Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter III Rights of the data subject

Section 1 Transparency and modalities

Article 12 Procedures and mechanisms for exercising the rights of the data subject

October 2013

Article 12(1)

1. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically where possible.

Article 12(2)

2. The controller shall inform the data subject without undue delay and, at the latest within 40 calendar days of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing and, where possible, the data controller may provide remote access to a secure system which would provide the data subject with direct access to their personal data. Where the data subject makes the request in electronic form, the information shall be provided in electronic form where possible, unless otherwise requested by the data subject.

Article 12(3)

3. If the controller does not take action on the request of the data subject, the controller shall inform the data subject of the reasons for the inaction and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

Article 12(4)

4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs for providing the information or taking the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

Article 12(5)

5. (deleted)

Article 12(6)

6. (deleted)

[Source: October 2013]

Recital 47

(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a reasonable deadline and give reasons, in case he does not comply with the data subject’s request.

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 12 obliges the controller to provide procedures and mechanisms for exercising the data subject's rights, including means for electronic requests, requiring response to the data subject's request within a defined deadline, and the motivation of refusals.

[Source: January 2012 | Context: Proposal from the European Commission]

Article 12(1) [Amended: October 2013]

1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.

Article 12(2) [Amended: October 2013]

2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

Article 12(3) [Amended: October 2013]

3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

Article 12(4) [Amended: October 2013]

4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

Article 12(5) [Deleted: October 2013]

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.

Article 12(6) [Deleted: October 2013]

6. The Commission may lay down standard forms and specify standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 47 [Amended: October 2013]

(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject's request.

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]