Transparent information, communication and modalities for the exercise of the rights of the data subject
(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
There is no recital in the Directive related to article 12.
Article 12 requires the controller to provide procedures and mechanisms for the data subjects to exercise their rights.
A principle of transparency is proclaimed: any information to the public or to the data subject should be easily accessible and easy to understand in a concise and transparent form, and formulated in clear and simple terms - in particular for any information addressed specifically to a child. It applies both to the exercise of the right to information (Art. 13 and 14) and to the right to access (Art. 15 ), the rights to rectification and erasure (Art. 16 and 17), the right to limitation of processing (Art. 18), the right to data portability (Art. 20 ), the right to object (Art. 21 ), the right not to be subject to automated individual decision-making (Art. 22), and regarding the obligation of official notification (Art. 19) And finally, that of the right to communication of a personal data breach (Art. 34).
The information may be provided in writing or by other means, if necessary, electronically, if this is appropriate. If the data subject exercises his or her right in an electronic form, the information can usually be provided electronically, unless the data subject requests it otherwise. If the data subject so requests, the information can even be provided orally, provided that the identity of the data subject is demonstrated by other means.
It is the responsibility of the controller to facilitate the exercise of the rights referred to in Articles 15 to 22 above. In case of application of Article 11, (2) concerning processing that does not require identification, the controller cannot deny the rights of the data subject, unless proven not being able to identify them.
Maximum times for response are provided. Thus, for the rights envisaged in Articles 15-22 , the information must be provided promptly and in any event within one month of receipt of the request. This period may be extended by two months if necessary, given the complexity and the number of requests. In this case, the data subject must be specifically informed of the postponement reasons, within one month of receipt of the request. If the controller does not give any response to the request made by the data subject, he or she shall inform them of the reasons for his inaction and of the possibility to lodge a complaint with a supervisory authority, without delay and within one month of receipt of the request at the latest.
The principle of free exercise of rights is generalized to provide information under Articles 13 and 14 and to proceed with all communication and take any measure under Articles 15 to 22 and Article 34.
When any requests by a data subject are manifestly unfounded or excessive, in particular due to their repetitive character, the controller may either require the payment of a reasonable fee based on administrative costs or refuse to reply. In both cases, it is up to the controller to demonstrate clearly the unfounded or excessive nature of the request.
Without prejudice to Article 11 which provides for an exception based on the rights set in Articles 15 to 20 if the processing does not require identification when having reasonable doubts as to the identity of the person making the request referred to in Articles 15 to 21, it may request the provision of additional information necessary to confirm the identity of the data subject.
The provision states - which is new – that the information to be provided on the basis of Articles 13 and 14 could be accompanied by standardized icons to provide a good overview of the respective processing that should be easily visible and clearly legible and understandable. By delegation, the Commission could accept rules to determine the information presented by the icons as well as the procedures for their standardization.
The Directive did not include a general provision on the general mechanisms for the exercise of rights.
These varied from a national legislation to another, where the rest of the mechanisms for each right were provided for with more or less precision.
The implementation of Article 12 will require a thorough review - or even new right to be set – relevant internal procedures to meet the various requests of the data subjects or simply to make the disclosures required by the Regulation.
Strangely, the exercise of rights is not subject, as a rule, to the provision of proof of the applicant's identity, which opens the way to abuse. Caution nevertheless would require the controller to make sure in data subject’s identity before transmitting, if any, any information of a confidential nature.
Guidelines on the right to data portability (5 April 2017)
(Endorsed by the EDPB)
Article 20 of the GDPR creates a new right to data portability, which is closely related to the right of access but differs from it in many ways. It allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.
Since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool that will support the free flow of personal data in the EU and foster competition between controllers. It will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the digital single market strategy.
This opinion provides guidance on the way to interpret and implement the right to data portability as introduced by the GDPR. It aims at discussing the right to data portability and its scope. It clarifies the conditions under which this new right applies taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject. The opinion also provides concrete examples and criteria to explain the circumstances in which this right applies. In this regard, WP29 considers that the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity. This new right cannot be undermined and limited to the personal information directly communicated by the data subject, for example, on an online form.
As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.
The opinion also helps data controllers to clearly understand their respective obligations and recommends best practices and tools that support compliance with the right to data portability. Finally, the opinion recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.
Guidelines on transparency under Regulation 2016/679 (11 April 2018)
(Endorsed by the EDPB)
These guidelines provide practical guidance and interpretative assistance from the Article 29 Working Party (WP29) on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation1 (the “GDPR”). Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/680, these guidelines also apply to the interpretation of that principle. These guidelines are, like all WP29 guidelines, intended to be generally applicable and relevant to controllers irrespective of the sectoral, industry or regulatory specifications particular to any given data controller. As such, these guidelines cannot address the nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area. However, these guidelines are intended to enable controllers to understand, at a high level, WP29’s interpretation of what the transparency obligations entail in practice and to indicate the approach which WP29 considers controllers should take to being transparent while embedding fairness and accountability into their transparency measures.
