Article 12.
Transparent information, communication and modalities for the exercise of the rights of the data subject

GDPR training, consulting and DPO outsourcing: www.data-privacy-office.eu, info@data-privacy-office.eu, www.gdpr-text.com, www.gdpr-text.com/ko

Article 12.

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and
any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise,
transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information
addressed specifically to a child. The information shall be provided in writing, or by other means, including, where
appropriate, by electronic means. When requested by the data subject, the information may be provided orally,
provided that the identity of the data subject is proven by other means.

Recitals

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily
accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such
information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular
relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data
subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such
as in the case of online advertising. Given that children merit specific protection, any information and communication, where
processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Guidelines and Case Law

Documents

Article 29 Working Party, Opinion 2/2010 on behavioural advertising (2010):

The obligation to provide the necessary information and obtain data subjects’ consent ultimately lies with the entity that sends
and reads the cookie. In most cases, this is the ad network provider. When publishers are joint-controllers, for example in
those cases where they transfer directly identifiable information to ad network providers, they are also bound by the
obligation to provide information to data subjects about the data processing.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to
in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her
rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data
subject.


Recitals

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including
mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data
and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially
where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject
without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any
such requests.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the
context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to
react to potential requests.

Guidelines and Case Law

Documents

Spanish Data Protection Agency (AEPD), Guide on use of cookies (2021).

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject
without undue delay and in any event within one month of receipt of the request. That period may be extended by
two further months where necessary, taking into account the complexity and number of the requests. The
controller shall inform the data subject of any such extension within one month of receipt of the request, together
with the reasons for the delay. Where the data subject makes the request by electronic form means, the
information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data
subject without delay and at the latest within one month of receipt of the request of the reasons for not taking
action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15
to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or
excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or
communication or taking the action requested; or


(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the
request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the
natural person making the request referred to in Articles 15 to 21, the controller may request the provision of
additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination
with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful
overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of
determining the information to be presented by the icons and the procedures for providing standardised icons.

General Data Protection Regulation (EU GDPR)


The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2
((EU) 2016/679). Source: EUR-lex.


Related information: Article 12. Transparent information, communication and modalities for the exercise of the rights of the data subject

Expert Commentary

Author: Louis-Philippe Gratton, PhD, LLM, Privacy Expert

Different provisions of the General Data Protection Regulation provide
for obligations to inform data subjects – the legal term designating common
people – about the processing of their personal information. Controllers –
the persons who control the processing of personal data – have to conform to
certain requirements regarding how they provide the information to the data
subjects, whether beforehand in a privacy notice available to the general
public or when they reply to an individual request.

Article 12 addresses first the form of the information that must be provided.
It must be communicated “in a concise, transparent, intelligible, and easily
accessible form”. The provision further states that controllers should use
“clear and plain language” in their communication. All these adjectives seem
self-explanatory, but they deserve a closer look to clarify their actual
meaning in the context of data protection laws.

Conciseness refers to the fact that the information must be presented briefly
but also in a comprehensive manner. Controllers may have a large amount of
information to provide to a person depending on the nature of the request,
but they have to present it succinctly nonetheless. The principle can be
translated in the manner that the information is physically presented and
structured (see below). Excluding irrelevant, redundant, or unnecessary
information is another way to keep the communication “concise”.

Transparency is one of the key principles of the GDPR [Article 5(1)(a),
recital 39, and Guidelines on Transparency]. It must be regarded as a general
obligation encompassing openness, honesty, and truthfulness. A company
must proactively divulge all the necessary information about how it
processes personal data or communicate it when asked for. It should not hide
information nor try to bury important details. The information must be
accessible first-hand or freely transmitted when requested.

Intelligibility means that privacy-related information must be
comprehensible. The concept overlaps with other principles, but the main idea is
that the information must be easy to understand (recitals 39 and 58) and
presented in a form adapted to the audience (adults, children, professionals,
special context, etc.). The writing style should be simple, easily accessible
words should be preferred, and complex terms should be explained. The
information communicated should be straightforward, avoid any ambiguity,
and leave no room for interpretation.

Ease of access implies that data protection information should be easy to
access. The way the information is provided should be adapted to the context
or platform where it is presented. A link to the privacy policy can be
prominently presented at the bottom of an email or displayed where people
usually look for it on a website, in the footer, for example. It should not be
hidden in a counterintuitive menu in an application where users will never
think to look for it. As a rule of thumb, information about privacy in an
application should never be more than “two taps away”, according to the
Guidelines on Transparency.

Using clear and plain language coincides with the intelligibility principle.
The language used must be adapted and tailored to the audience. Basic and
easy to understand words must be preferred. Complex legal terminology
should be avoided and if necessary should be clarified. Sentences and
paragraphs should be short and the language structure should be kept as
simple as possible (Guidelines on Transparency). Special attention must be
given to that point when controllers address children (recital 58). The
language used should be easily understandable to a child (see our
commentary under Article 8).

Information in line with these requirements must be transmitted in “writing”
or by any “other means”. The chosen means depends on the targeted audience
and includes electronic forms such as applications or websites (recital 58).
It might be provided, if adapted to the situation, through cartoons,
infographics, or flowcharts (Guidelines on Transparency). Another means of
providing the information is through a secure “self-service system” which
would give an individual access to her/his data (recital 63). Information can
even be communicated orally if so requested, provided that the data subject
proves her/his identity by other means.


