How to Demonstrate Compliance With GDPR Article 12

UK GDPR Version

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority the Commissioner and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
• Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
• Refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
• [6A. The Commissioner may publish (and amend or withdraw)
• (a) Standardised icons for use in combination with information provided to data subjects under Articles 13 and 14;
• (b) A notice stating that other persons may publish (and amend or withdraw) such icons, provided that the icons satisfy requirements specified in the notice as to the information to be presented by the icons and the procedures for providing the icons.
• 6B. The Commissioner must not publish icons or a notice under paragraph 6A unless satisfied (as appropriate) that the icons give a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner or that the notice will result in icons that do so.]
7. If standardised icons are published as described in paragraph 6A (and not withdrawn), the information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with the icons. Where the icons are presented electronically they shall be machine-readable.

Technical Commentary

Quality of Information Provided

Information provided by the controller to the principal should be:

1. Concise.
2. Transparent.
3. Intelligible.
4. Easily accessible.
5. Easily understood.
6. In the appropriate format.

Facilitating the Data Subject’s Rights

Whilst GDPR doesn’t contain a specific set of instructions relating to how organisations should provide ‘mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object’.

Time Limits

The legislation omits any precise definition of what is deemed an acceptable time to response to requests. It’s instead left to organisations to act as quickly as possible (or ‘without undue delay’) within a period of one month – extended to two months for complex requests.

If an organisation doesn’t intend to act upon a request, then the data subject should be informed of the reasons within one month, along with information on how to file a complaint.

EU GDPR Article 12 (2) and ISO 27701 Clause 7.3.1

Determining and Fulfilling Obligations to Pii Principals

Organisations need to document their obligations to PII principals across three key areas:

1. Legal.
2. Regulatory.
3. Business.

Organisations should provide transparent documentation and a designated point of contact to PII principals, in order to facilitate the free flow of information and not in any way obstruct the PII principal from establishing the controller’s obligations.

It’s important to note that, to ensure uniformity, any means of contact provided should mirror the way through which the organisation collects PII – e.g. providing an email address or a PoC, if data was collected via email, rather than purely asking a principal to write a letter.

EU GDPR Articles 12 (1) and (7) and ISO 27701 Clause 7.3.3

Providing Information to PII Principals

Organisations need to be able to provide information to PII principals that identifies the PII controller, and how data is processed.

Organisations should do their utmost to ensure that they’re using accessible language that avoids industry jargon, and conveys information in plain terms that are easily understood (see ISO 27702 Clause 7.3.2).

Supporting ISO 27701 Clauses

• ISO 27701 7.3.2

EU GDPR Articles 12 (3), (4), (5), (6) and ISO 27701 Clause 7.3.9

Requests from PII principals should be governed by processes and controls that are widely understood throughout the organisation, and cater to the specifics of any legislative or regulatory requirements, including adequate response times.

Requests may include:

1. Copies of data.
2. Complaints.
3. Procedural clarifications.

Organisations are legally allowed to charge a handling fee, but this is only usually applied to repetitive or excessive requests for data.

Supporting Controls From ISO 27701

How ISMS.online Helps

ROPA made easy

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

Assessment templates

We provide easy to use templates for recording privacy and legitimate interest assessments.

A secure space for DRR

You’ll need to show how well you manage Data Subject Rights Requests (DRR). Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.

Breach management

If the worst happens, you’ll be ready. We make it easy to plan and communicate your breach workflow, and document and learn from every incident.

Find out more by booking a demo.