Article 11(2) GDPR which declares that Articles 15 to 20 are not applicable in case the controller cannot identify the data subject (i.e. match the person making a request with the processed personal data) unless the requesting person provides further additional information enabling their identification (see Commentary on Article 11 GDPR for further details).^[32] This situation has to be differentiated from a lack of authentication in case the controller has doubts whether the person making a request is indeed the person who's data is processed. Article 12(5) GDPR however, deals with the case of authentication.

In relation to cases under Article 11 GDPR, Article 12(2) GDPR states that the controller may not refuse to act on a request of the data subject to exercise their rights, unless it demonstrates that it is not in a position to identify him or her. It must be stressed, that in accordance with Article 11(2) GDPR, the controller has to inform the data subject accordingly. Obviously, the data subject can provide additional information enabling their identification (Article 11(2) GDPR). Controllers should inform the data subject of the nature of what is required to allow identification. This provision, creates a burden of proof and thereby seeks to prevent obstructive tactics relating to alleged difficulties of identification unless these actually exist.^[33]

It is unclear why Article 12(2) GDPR refers to Articles 15 to 22 GDPR, while Article 11(2) GDPR only refers to Articles 15 to 20 GDPR - excluding Articles 21 and 22 GDPR. While it is likely a mistake in the drafting process and Articles 21 and 22 GDPR are also meant, some argue that the rights of the controller to refuse request are more limited under Articles 21 and 22 GDPR.^[34]

(3) Time limit and form of the response

Under Article 12(3) GDPR, the controller must inform the data subject about the "action taken" following the receipt of a request under Articles 15 to 22 GDPR.

Information on action taken on data subject's request

The wording of the law only requires an information about the action taken, but logically this includes the duty to take that action within the relevant deadlines. Depending on the specific request, the required "action" will consist any steps to comply with the rights of the data subject under Articles 15 to 22 GDPR. Given that Article 12(4) also requires an information if no action is taken, there is no option to stay silent for the controller and simply ignore a request.^[35]

Without undue delay, in any event within one month

This must happen as soon as possible ("without undue delay") and in any event within one month. This means that if a controller can reasonably take action within a day or week, it cannot wait for a full month to act. It is a matter of the individual case if a controller acted “without undue delay”. While acute staffing shortage, the need to consult external legal council and alike can mean that an action takes longer than a couple of days, waiting with sending an already prepared answer or only starting to act when the one month deadline approaches would violate this provision.^[36]

Common mistake: It can often be read or heard that a controller has one month to respond to a request. This is incorrect, a controller must act as soon as possible. The period of one month is just a final deadline, to ensure that controllers cannot interpret "without undue delay" to mean more than one month.

Any period in the GDPR must be calculated according to Regulation (UE) 1182/71, which horizontally applies to all EU law. The deadline for data subject's request starts upon receipt of the application. Receipt occurs when the request comes within the controller's sphere of influence and can be noted, such as through digital storage or placement in the controller's mailbox.

For example: An organisation receives a request on 5 March. If they can respond within a couple of business days, they must do so. The maximum time limit of one month starts from the same day. This gives the organisation an ultimate deadline until and including 5 April to comply with the request, at the latest.^[37]

May be extended by two months

The one-month deadline may be extended by two months where necessary and if the controller intends to act on the request. The necessity should be evaluated in relation to the complexity and number of requests. The two factors have to be present (at least to some amount) cumulatively^[38] A typical example would be unexpected waives of requests after a data breach or other event that lead unusual numbers of data subjects to contact a controller or the need to engage large numbers of people to respond to a request.^[39] The extension is an exception and therefore is not available during normal operations of a controller or for normal requests that the controller is faced with on a regular basis. Reasons like a generally high number of request or insufficient staff do not allow for an extension since the controller is obliged to implement appropriate technical and organisational measures that ensure compliance with data subjects' requests.^[40] When a controller is unable to comply with the one-month deadline, it must inform the data subject of the reasons for the delay within one month of receiving the request.

The extension is not available if a controller does not act on a request, given that Article 12(4) GDPR there is no option for an extension (see Article 12(4) GDPR).

Request by electronic means

The final sentence of Article 12(3) GDPR specifies that where the data subject makes a request by electronic means, and unless otherwise requested by them, the information shall be provided in a commonly used electronic form where possible. The response in an electronic form may not possible if a data subject makes an access request for personal data that is processed in a paper filing system (see Article 2(1) GDPR). However, in most cases digital information can be provided by electronic means.

