Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

Overview:

Article 12 of the GDPR requires organisations to provide clear, concise, and transparent information to data subjects about their rights and about how their personal data is processed. In addition, the article covers the following:

  1. The organisation (data controller) must ensure that all communications regarding data processing are written in clear, plain language and are easily accessible to the data subjects. Information may be provided in writing, including by electronic means, and orally if the data subject asks for it and their identity has been verified.
  2. Responses to the data subject must be provided without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests, provided the data subject is informed of the extension and the reasons for it within one month of receipt.
  3. If the organisation (controller) refuses to act on a request, it must inform the data subject within one month, giving the reasons for the refusal and informing them of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
  4. The information and responses provided to the data subject must be free of charge. However, if requests are manifestly unfounded or excessive (for example because they are repetitive), the controller may charge a reasonable fee or refuse to act on the request. The controller bears the burden of demonstrating that a request is manifestly unfounded or excessive.
  5. If the controller has reasonable doubts about the identity of the person making the request, it may ask for additional information needed to confirm the data subject's identity.

Implementation Guidance:

  1. Ensure that all communications related to data processing are delivered in a clear, easy to understand and accessible way.
  2. The privacy policy and related documents should convey the following, but are not limited to:
      1. Information about data processing practices
      2. How to exercise the rights of the data subject
      3. A precise point of contact for submitting data subject requests and queries
      4. Timelines for responding to these requests, including the conditions under which the one-month period may be extended
      5. Escalation matrix
      6. Fees for processing manifestly unfounded or excessive requests
      7. The additional verification details that may be requested if the identity of the requester cannot be confirmed initially
  3. There should be a clear and defined procedure for handling data subject requests.
  4. Ensure that updated and accurate records of processing activities are maintained.
  5. Provide a mechanism for data subjects to submit requests and queries.

Regularly review and update policies and procedures to remain compliant with the GDPR.

Compliance Checklist:

  1. Privacy policy
  2. Privacy notice
  3. Procedure for handling data subject requests
  4. Record of Processing Activities (RoPA)

Examples and Use Cases

  1. An online shopping portal displays a privacy notice describing its data processing activities and the rights of data subjects, together with a clear, precise form for submitting data subject requests (access, rectification, erasure).
  2. A visually impaired person asks for information on how their data is being processed, shared and stored, and requests it in large print. The organisation provides the details in the format requested, within the one-month period.