Article 12
Transparent information, communication and modalities for the exercise of the rights of the data subject

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 12 keyboard_arrow_down Hide the recitals of the Regulation related to article 12 keyboard_arrow_up

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

There is no recital in the Directive related to article 12.

The GDPR

Article 12 requires the controller to provide procedures and mechanisms for the data subjects to exercise their rights. 

A principle of transparency is proclaimed: any information to the public or to the data subject should be easily accessible and easy to understand in a concise and transparent form, and formulated in clear and simple terms - in particular for any information addressed specifically to a child. It applies both to the exercise of the right to information (Art. 13 and 14) and to the right to access (Art. 15 ), the rights to rectification and erasure (Art. 16 and 17), the right to limitation of processing (Art.  18), the right to data portability (Art. 20 ), the right to object (Art. 21 ), the right not to be subject to automated individual decision-making (Art. 22), and regarding the obligation of official notification (Art. 19) And finally, that of the right to communication of a personal data breach (Art. 34).

The information may be provided in writing or by other means, if necessary, electronically, if this is appropriate. If the data subject exercises his or her right in an electronic form, the information can usually be provided electronically, unless the data subject requests it otherwise. If the data subject so requests, the information can even be provided orally, provided that the identity of the data subject is demonstrated by other means.

It is the responsibility of the controller to facilitate the exercise of the rights referred to in Articles 15 to 22 above. In case of application of Article 11, (2) concerning processing that does not require identification, the controller cannot deny the rights of the data subject, unless proven not being able to identify them.

Maximum times for response are provided. Thus, for the rights envisaged in Articles  15-22 , the information must be provided  promptly and in any event within one month of receipt of the request. This period may be extended by two months if necessary, given the complexity and the number of requests. In this case, the data subject must be specifically informed of the postponement reasons, within one month of receipt of the request. If the controller does not give any response to the request made by the data subject, he or she shall inform them of the reasons for his inaction and of the possibility to lodge a complaint with a supervisory authority, without delay and within one month of receipt of the request at the latest.

The principle of free exercise of rights is generalized to provide information under Articles 13 and 14 and to proceed with all communication and take any measure under Articles 15 to 22 and Article 34.

When any requests by a data subject are manifestly unfounded or excessive, in particular due to their repetitive character, the controller may either require the payment of a reasonable fee based on administrative costs or refuse to reply. In both cases, it is up to the controller to demonstrate clearly the unfounded or excessive nature of the request.

Without prejudice to Article 11 which provides for an exception based on the rights set in Articles 15 to 20 if the processing does not require identification when having reasonable doubts as to the identity of the person making the request referred to in Articles 15 to 21, it may request the provision of additional information necessary to confirm the identity of the data subject.

The provision states - which is new – that the information to be provided on the basis of Articles 13 and 14  could be accompanied by standardized icons to provide a good overview of the respective processing that should be easily visible and clearly legible and understandable. By delegation, the Commission could accept rules to determine the information presented by the icons as well as the procedures for their standardization.

The Directive

The Directive did not include a general provision on the general  mechanisms for the exercise of rights.

These varied from a national legislation to another, where the rest of the mechanisms  for  each right were provided for with more or less precision.

Potential issues

The implementation of Article 12 will require a thorough review - or even new right to be set – relevant internal procedures to meet the various requests of the data subjects or simply to make the disclosures required by the Regulation.

Strangely, the exercise of rights is not subject, as a rule, to the provision of proof of the applicant's identity, which opens the way to abuse. Caution nevertheless would require the controller to make sure in data subject’s identity before transmitting, if any, any information of a confidential nature.

Group 29

Guidelines on the right to data portability (5 april 2017)

Article 20 of the GDPR creates a new right to data portability, which is closely related to the right of access but differs from it in many ways. It allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.

Since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool that will support the free flow of personal data in the EU and foster competition between controllers. It will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the digital single market strategy.

This opinion provides guidance on the way to interpret and implement the right to data portability as introduced by the GDPR. It aims at discussing the right to data portability and its scope. It clarifies the conditions under which this new right applies taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject. The opinion also provides concrete examples and criteria to explain the circumstances in which this right applies. In this regard, WP29 considers that the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity. This new right cannot be undermined and limited to the personal information directly communicated by the data subject, for example, on an online form.

As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The opinion also helps data controllers to clearly understand their respective obligations and recommends best practices and tools that support compliance with the right to data portability. Finally, the opinion recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. 

Lien : http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233

Regulation
1e 2e

Art. 12

1.   The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2.   The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3.   The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4.   If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5.   Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6.   Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7.   The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8.   The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

1st proposal close

Art. 12

1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.

2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.

6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Art. 13

The controller  shall communicate  any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.

 

2nd proposal close

Art. 12

1. The controller shall take appropriate measures to provide any information referred to in Articles 14 and 14a and any communication under Articles 15 to 19 and 32 relating to the processing of personal data to the data subject in an intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, where appropriate electronically. Where the data subject makes the request in electronic form, the information may as a rule be provided in electronic form, unless otherwise requested by the data subject. When requested by the data subject, the information may be given orally provided that the identity of the data subject is proven.

1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19. (...) In cases referred to in Article 10 (2) the controller shall not refuse to act on the request of the data subject for exercising his/her rights under Articles 15 to 19, unless the controller demonstrates that he/she is not in a position to identify the data subject.

2. The controller shall provide (...) information on action taken on a request under Articles 15 and 16 to 19 to the data subject without undue delay and at the latest within one month of receipt of the request (...). This period may be extended for a further two months when necessary, taking into account the complexity of the request and the number of requests. Where the extended period applies, the data subject shall be informed within one month of receipt of the request of the reasons for the delay.

3. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint to a supervisory authority (...).

4. Information provided under Articles 14 and 14a (...) and any communicati on under Articles 16 to 19 and 32 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller (...) may refuse to act on the request. In that case, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

4a. Without prejudice to Article 10, where the controller has reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject

5. (...)

6. (...)

Directive close

No specific provision

close