CHAPTER III Rights of the data subject

Section 1 Transparency and modalities

 

Author: Alexander Dix

 

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

 

A. Preliminary remarks

Information and transparency are the basis of informational self-determination. One of the principles laid down in Art. 5 para. 1 lit. a state that personal data shall be processed in a transparent manner in relation to the data subject. Furthermore clear and precise rights of the data subject which controllers have to respect form another basis of data protection. Only the data subject’s “informed” consent can form a legal basis for the processing of his data (Art. 4 No. 11) . The European Union has increased transparency requirements for processing personal data in the GDPR considerably in comparison with the Directive 46/95. Recitals 39 and 58 explicitly mention the principle of transparency which is to be followed when processing personal data. This is not only reflected by the rights of the data subject in Chapter III but also by the duty to notify the supervisory authority and the data subject of certain personal data breaches under Art. 34. Furthermore, controllers shall take measures under Art. 25 which consist inter alia of “transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing” (Recital 78). Strengthening the rights of the data subject – in addition to tightening controllers’ duties – is a central element of the reform of European data protection law in view of the still prevailing concealed data practices by many controllers. In particular, as the Court of Justice has pointed out, the data subject’s rights to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data are an essential part of the fundamental right to effective judicial protection under Art. 47 of the Charter which have to be taken into account when ascertaining the adequate level of protection in any third country under Art. 45 para. 2 lit. a (“effective and enforceable data subjects’ rights”).

The catalogue of data subject’s right is preceded by a list of horizontal duties of the controller in Art. 12 which is not limited to the generic duty to respect the rights of the data subject. The Regulation goes further in requiring the controller to provide the data subject with the prescribed information in a certain manner and within a specific time limit and to generally facilitate the exercise of his rights. Thus, the rights of the data subject to information (Art. 12–15) as well as to control the data processing (Art. 16–22) are strengthened considerably. In addition, the Regulation increases the duties to actively provide for transparency which the controller must comply with irrespectively of the data subject exercising his right.

In general Chapter III of the Regulation illustrates that access to information is a prerequisite of the right to informational self-determination in the same way as it is a prerequisite for exercising freedom of expression. Therefore the rights to be informed and the corresponding duties to inform substantiate the primary guarantees of Art. 8 of the European Charter of Fundamental Rights and Art. 16 TFEU. The Regulation secures the exercise of fundamental rights by specific procedural rules. Art. 12 highlights the close link between data protection and transparency, which has led to suggestions to integrate data protection law in general transparency laws. The relationship between the GDPR and national rules on public access to official documents is addressed in Art. 86. The Province of Québec and the Kanton Zürich have regulated for data protection and freedom of information in consolidated Acts.

Information and transparency are only necessary but not sufficient (exclusive) conditions for the lawful processing of personal data. If e.g., a provider of a website in his privacy policy informs users that he will not honour “Do-not-track”-settings in browsers this will not in itself justify the processing of personal data generated using the website. Likewise, the controller’s notice that he will collect and process personal data which are not necessary for the performance of a contract (Art. 6 para. 1 lit. b) or for the purposes of the legitimate interests pursued by the controller of by a third party (Art. 6 para. 1 lit. f) does not legalise such a collection or processing of personal data.

Rights of the data subject are not restricted to Chapter III of the GDPR. Furthermore, the right of the data subject to revoke a consent given (Art. 7 para. 3), to lodge a complaint with a supervisory authority (Art. 77) or to go to court (Art. 78, 79), to mandate a non-for-profit body, organisation or association to lodge a complaint on his behalf (Art. 80) or to claim compensation (Art. 82). All these rights as well corresponding obligations of controllers are non-negotiable, i.e., they cannot be waived by contract.

 

 

[…]