Artikolu 12 📖 RĠPD (GDPR). Informazzjoni, komunikazzjoni u modalitajiet trasparenti għall-eżerċizzju tad-drittijiet tas-suġġett tad-data

Artikolu 12 RĠPD (GDPR). Informazzjoni, komunikazzjoni u modalitajiet trasparenti għall-eżerċizzju tad-drittijiet tas-suġġett tad-data

Article 12 GDPR. Transparent information, communication and modalities for the exercise of the rights of the data subject

1. Il-kontrollur għandu jieħu miżuri adatti biex jipprovdi kwalunkwe informazzjoni msemmija fl-Artikoli 13 u 14 u kwalunkwe komunikazzjoni skont l-Artikoli 15 sa 22 u 34 relatata mal-ipproċessar lis-suġġett tad-data f’forma konċiża, trasparenti, intelliġibbli u faċilment aċċessibbli, bl-użu ta’ lingwaġġ ċar u sempliċi, b’mod partikolari għal kwalunkwe informazzjoni indirizzata speċifikament lil minorenni. L-informazzjoni għandha tiġi pprovduta bil-miktub, jew b’mezzi oħra, inkluż, fejn xieraq, b’mezzi elettroniċi. Meta tintalab mis-suġġett tad-data, l-informazzjoni tista’ tingħata bil-fomm dment li tingħata prova tal-identità tas-suġġett tad-data b’mezzi oħra.

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Linji ta 'Gwida & Ġurisprudenza Premessi Testi relatati

Linji ta 'Gwida & Ġurisprudenza

(EN)

Documents

Article 29 Working Party, Opinion 2/2010 on behavioural advertising (2010):

The obligation to provide the necessary information and obtain data subjects’ consent ultimately lies with the entity that sends and reads the cookie. In most cases, this is the ad network provider. When publishers are joint-controllers, for example in those cases where they transfer directly identifiable information to ad network providers, they are also bound by the obligation to provide information to data subjects about the data processing.

Premessi

(58) Il-prinċipju tat-trasparenza jeħtieġ li kwalunkwe informazzjoni indirizzata lill-pubbliku jew lis-suġġett tad-data tkun konċiża, aċċessibbli faċilment u faċli li tinftiehem, u li jintuża lingwaġġ ċar u sempliċi u, barra minn hekk, fejn meħtieġ, tintuża l-viżwalizzazzjoni. Tali informazzjoni tista' tingħata f'forma elettronika, pereżempju, meta tiġi indirizzata lill-pubbliku, permezz ta' sit elettroniku. Dan huwa partikolarment rilevanti f'sitwazzjonijiet fejn il-proliferazzjoni ta' atturi u l-kumplessità teknoloġika tal-prattika jagħmluha diffiċli għas-suġġett tad-data li jkun jaf u jifhem jekk hijiex, minn min u għal liema għan qed tinġabar data personali dwaru, bħal fil-każ ta' reklamar online. Minħabba li t-tfal jistħoqqilhom protezzjoni speċifika, kwalunkwe informazzjoni u komunikazzjoni, fejn l-ipproċessar huwa indirizzat lil xi minorenni, għandha tkun f'lingwaġġ ċar u sempliċi li l-minorenni jista' jifhem faċilment.

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Testi relatati

Artikolu 13 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn tinġabar data personali mis-suġġett tad-data

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

Artikolu 14 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn id-data personali ma tkunx inkisbet mis-suġġett tad-data

Article 14 GDPR. Information to be provided where personal data have not been obtained from the data subject

Artikolu 15 RĠPD (GDPR). Dritt ta' aċċess mis-suġġett tad-data

Article 15 GDPR. Right of access by the data subject

Artikolu 16 RĠPD (GDPR). Dritt għar-rettifika

Article 16 GDPR. Right to rectification

Artikolu 17 RĠPD (GDPR). Dritt għal tħassir (“dritt li wieħed jintesa”)

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

Artikolu 18 RĠPD (GDPR). Dritt għal restrizzjoni tal-ipproċessar

Article 18 GDPR. Right to restriction of processing

Artikolu 19 RĠPD (GDPR). Obbligu ta' notifika rigward rettifika jew tħassir ta' data personali jew restrizzjoni tal-ipproċessar