The form and structure of the information are also addressed by the
European regulation. Privacy-related information must be clearly
differentiated from other legal information such as the general terms of use
(Guidelines on Transparency). It can be separated into different logical
paragraphs, each of them preceded by a heading stating its actual
content. This is sometimes referred to as the “layered” approach in European
documentation. The use of headings, bullets, or indents to logically structure
the document – whether it is a privacy notice or an answer to a request – is a
pragmatic answer to a legal obligation.

Access to information should be facilitated by controllers. They should
maintain mechanisms (recital 59) through which data subjects can exercise
their rights (Articles 15 to 22), receive information – where personal data
are collected from them (Article 13) or obtained from third parties (Article
14) – or be informed of data breaches (Article 34). The information
obligation extends to situations where the exchange of data takes place
between two administrative bodies (CJEU, Smaranda Bara e.a./Președintele
Casei Naționale de Asigurări de Sănătate).

Facilitating access to information can be done by resorting to a standard
form. It could ease the formulation of a request by the data subject, but also
the work of the controller, who will receive a structured message with the
information needed to process the request. It has to be noted that the use of
the form cannot be made mandatory, as any other form of request is valid
(orally, by email, through a letter, etc.).

Controllers must act quickly on data subjects’ requests. Article 12(3)
imposes strict time limits to provide the information requested or to inform data
subjects of action taken upon their request. The general rule is that
controllers should proceed “without undue delay”, but the GDPR does not
define the expression. It must be understood as “as soon as possible”, but at
the latest within a calendar month after receiving the request.

Exceptionally, the period may be extended by two further months. This is
possible only if the request is complex or there are many requests to be
answered at the same time. The controller in such an event has to inform the
data subject within the initial period of one month of her/his intention of
extending the period. The computation of the period starts the day the request
is received or, if applicable, after getting the confirmation of the identity of
the person requesting the information or the payment of the fee.


There are circumstances where controllers may refuse to answer a request
(recital 59). If they deny the request, they have to inform the data subject,
within the same time limits mentioned above, of the reasons why they refuse to act. They
must also notify the data subject of the possibility of lodging a complaint
with a supervisory authority or seeking a judicial remedy.

A request can be denied if it is “manifestly unfounded or excessive” [Article 12
(5)]. This can be the case, for example, when a data subject has made repetitive
requests over a short period of time. It can also happen if the person is
making a request simply to get something in return from the organization, or
the individual is using data protection laws to harass the organization. The
adjective “manifestly” used in the GDPR means that the request must be
clearly or obviously excessive or unfounded. The burden to demonstrate that
the request is “manifestly” excessive or unfounded rests on the controller’s
shoulders.

It would be a better option to open a dialogue with the data subject than
to refuse to act on the request. A request may seem excessive or unfounded
simply because it is not correctly formulated or the data subject does not
fully understand her/his rights. Controllers may ask for additional details, for
example, to help find the requested information. A refusal to act should be
kept for extreme cases to make sure that the controller does not expose
herself/himself to sanctions.

Every request should be answered free of charge [Article 12 (5) and recital
59]. A reasonable fee – based on the administrative costs necessary to
provide the answer – may be imposed only in cases where the demand is
deemed excessive. A data subject’s request will not be deemed excessive if
s/he wants to receive additional copies of information already provided, but
a fee can be charged in these circumstances. The data subject should be
informed about the amount payable and the controller has the right to wait
until the payment is cleared before providing the information.

If the controller has a “reasonable doubt” about the identity of the person
making the request, s/he may require additional information to confirm that
s/he is replying to the right person. The requested information should be
proportionate to the aim of completing the identification of the person and
not go beyond what is necessary to do so.


Recitals

(58) The principle of transparency requires that any information addressed to the public or to the data subject be
concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where
appropriate, visualisation be used. Such information could be provided in electronic form, for example, when
addressed to the public, through a website. This is of particular relevance in situations where the proliferation of
actors and the technological complexity of practice make it difficult for the data subject to know and understand
whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case
of online advertising. Given that children merit specific protection, any information and communication, where
processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation,
including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or
erasure of personal data and the exercise of the right to object. The controller should also provide means for requests
to be made electronically, especially where personal data are processed by electronic means. The controller should be
obliged to respond to requests from the data subject without undue delay and at the latest within one month and to
give reasons where the controller does not intend to comply with any such requests.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in
particular in the context of online services and online identifiers. A controller should not retain personal data for the
sole purpose of being able to react to potential requests.

Guidelines and Case Law

Documents

Article 29 Working Party, Guidelines on Transparency Under Regulation 2016/679 (2018).

Information Commissioner’s Office, Right of Access (2020).

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data
protection Brussels (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).

Case Law


CJEU, Smaranda Bara e.a./Președintele Casei Naționale de Asigurări de Sănătate, C-201/14 (2015).

ECHR, López Ribalda v. Spain, nos 1874/13 and 8567/13 (2019).

Belgian DPA Fines Belgian Telecommunications Provider for Several Data Protection Infringements (2020) – brief
description in English.