On the other hand, the wording "unless otherwise requested by them" makes clear that the default option for the form of the response - commonly used electronic form - can be changed if the data subject explicitly asks for another format. For example, the data subject can ask for a paper letter even if they made the request by electronic means, as data subjects may be able to send an email with a request, but unable to view and study data in electronic formats.

This provision could also be interpreted in providing a general principle, requiring a controller to respond to a request using the same medium as was used by the data subject, making it transparent for the data subject where to expect a response by the controller.^[41]

It should be kept in mind, that Article 15(3) GDPR provides for a similar provision requiring that the controller provides the information in a commonly used electronic form if the data subject makes the request by electronic means.

(4) Failure to act on the request

Information if controller takes no action on data subject's request

Article 12(4) GDPR obliges the controller to inform the data subject without undue delay in case it does not take action on a request by the data subject. Therefore, if a controller does not act on the data subject's request, it must explain to the data subject why this is the case.

This provision makes sure that a controller cannot simply ignore a request by a data subject. Even if the controller chooses not to act on the request, a respective information to the data subject is required.^[42]

Reasons for not taking action

It is important to point out that in its communication to the data subject, the controller must convey the reasons for not taking action. Since this communication refers to the exercise of a data subject's right, the communication has to comply with the requirements of Article 12(1) GDPR, i.e. it has to be in a concise, transparent, intelligible and easily accessible form, using clear and plain language (see Article 12(1) GDPR).^[43]

Common mistake: The controller is not just obliged to inform the data subject in case it does not comply with a request; e.g. if it does not comply with an erasure request because the data is still needed for the defence of legal claims. This obligation is also applicable, if the controller refuses to act on a request because it is manifestly unfounded or excessive under Article 12(5) GDPR.

Without delay, at the latest within one month

Just like the information about actions taken in line with Article 12(3) GDPR, the response must be provided without delay (see commentary on Article 12(3) GDPR for more information on the deadline). There is a maximum deadline for a negative response of one month. Other than for a positive response under Article 12(3) GDPR, the controller cannot extend the time for a negative response beyond the absolute deadline of one month.^[44] Generally, it can be said that a controller should not need a whole month in order to assess whether to comply with a request by a data subject. Therefore, the period of one month should rarely be exhausted.

For example: A controller may reject the request if it considers that no personal data is being processed, thus not falling in the scope of the GDPR in its entirety, if it finds that the request is "manifestly unfounded or excessive" under Article 12(5) GDPR or because it takes the view that it is not the relevant controller. In any case, the entity that receives a request, must provide at least a negative response.

Possibility of lodging a complaint and seeking judicial remedy

In this information to the data subject, the controller must inform the data subject about their right to lodge a complaint with a supervisory authority under Article 77 GDPR or to seek a judicial remedy under Article 78 GDPR.

(5) Free of charge and manifestly unfounded or excessive requests

Provide information and communication free of charge

Article 12(5) GDPR provides for the general principle that the initial information of the data subjects as well as the the exercise of data subject rights is free of charge. However, this provision also allows exceptions from this principle in extreme cases of abuse of these rights.^[45]

Covered by this provision are the controller's information obligations under Articles 13 and 14 GDPR and the communications and actions taken under Articles 15 to 22 GDPR (data subject rights) as well as the communication of personal data breaches to data subjects under Article 34 GDPR. The principle of transparency requires that the provision of such information is available to everyone; however, the costs of a data subject for making a request are usually not recoverable.^[46]

There are exceptions to the rule that the exercise of rights is free of charge. Namely, in case the request by the data subject is manifestly unfounded or excessive. These exceptions should be interpreted narrowly to avoid undermining the principle of transparency and the principle that requests by data subjects should be free of charge.^[47]

Manifestly unfounded

A request is considered manifestly unfounded if it does not meet essential legal requirements and is therefore obviously unfounded; the scope for relying on this exception is therefore rather narrow.^[48]

For example, for a manifestly unfounded request might be cases in which an obviously unauthorised person wants to assert the rights of a data subject.^[49] The understanding is that the request must be made with abusive intent.^[50] Merely making a broad request or a request that is not covered by the GDPR, because a data subject does not understand the details of the rights under the GDPR is not "manifestly unfounded" but may just be a misunderstand that requires a negative response under Article 12(4) GDPR.^[51]

It should be stressed that Article 12(5) GDPR in itself does not require a data subject to put forward a reason to justify their request. The fact that a data subject did not provide a justification for exercising a right, therefore is no reason to consider a request (manifestly) unfounded.^[52]