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Artikolu 20 RĠPD (GDPR). Dritt għall-portabbiltà tad-data

Article 20 GDPR. Right to data portability

Artikolu 21 RĠPD (GDPR). Dritt ta' oġġezzjoni

Article 21 GDPR. Right to object

Artikolu 22 RĠPD (GDPR). Teħid ta' deċiżjonijiet individwali awtomatizzati, inkluż tfassil ta' profili

Article 22 GDPR. Automated individual decision-making, including profiling

Artikolu 34 RĠPD (GDPR). Komunikazzjoni ta' ksur ta' data personali lis-suġġett tad-data

Article 34 GDPR. Communication of a personal data breach to the data subject

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.1 Transparency [24]

_{[24]Elaboration on how to understand the concept of transparency can be found in Article 29 Working Party. «Guidelines on transparency under Regulation 2016/679». WP 260 rev.01, 11 April 2018. ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025 — endorsed by the EDPB}

65. The controller must be clear and open with the data subject about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.

66. Key design and default elements for the principle of transparency may include:

•Clarity – Information shall be in clear and plain language, concise and intelligible.

•Semantics – Communication should have a clear meaning to the audience in question.

•Accessibility — Information shall be easily accessible for the data subject.

•Contextual – Information should be provided at the relevant time and in the appropriate form.

•Relevance – Information should be relevant and applicable to the specific data subject.

•Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity.

•Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.

• Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject.

• Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

Article 29 Working Party Guidelines on transparency under Regulation 2016/679

“Concise, transparent, intelligible and easily accessible”

The requirement that the provision of information to, and communication with, data subjects is done in a “concise and transparent” manner means that data controllers should present the information/ communication efficiently and succinctly in order to avoid information fatigue. This information should be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use. In an online context, the use of a layered privacy statement/ notice will enable a data subject to navigate to the particular section of the privacy statement/ notice which they want to immediately access rather than having to scroll through large amounts of text searching for particular issues.

The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc. These mechanisms are further considered below, including at paragraphs 33 to 40).

“Clear and plain language”

With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed.11 A similar language requirement (for “plain, intelligible language”) has previously been used by the EU legislator12 and is also explicitly referred to in the context of consent in Recital 42 of the GDPR13. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular the purposes of, and legal basis for, processing the personal data should be clear.

“In writing or by other means”

Of course, the use of digital layered privacy statements/ notices is not the only written electronic means that can be deployed by controllers. Other electronic means include “justin-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts.[25] “Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).

2. Il-kontrollur għandu jiffaċilita l-eżerċizzju tad-drittijiet tas-suġġett tad-data skont l-Artikoli 15 sa 22. Fil-każijiet imsemmija fl-Artikolu 11(1), il-kontrollur ma għandux jirrifjuta li jieħu azzjoni fuq it-talba tas-suġġett tad-data biex jeżerċita d-drittijiet tiegħu skont l-Artikoli 15 sa 22, ħlief jekk il-kontrollur juri li huwa ma jkunx f’pożizzjoni li jidentifika s-suġġett tad-data.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

ISO 27701 Linji ta 'Gwida & Ġurisprudenza Premessi Testi relatati

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 12(2) GDPR:

7.3.1 Determining and fulfilling obligations to PII principals

Control

The organization should determine and document their legal, regulatory and business obligations to PII principals related to the processing of their PII and provide the means to meet these obligations.

(EN) […]

(EN) Sign in
to read the full text

Linji ta 'Gwida & Ġurisprudenza

(EN)

Documents

Spanish Data Protection Agency (AEPD), Guide on use of cookies (2021).

