GDPR Article 12 focuses on how data controllers communicate with data subjects: how they communicate their internal processes, how they facilitate the flow of information, and how they cater to the subject’s rights.
Transparent information, communication and modalities for the exercise of the rights of the data subject
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Information provided by the controller to the principal should be:
Whilst GDPR doesn’t contain a specific set of instructions relating to how organisations should provide ‘mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object’.
The legislation omits any precise definition of what is deemed an acceptable time to respond to requests. It is instead left to organisations to act as quickly as possible (or ‘without undue delay’) within a period of one month – extended to two months for complex requests.
If an organisation doesn’t intend to act upon a request, then the data subject should be informed of the reasons within one month, along with information on how to file a complaint.
Organisations need to document their obligations to PII principals across three key areas:
Organisations should provide transparent documentation and a designated point of contact to PII principals, in order to facilitate the free flow of information and not in any way obstruct the PII principal from establishing the controller’s obligations.
It’s important to note that, to ensure uniformity, any means of contact provided should mirror the way in which the organisation collects PII – e.g. providing an email address or a point of contact (PoC) if data was collected via email, rather than only asking a principal to write a letter.
Organisations need to be able to provide information to PII principals that identifies the PII controller, and how data is processed.
Organisations should do their utmost to ensure that they’re using accessible language that avoids industry jargon, and conveys information in plain terms that are easily understood (see ISO 27702 Clause 7.3.2).
Requests from PII principals should be governed by processes and controls that are widely understood throughout the organisation, and cater to the specifics of any legislative or regulatory requirements, including adequate response times.
Requests may include:
Organisations are legally allowed to charge a handling fee, but this is usually only applied to repetitive or excessive requests for data.
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Article 12 (2) | ISO 27701 7.3.1 | None |
| EU GDPR Articles 12 (1), (7) | ISO 27701 7.3.3 | ISO 27701 7.3.2 |
| EU GDPR Articles 12 (3), (4), (5), (6) | ISO 27701 7.3.9 | None |