Excessive

There is no definition of the term “excessive” in the GDPR. The example in the law “in particular because of their repetitive character” in Article 12(5) GDPR suggests that the main scenario to which this limb applies is when a data subject uses the free rights under the GDPR to consistently bombard the controller with requests. On the other hand, the qualifier “in particular” indicates that other reasons that might cause excessiveness are not excluded a priori.^[53]

A data subject may nonetheless submit more than one request to a controller. In this case, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded. Controllers must take into account the particular circumstances of the single case carefully. In general, “The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive”.^[54] That said, other factors such as the nature of the data, the purpose of the processing and whether the subsequent requests concern the same type of information or processing activities should all be taken into account.^[55]

Another relevant factor is the nature of the communication channel between the data subject and controller. Taking the example of an access request, if it is possible to easily provide the relevant information by electronic means or by remote access to a secure system, which makes compliance simple for the controller, it is unlikely that repetitive requests can be regarded as excessive.^[56] In other words: A controller cannot charge a fee when a user downloads his information from a self service tool regularly.

The mere scope of a request is not per se "excessive", even if a data subject requests access to all personal data a controller holds under Article 15 GDPR. It cannot be held against a data subject if a controller holds massive amounts of personal data on the data subject, nor can a controller rely on the fact that its IT infrastructure is scattered or complex. In an effort to facilitate the quick and accurate response to a request, the controller may ask the data subject if the request concerns only subsets of the processing operation, but if the data subject insists on a broad scope of the request, the controller must comply with the request.^[57]

However, a request could be considered excessive if an individual makes a request but offers to withdraw the request against some payment from the controller or if the data subject states a malicious intend in the request itself, e.g. by claiming to make the request only to make exploit the time and effort of the controller.^[58]

Consequence of manifestly unfounded or excessive requests

Article 12(5) GDPR allows for two options to react to manifestly unfounded or excessive requests. If the request is manifestly unfounded or excessive, controllers may either charge a reasonable fee or refuse to act on the request.

(a) Reasonable fee

If information requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may charge a reasonable fee. This exception must be interpreted restrictively in order to not excessively constrain data subjects’ right to information. The amount should be based on the costs of the controller to comply with the request.^[59] It is argued that controllers should inform data subjects of their intention to charge them a reasonable fee based on Article 12(5) GDPR before doing so, to allow them to decide whether they should withdraw their request to avoid being charged.^[60]

(b) Refuse to act

Alternatively, if requests are manifestly unfounded or excessive, the controller can outright refuse to act on the request. If the controller refuses to act, it must inform the data subject accordingly (see Article 12(4) GDPR). Such a response should include a reason why they refuse to act as well as inform them about the right to lodge a complaint with a supervisory authority and the possibility to seek a judicial remedy.^[61]

Relationship between (a) and (b)

The relationship between these two options is not clarified by the GDPR. The wording of Article 12(5) GDPR seems to suggest that the controller has a free choice between the two alternatives. Nonetheless, it has been pointed out that a refusal to act can violate the good faith principle to the extent that the data subject offers to pay a reasonable fee.^[62] Equally, leaving the choice to the data subject would be more proportionate option, when the provision is interpreted in light of Article 8(2) and 52(1) CFR.^[63]

Reference can also be made to the CJEU interpreting the same wording in the context of the supervisory authority's obligation to handle a request unless it is "manifestly unfounded or excessive, in particular because of their repetitive character," which held that a supervisory authority "may choose, by reasoned decision, between charging a reasonable fee based on administrative costs and refusing to act on those requests, taking account of all the relevant circumstances and satisfying itself that the chosen option is appropriate, necessary and proportionate."^[64]

Burden of proof

Finally, the law highlights that the controller bears the burden of proof that a request was manifestly unfounded or excessive. In these cases, controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Article 12(5), third sentence, GDPR). Hence, controllers should maintain a proper documentation of the underlying facts.^[65]

(6) Authentication of the data subject

Without prejudice to Article 11 GDPR - Authentication versus identification

Article 12(6) GDPR deals with the case that the controller has reasonable doubts concerning the identity of the natural person exercises a right under Articles 15 to 21 GDPR. In this case the controller may request that the data subject provides additional information in order to confirm the identity of the data subject. In other words, a controller can request additional information from a person making a request if this information is necessary to confirm that this person is indeed the data subject, the request refers to.