Premessi

(59) Għandhom jiġu pprovduti modalitajiet biex jiffaċilitaw l-eżerċizzju mis-suġġett tad-data tad-drittijiet tiegħu taħt dan ir-Regolament, inklużi mekkaniżmi sabiex jintalab u jekk applikabbli, jinkiseb, bla ħlas, b'mod partikolari, l-aċċess għal u r-rettifika jew it-tħassir ta' data personali u l-eżerċizzju tad-dritt li joġġezzjona. Il-kontrollur għandu jipprovdi wkoll l-mezzi biex isiru talbiet b'mod elettroniku, speċjalment fejn id-data personali tiġi pproċessata b'mezzi elettroniċi. Il-kontrollur għandu jkun obbligat iwieġeb għal talbiet mis-suġġett tad-data mingħajr dewmien żejjed u fi żmien mhux aktar minn xahar u jagħti raġunijiet fejn il-kontrollur ma jkollux l-intenzjoni li jikkonforma ma' kwalunkwe tali talba.

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

(64) Il-kontrollur għandu juża l-miżuri kollha raġonevoli sabiex jivverifika l-identità ta' suġġett tad-data li jitlob aċċess, b'mod partikolari fil-kuntest ta' servizzi online u identifikaturi online. Il-kontrollur m'għandux iżomm id-data personali għall-għan uniku li jkun jista' jirreaġixxi għal talbiet potenzjali.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Testi relatati

Artikolu 15 RĠPD (GDPR). Dritt ta' aċċess mis-suġġett tad-data

Article 15 GDPR. Right of access by the data subject

Artikolu 16 RĠPD (GDPR). Dritt għar-rettifika

Article 16 GDPR. Right to rectification

Artikolu 17 RĠPD (GDPR). Dritt għal tħassir (“dritt li wieħed jintesa”)

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

Artikolu 18 RĠPD (GDPR). Dritt għal restrizzjoni tal-ipproċessar

Article 18 GDPR. Right to restriction of processing

Artikolu 19 RĠPD (GDPR). Obbligu ta' notifika rigward rettifika jew tħassir ta' data personali jew restrizzjoni tal-ipproċessar

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Artikolu 20 RĠPD (GDPR). Dritt għall-portabbiltà tad-data

Article 20 GDPR. Right to data portability

Artikolu 21 RĠPD (GDPR). Dritt ta' oġġezzjoni

Article 21 GDPR. Right to object

Artikolu 22 RĠPD (GDPR). Teħid ta' deċiżjonijiet individwali awtomatizzati, inkluż tfassil ta' profili

Article 22 GDPR. Automated individual decision-making, including profiling

Artikolu 11 RĠPD (GDPR). Ipproċessar li ma jeħtieġx identifikazzjoni

Article 11 GDPR. Processing which does not require identification

[…]

2. Fejn, fil-każijiet imsemmija fil-paragrafu 1 ta’ dan l-Artikolu, il-kontrollur ikun jista’ juri li mhuwiex f’pożizzjoni li jidentifika s-suġġett tad-data, il-kontrollur għandu jinforma lis-suġġett tad-data b’dan, jekk possibbli. F’tali każijiet, l-Artikoli 15 sa 20 ma japplikawx għajr fejn is-suġġett tad-data, għall-fini li jeżerċita d-drittijiet tiegħu taħt dawk l-Artikoli, jipprovdi informazzjoni addizzjonali li tippermetti li huwa jiġi identifikat.

2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

3. Il-kontrollur għandu jipprovdi informazzjoni dwar l-azzjoni meħuda fuq talba skont l-Artikoli 15 sa 22 lis-suġġett tad-data mingħajr dewmien żejjed u fi kwalunkwe każ, fi żmien xahar minn meta jirċievi t-talba. Dak il-perijodu jista’ jiġi estiż b’ xahrejn oħra fejn meħtieġ, b’kont dovut tal-kumplessità u n-numru ta’ talbiet. Il-kontrollur għandu jinforma s-suġġett tad-data dwar kwalunkwe estensjoni fi żmien xahar minn meta jirċievi t-talba, flimkien mar-raġunijiet għad-dewmien. Fejn is-suġġett tad-data jagħmel it-talba b’mezzi f’forma elettronika, l-informazzjoni għandha tiġi pprovduta b’mezzi elettroniċi, fejn ikun possibbli, sakemm ma jkunx mitlub mod ieħor mis-suġġett tad-data.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Testi relatati

