Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

1.   The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2.   The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3.   The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4.   If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5.   Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:


charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or


refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6.   Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7.   The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8.   The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

What does it mean?

Article 12 requires organizations to always communicate clearly about how they process individuals’ personal data. This involves explaining things in plain language, especially when communicating with children.

Companies should provide the information in writing, such as through privacy policies or informative emails, or orally if the individual requests it.

Article 12 of the GDPR states that organizations must make it easy for individuals to exercise their rights as outlined in Chapter 3. This means making it easy for individuals to access, rectify, and restrict their data, among other things.

An organisation must respond and comply with an individuals request as soon as possible, and at the latest within one month.

In complex situations, the organization can take up to three months to comply with the request. However, they must notify the individual about the delay as soon as possible and explain the reason for the delay.

No, it’s free. The only exception occurs if requests become excessively frequent or repetitive. The company may charge a small fee or deny the request in such cases.

The organization then bears the responsibility of justifying why the request was deemed unreasonable.

The individual has the right to file a complaint with a supervisory authority, which are the official data protection agencies in each EU country. They also have the right to take legal action.

According to Article 12, if an organisation has reasonable doubts about the identity of the person making the request, they can ask for more information to confirm their identity.

The identification of an individual can be done in several ways, such as asking for a copy an ID, and it would depend on the specific situation.

The organization is not obligated to comply with a request if it cannot identify the individual. However, the organization bears the responsibility of demonstrating that it cannot identify the individual.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.



Get Started within 24 hours.

Once you have submitted your details, you’ll be our top priority!