Contrary to problems identifying the personal data that is subject to a request described in Article 11 GDPR and Article 12(2) GDPR, Article 12(6) concerns issues of authentication. This means, that while the relevant personal data can be found, the controller may have reasonable doubts concerning the identity of the natural person making the request and if the person requesting the information is the actual data subject.

For example: If a controller receives a request from a data subject under their real name, requesting deletion of their IP-address stored in the controller's database, the controller is unable to identify the data subject (i.e. match the processed data with the person making the request). This is an issue of identification and subject to Article 12 GDPR.

If, however, a person requests access to his personal data from a doctor under their real name and the doctor can match the person to the data of one of its patients but is unsure whether the person making the request is indeed the person they claim they are, they can request additional information necessary to confirm their identity in order to make sure they don't provide the data to the wrong person. This is a case of authentication and subject to Article 12(6) GDPR.

Reasonable doubts concerning the identity

A controller can only request additional information from the data subject, in case it has reasonable doubts regarding their identity. This means that the controller, receiving a request from a natural person, has doubts whether that person is indeed the data subject entitled to make the request.^[66]

The doubts by the controller must be reasonable; therefore, a controller cannot always require additional information (like a scan of an ID) even if it has no reasonable doubts regarding the data subject's identity.^[67] Such a practice would violate the controller's obligation to facilitate data subjects' rights as stipulated in Article 12(2) GDPR.^[68] Therefore, the data subject has to co-operate with the controller in case they are required to provide additional information.^[69]

Requirement to authenticate the person making the request

Proper authentication of the person requesting the information is crucial, given the risk of disclosing personal data to an unauthorised person which, for example, might contribute to identity theft. Not establishing a proper system for authentication would usually constitute a violation of various provisions of the GDPR, such as Articles 5(1)(f) or 32 GDPR. Therefore, if the controller has reasonable doubts concerning the identity of a natural person making a request under Articles 15 to 21 GDPR, additional information must be requested to verify their identity.^[70]

Requests under Article 15 to 21 GDPR

This provision refers to the requests referred to in Articles 15 to 21 GDPR. Article 22 GDPR is not mentioned. The reason for omitting Article 22 GDPR - particularly the right to obtain human intervention, express a point of view and contest a decision - is unclear and it is argued that the provision should apply to Article 22 GDPR as well.^[71]

Controller may request additional information

Other than Article 11 and 12(2) GDPR, when personal data is simply not identifiable, the lack of authentication does not allow to reject a request under Articles 15 to 21 GDPR. Instead, the controller must request additional information that allows the authentication. Article 12(6) GDPR does not foresee that a controller is unable to authenticate a data subject.

Only in the case that the data subject refuses to cooperate and provide additional information can the controller refuse to comply with the data subject's request.^[72]

Information necessary to confirm identity

The authentication of data subjects must not lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested. That means that the controller cannot collect more data than necessary to authenticate the requesting person.^[73]

"[T]he controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 70.

The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle; any burdensome measures must be adequately justified by the controller in order to comply with its duty to facilitate data subjects' rights.^[74] The controller should also consider the risk to the data subjects in such an assessment; e.g. the risk for the data subject is smaller when it comes to complying with an objection to a processing activity for marketing purposes under Article 21 GDPR compared to the risk when sensitive data is disclosed to a requesting person due to an access request under Article 15 GDPR.^[75]

Common mistake: It is common that controllers just require some form of government issued identification or proof of address, even when the controller has no information to match this against. In some countries, residents are not required to have a government ID. Some form of proof of identity or addresses may also not be common in certain jurisdictions.

For instance, when a given processing operation begins with the storage of a cookie into the user's device, a controller cannot ask the data subject to provide IDs, signatures and in general anything that cannot help the identification purpose.^[76]

In the context of online services, the data subject can be authenticated, inter alia, by sending a secret code, answering questions that only the data subject knows, have a user log in to a platform, send a link containing a unique token to their email address, or any other contact method used for the registration. Insofar as a digital communication channel already exists between the data subject and the controller, the controller should implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR.^[77]

For example: A user signs up to a social network by providing their email and generating a login password. After a few years of use, they decide to make an access request under Article 15 GDPR via email. Upon receipt of the email, the controller requests the user to send a scan of their identification document to verify their identity. Requiring IDs when they are not necessary constitutes a breach of the obligation to facilitate the exercise of rights, as the controller could implement less burdensome and instrusive verification mechanisms, such as asking the user to log in or sending a verification code to the email address.^[78]

The limitation to request only "necessary" information also means that the controller cannot insist on a specific form of authentication, if a data subject provides other information that ensures sufficient authentication. It is therefore for the data subject to provide (any) "necessary" information, while the controller has a duty to facilitate (see Article 12(1) GDPR) the exercise and may suggest certain, easy forms of authentication.

