Article 12 of the General Data Protection Regulation (GDPR) is a legal provision for transparency of information. Within the GDPR, it plays an important role because it requires an easily understandable data protection declaration and consent query. It stipulates:
Legal text
(1) The data controller shall take appropriate measures to provide the data subject with all information pursuant to Articles 13 and 14 and all communications pursuant to Articles 15 to 22 and Article 34, which relate to the processing, in a clear, transparent, understandable and easily accessible form in simple language; this shall be done especially for information addressed specifically to children. The provision of information is made in writing or by other means, possibly also electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven in another way. ([1]) ([2]) ([3])
(2) The controller facilitates the exercise by the data subject of their rights pursuant to Articles 15 to 22. In cases referred to in Article 11(2), the controller may only refuse to act on a request from the data subject to exercise their rights pursuant to Articles 15 to 22 if he provides evidence that he is unable to identify the data subject. ([1]) ([2]) ([3])
(3) The controller shall provide the data subject with information on the measures taken pursuant to Articles 15 to 22 in response to a request for access, without undue delay and at the latest within one month of receipt of the request. This period may be extended by two further months where necessary considering the complexity and number of requests. The controller shall inform the data subject within one month of receipt of the request about any extension of this deadline together with the reasons for the delay. If the data subject makes a request electronically, they shall be informed in electronic form if possible, unless they indicate otherwise. ([1])
(4) If the controller does not act on the request of the data subject, he shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or bringing legal proceedings.
(5) Information pursuant to Articles 13 and 14, as well as all notifications and measures pursuant to Articles 15 to 22 and Article 34, shall be provided free of charge. In cases where it is clear that a request from the data subject is unjustified or – in particular if repeated frequently – excessive, the controller may either ([1]) ([2]) ([3])
a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or carrying out the requested action, or
b) refuse to act on the request.
The controller must provide evidence of the manifestly unfounded or excessive nature of the request.
(6) If the controller has well-founded doubts about the identity of the natural person who makes the request pursuant to Articles 15 to 21, he may, without prejudice to Article 11, require additional information necessary to verify the identity of the data subject. ([1]) ([2])
(7) The information that must be provided to data subjects in accordance with Articles 13 and 14 can be made available in combination with standardized pictorial symbols, in order to provide a clear overview of the intended processing in a readily perceivable, intelligible and easily understandable form. If the pictorial symbols are presented in electronic form, they must be machine-readable. ([1])
(8) The Commission shall be empowered, in accordance with Article 92, to adopt delegated acts determining the information to be presented by means of pictorial symbols, and the procedures for providing standardised pictorial symbols.
Comments
Article 12 of the GDPR: Transparent Information, Communication and Modalities for the Exercise of Rights of the Data Subject
The first paragraph of Article 12 means that data protection notices must be available in the language in which a website is written or in the language understood by the intended target audience. The Dutch Data Protection Authority has fined TikTok 750,000 € because TikTok only presented an English-language data protection statement.
The first sentence of Article 12 of the GDPR, together with Article 5, paragraph 1b of the GDPR, implies that privacy notices, and therefore a consent request, must be made specifically for each tool used on a website, such as Google reCAPTCHA. Furthermore, according to (especially) paragraph 1c of the referenced Article 13 of the GDPR, the purposes must be explicitly stated for each tool and cookie (cf. also the European Court of Justice ruling in Planet49, e.g. para. 81).
The one-month period mentioned in paragraph 3 is to be understood as a maximum. The principle of immediacy takes precedence. This was clarified by the Labour Court Duisburg (ArbG Duisburg, judgment of 03.11.2023 – 5 Ca 877/23).
Also interesting
- General Data Protection Regulation (GDPR) in general
- Article 5 GDPR: Principles for data processing ([1])
- Article 6 GDPR: Legal bases for processing ([1])
- Article 7 GDPR: Conditions for Consent ([1])
- Article 12 GDPR: Transparent Information, Communication and Modalities for the Exercise of Rights by the Data Subject ([1])
- Article 15 GDPR: Right to Information ([1])
- Article 26 GDPR: Joint Responsibility ([1])
Key takeaways of this article
Companies must explain how they handle data in a clear, simple, and understandable way.
Individuals have the right to obtain information about their data and to have it corrected.
Companies must respond to requests from data subjects within one month.
In cases of unjustified or excessive data protection requests, the controller may charge fees or refuse the request.
The data controller must provide justification for denying a request.
Data protection information can be presented using pictorial symbols to make it more understandable.
Data protection information can be made more understandable by using images.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