Transparency is a long established feature of the law of the EU. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an ex
In accordance with Recital 171 of the GDPR, where processing is already under way prior to 25 May 2018, a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means that prior to 25 May 2018, data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements/ notices etc.) to ensure that they adhere to the requirements in relation to transparency which are discussed in these guidelines. Where changes or additions are made to such information, controllers should make it clear to data subjects that these changes have been effected in order to comply with the GDPR. WP29 recommends that such changes or additions be actively brought to the attention of data subjects but at a minimum controllers should make this information publically available (e.g. on their website). However, if the changes or additions are material or substantive, then in line with paragraphs 29 to 32 below, such changes should be actively brought to the attention of the data subject.
Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12 - 14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.
The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:
- before or at the start of the data processing cycle, i.e. when the personal data is being collected either from the data subject or otherwise obtained;
- throughout the whole processing period, i.e. when communicating with data subjects about their rights; and
- at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing.
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
1st proposal close
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.
2nd proposal close
1. The controller shall take appropriate measures to provide any information referred to in Articles 14 and 14a and any communication under Articles 15 to 19 and 32 relating to the processing of personal data to the data subject in an intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, where appropriate electronically. Where the data subject makes the request in electronic form, the information may as a rule be provided in electronic form, unless otherwise requested by the data subject. When requested by the data subject, the information may be given orally provided that the identity of the data subject is proven.
1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19. (...) In cases referred to in Article 10 (2) the controller shall not refuse to act on the request of the data subject for exercising his/her rights under Articles 15 to 19, unless the controller demonstrates that he/she is not in a position to identify the data subject.
2. The controller shall provide (...) information on action taken on a request under Articles 15 and 16 to 19 to the data subject without undue delay and at the latest within one month of receipt of the request (...). This period may be extended for a further two months when necessary, taking into account the complexity of the request and the number of requests. Where the extended period applies, the data subject shall be informed within one month of receipt of the request of the reasons for the delay.
3. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint to a supervisory authority (...).
4. Information provided under Articles 14 and 14a (...) and any communicati on under Articles 16 to 19 and 32 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller (...) may refuse to act on the request. In that case, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
4a. Without prejudice to Article 10, where the controller has reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject
No specific provision
All of the following in force until May 25, 2018:
Obligation to Disclose the Identity of the Controller
§ 25 DSG 2000
(1) In the case of transmissions and communications to data subjects, the controller shall disclose his identity in an appropriate manner, so that the data subjects can pursue their rights. In the case of data application subject to notification, communications to the data subject shall carry the controller registration number.
(2) Where data from a data application are used for purposes of a person other than the controller, without said person receiving a right of disposal and thereby the status of a controller over the used data, the communication to the data subject shall give the identity of the person for whose purposes the data are used as well as the identity of the controller from whose data application the data originate. If this concerns a data application subject to notification, the controller’s registration number shall be included in the correspondence. This obligation applies to both the controller and the person in whose name the correspondence to the data subject is communicated.
Rights of the Data Subject
Right to Information
§ 26 DSG 2000
(1) A controller shall provide any person or group of persons with information about the data being processed about the person or the group of persons who so request in writing and prove his/her identity in an appropriate manner. Subject to the agreement of the controller, the request for information can be made orally. The information shall contain the processed data, the information about their origin, the recipients or categories of recipients of transmissions, the purpose of the use of data as well as its legal basis in intelligible form. Upon request of a data subject, the names and addresses of processors shall be disclosed in case they are charged with processing data relating to him. If no data of the person requesting information exist it is sufficient to disclose this fact (negative information). With the consent of the person requesting information, the information may be provided orally alongside with the possibility to inspect and make duplicates or photocopies instead of being provided in writing.
(3) Upon inquiry, the person requesting information has to cooperate in the information procedure to a reasonable extent to prevent an unwarranted and disproportionate effort on the part of the controller.
(4) Within eight weeks of the receipt of the request, the information shall be provided or a reason given in writing why the information is not or not completely provided. The information may be refused if the person requesting information has failed to cooperate in the procedure according to para. 3 or has not reimbursed the costs.
(6) The information shall be given free of charge if it concerns the current data files of a use of data and if the person requesting information has not yet made a request for information to the same controller regarding the same application purpose in the current year. In all other cases a flat rate compensation of 18, 89 Euro may be charged; deviations are permitted to cover actually incurred higher expenses. A compensation already paid shall be refunded, irrespective of any claims for damages, if data have been used illegally or if the information has otherwise led to a correction.
Right to Rectification and Erasure
§ 27 DSG 2000
(4) The application for rectification or erasure shall be complied with within eight weeks after receipt and the applicant shall be informed thereof, or a reason in writing shall be given why the requested erasure or rectification was not carried out.
Right to Object
§ 28 DSG 2000
(3) § 27 para 4 to 6 shall also be applied in the cases of paras 1 and 2.