Chapter III of GDPR, Section 1 provides for some of the transparency requirements placed upon data controllers as they communicate with data subjects. It explicitly refers to several Articles 13 – 22 and Article 34. In plain English, that means:
- The controller has to provide certain information to data subjects depending on whether the personal data was collected from the data subject or was obtained elsewhere (Art. 13 & 14).
- The data subject has the right to access information related to his/her personal data and the processing activities carried out by the controller in relation to his/her data (Art. 15).
- The data subject can insist upon correction of any incorrect personal data held in relation to him/her (Art. 16).
- The data subject can request erasure of his/her personal data under certain conditions (Art. 17).
- The data subject can also demand restrictions of any data processing under certain conditions (Art. 18).
- The controller must inform anyone with whom they have shared a data subject’s personal data if there is a processing restriction or if the data needs to be erased. They must also update the data subject with a list of all recipients if the data subject requests one (Art. 19).
- The data subject has the right to port his/her data to another service provider without restriction and can receive personal data relating to him/her under certain conditions (Art. 20).
- The data subject can object to the processing of his/her information under certain conditions (Art. 21).
- The data subject has the right to not have a decision based entirely on automated processing which might lead to legal (or similarly) ramifications (Art. 22).
- The data subject has the right to be informed in the case of a data breach under certain conditions (Art. 34).
Transparency requirements (Art. 12)
We will flesh out some of these articles in some detail, but for now let's consider the transparency requirements themselves under Article 12, which sets out the various communication and related requirements placed upon a controller in the above scenarios.
First and foremost, when communicating with a data subject, the controller must ensure such communication is in a "concise, transparent, intelligible and easily accessible form, using clear and plain language". This is especially true when the data subject is a child.
Communications should be in writing most of the time. If the controller can prove the identity of the data subject, then they can deliver the information orally, however, this must be at the behest of the data subject themselves.
Controllers should also respect and facilitate the exercise of the above rights (depending on eligibility criteria). GDPR states that they may only refuse if they can prove that they cannot verify the identity of the data subject.
Article 12 also sets out some turnaround times for controllers. With the exception of Article 34, which relates to data breach notifications, controllers must provide updates on any action taken (or not taken, for that matter) to the data subject(s) as soon as possible - although realistically they are allowed up to one month from receipt of the request to do so. In some complex cases, this can be extended to three months total, and that extension triggers a further requirement to update the data subject(s) with the reasons for the delay, again within one month. Furthermore, if the controller hasn't complied with the request, they have to include information on the complaint procedure with the relevant supervisory authority and judicial remedies
Finally, a data subject can't be charged for making a request based on a data subject right, at least most of the time. If a data subject makes an unreasonable request eg, due to the size or repetitive nature of the request, then the controller can take administrative costs into account and charge a "reasonable fee" or just refuse to help at all. If that's the case, the controller better have an excellent justification for doing so because the burden of proof will lie with them.