Understanding Article 12 of GDPR
Article 12 of GDPR relates to how data controllers must take the necessary measures to communicate with data subjects when they assert or exercise a right under GDPR.
Based on Article 12 of the regulation, companies cannot simply brush off data subjects' requests relating to the processing of their personal data.
Controller’s obligation to communicate information to the data subject (Article 12(1) GDPR)
The first paragraph of Article 12 makes it very clear that data controllers must provide any information needed by individuals relating to:
- Instances when the data controller collects, stores and processes personal data relating to the data subject (Article 13 GDPR)
- Instances when the data controller receives personal data from another source (Article 14 GDPR)
In addition, if a person wants to exercise a right under GDPR, data controllers must provide any information required to comply.
Such rights include:
- Right of access by the data subject (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
- Automated individual decision-making, including profiling (Article 22 GDPR)
- Communication of a personal data breach to the data subject (Article 34 GDPR)
When the data controller communicates with data subjects, it must take care to do so clearly, concisely and in an easy-to-understand form, using plain language.
Facilitating the exercise of data subject rights (Article 12(2) GDPR)
GDPR is designed in such a way as to empower individuals by giving them rights, power and control over their personal data.
As a result, under Article 12(2) of GDPR, data controllers must facilitate the exercise of data subjects' rights.
Data controllers who do not process personal data cannot refuse to act when a person exercises their rights under GDPR against them unless the data controller can prove that they are unable to identify the person.
30-day deadline to respond to data subjects (Article 12(3) GDPR)
When a person exercises his or her rights under GDPR, an organization must respond to the individual within 30 days.
Where necessary, taking into account the complexity of the request or the number of requests made by the data subject, a company can extend the time to respond by two further months.
In such a case, the company must notify the individual within 30 days from the receipt of their request and provide sufficient justification as to why they need additional time to respond.
Data controller not taking action (Article 12(4) GDPR)
If the controller does not take action when a person exercises a right against them, they still have an obligation to notify the person within 30 days and provide them with the reasons why they will not take action.
In addition, they must inform the data subject on how to file a complaint with the relevant supervisory authority and how to seek legal remedy.
Information to be provided free of charge (Article 12(5) GDPR)
To facilitate the process of exercising their rights, GDPR prohibits companies from charging data subjects a fee to get the information they need.
The only exception is when a person's request is manifestly unfounded or excessive, in particular because of its repetitive character.
If the request is manifestly unfounded, the data controller can either refuse to act or charge a reasonable administrative fee for providing the information.
Doubt of identity of the data subject (Article 12(6) GDPR)
If the data controller is not sure of the identity of the person asking for the information or exercising a right under GDPR, the data controller can request additional information as necessary to identify the person.
This is important, as you don’t want to share personal data relating to one person with another!
Giving information with standardised icons (Article 12(7) GDPR)
When data controllers are required to give information about how they collect, store and process a person's personal data, or how they obtain the data from another source, they should provide the information in a way that is intelligible to the person asking for it.
A company can provide standardised icons, or other means, to make the information clearly visible, intelligible and legible, so that a person can meaningfully understand the intended processing.
Commission’s powers (Article 12(8) GDPR)
GDPR gives the Commission the power to adopt delegated acts to further specify the information to be presented by the icons and the procedures for providing standardised icons.
Recitals applicable to Article 12 of GDPR
Relevant Recitals: 58, 59, 60, 73
Cited Legislation in Article 12 or relevant recitals
GDPR Text: Article 12 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)