(7) Standardised icons

Information pursuant to Articles 13 and 14 GDPR

Article 12(7) GDPR establishes the option to provide the information under Articles 13 and 14 GDPR in combination with standardised icons. The scope of this information is therefore explicitly the initial information of data subjects regarding the processing of their personal data as stipulated in Articles 13 and 14 GDPR.

May be provided with standardised icons

This provision is based on the assumption that it is easier to provide information using visual aids, rather than using plaint text alone.^[79] Therefore it can be appropriate to use visualisations (e.g. standardised icons) in order to increase the transparency of the information provided to data subjects.^[80]

During the negotiations on the GDPR, some Members of the European Parliament have proposed to use icons to communicate privacy information.^[81] However, the foreseen icons did not make it into the final text of the GDPR - instead there is now an option for the European Commission to issue a delegated act under Article 12(8) GDPR to define such icons (see below). The originally proposed symbols partly concerned the compliance with minimum standards under the GDPR and would have had little benefit for data subjects, as every controller would have to carry the same symbols. Arguably, icons and symbols have more relevance when it comes to optional elements (e.g. use of personal data for advertisement, sharing of personal data or transfer of personal data outside of the EEA and alike).

To give overview of intended processing

The purpose of using standardised icons in the information of data subjects is to make the information more accessible to the data subjects. Transparency should be increased, on the one hand, by reducing the need for vast amounts of written information to be presented to a data subject, on the other hand, it should be possible for the data subject to grasp the fundamentals of the processing activity by a glance at expressive icons.^[82] It is therefore a tool against the problems of information fatigue and information overload.^[83]

With this knowledge, the data subjects should be in a position to evaluate the lawfulness of the processing activity and to exercise their rights under the GDPR.^[84]

In combination

It should be noted that Article 12(7) GDPR only provides for the option to inform data subjects about a processing activity in combination with standardised icons. Therefore, standardised icons alone are not a suitable way of informing data subjects about the processing of their data in accordance with Article 13 and 14 GDPR. This should make sure that the usage of standardised icons does not lower the level of protection for data subjects by decreasing the amount of information provided to them.^[85]

"[T]he use of icons should not simply replace information necessary for the exercise of a data subject’s rights nor should they be used as a substitute to compliance with the data controller’s obligations under Articles 13 and 14"

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 50.

Instead, icons could be used in a multi-layered approach and provide data subjects with some fundamental information about the processing activity while the further information is mainly contained in the privacy policy accessible by a link.^[86]

If electronically, they shall be machine-readable

In case the icons are presented electronically, Article 12(7) GDPR requires that the icons are also machine-readable. This should for example enable a browser to automatically avoid websites that declare a specific processing activity or help to make privacy notices more accessible for people with an impairment of their vision.^[87]

However, without the implementation of standardised icons, this provision lacks practical importance at this point.

(8) Code of icons

Article 12(8) GDPR empowers the Commission to adopt delegated acts in accordance with Article 92 GDPR for the purpose of determining the information to be presented by the icons mentioned in Article 12(7) GDPR as well as procedures for providing standardised icons. Its competence does not include the binding establishment of specific icons. Per Recital 166 GDPR, the process of developing a code of icons should involve the carrying out of consultations and research on the efficacy of icons. Article 12(8) GDPR does not expressly specify whose responsibility it is to conduct such research, meaning standardised icons could come from either the Commission or standard-setting organisations. However, Article 71(1)(r) GDPR tasks the EDPB to provide the Commission with an opinion on the icons referred to in Article 12(7)GDPR.

"[T]he utility of icons to effectively convey information required under Articles 13 and 14 to data subjects is dependent upon the standardisation of symbols/ images to be universally used and recognised across the EU as shorthand for that information. In this regard, the GDPR assigns responsibility for the development of a code of icons to the Commission but ultimately the European Data Protection Board may, either at the request of the Commission or of its own accord, provide the Commission with an opinion on such icons. [I]n line with Recital 166, the development of a code of icons should be centred upon an evidence-based approach and in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context."

WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 52 (footnotes emitted).

So far the European Commission has not used this power and there are no known plans to issue such an implementing decision. Even if such a decision by the Commission would be issued, using these icons is optional ("may"). Therefore the provision therefore has no practical relevance.

Decisions

→ You can find all related decisions in Category:Article 12 GDPR

References