Artikolu 15 RĠPD (GDPR). Dritt ta' aċċess mis-suġġett tad-data

Article 15 GDPR. Right of access by the data subject

Artikolu 16 RĠPD (GDPR). Dritt għar-rettifika

Article 16 GDPR. Right to rectification

Artikolu 17 RĠPD (GDPR). Dritt għal tħassir (“dritt li wieħed jintesa”)

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

Artikolu 18 RĠPD (GDPR). Dritt għal restrizzjoni tal-ipproċessar

Article 18 GDPR. Right to restriction of processing

Artikolu 19 RĠPD (GDPR). Obbligu ta' notifika rigward rettifika jew tħassir ta' data personali jew restrizzjoni tal-ipproċessar

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Artikolu 20 RĠPD (GDPR). Dritt għall-portabbiltà tad-data

Article 20 GDPR. Right to data portability

Artikolu 21 RĠPD (GDPR). Dritt ta' oġġezzjoni

Article 21 GDPR. Right to object

Artikolu 22 RĠPD (GDPR). Teħid ta' deċiżjonijiet individwali awtomatizzati, inkluż tfassil ta' profili

Article 22 GDPR. Automated individual decision-making, including profiling

4. Jekk il-kontrollur ma jiħux azzjoni fuq it-talba tas-suġġett tad-data, il-kontrollur għandu jinforma lis-suġġett tad-data mingħajr dewmien u mhux aktar tard minn xahar minn meta jirċievi t-talba bir-raġunijiet għalfejn ma jkunx ħa azzjoni u dwar il-possibbiltà li jitressaq ilment quddiem awtorità superviżorja u li jitfittex rimedju ġudizzjarju.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. L-informazzjoni pprovduta skont l-Artikoli 13 u 14 u kwalunkwe komunikazzjoni u kwalunkwe azzjoni skont l-Artikoli 15 sa 22 u 34 għandhom jingħataw mingħajr ħlas. Fejn it-talbiet minn suġġett tad-data jkunu manifestament bla bażi jew eċċessivi, b’mod partikolari minħabba n-natura ripetittiva tagħhom, il-kontrollur jista’ jew:

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

Testi relatati

Artikolu 13 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn tinġabar data personali mis-suġġett tad-data

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

Artikolu 14 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn id-data personali ma tkunx inkisbet mis-suġġett tad-data

Article 14 GDPR. Information to be provided where personal data have not been obtained from the data subject

Artikolu 15 RĠPD (GDPR). Dritt ta' aċċess mis-suġġett tad-data

Article 15 GDPR. Right of access by the data subject

Artikolu 16 RĠPD (GDPR). Dritt għar-rettifika

Article 16 GDPR. Right to rectification

Artikolu 17 RĠPD (GDPR). Dritt għal tħassir (“dritt li wieħed jintesa”)

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

Artikolu 18 RĠPD (GDPR). Dritt għal restrizzjoni tal-ipproċessar

Article 18 GDPR. Right to restriction of processing

Artikolu 19 RĠPD (GDPR). Obbligu ta' notifika rigward rettifika jew tħassir ta' data personali jew restrizzjoni tal-ipproċessar

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Artikolu 20 RĠPD (GDPR). Dritt għall-portabbiltà tad-data

Article 20 GDPR. Right to data portability

Artikolu 21 RĠPD (GDPR). Dritt ta' oġġezzjoni

Article 21 GDPR. Right to object

Artikolu 22 RĠPD (GDPR). Teħid ta' deċiżjonijiet individwali awtomatizzati, inkluż tfassil ta' profili

Article 22 GDPR. Automated individual decision-making, including profiling

(a) jimponi ħlas raġonevoli waqt li jqis l-ispejjeż amministrattivi talli jipprovdi l-informazzjoni jew il-komunikazzjoni jew talli jieħu l-azzjoni mitluba; jew

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) jirrifjuta li jieħu azzjoni fuq it-talba.

(b) refuse to act on the request.

Il-kontrollur għandu jerfa’ r-responsabbiltà li juri n-natura manifestament mingħajr bażi jew eċċessiva tat-talba.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Mingħajr preġudizzju għall-Artikolu 11, fejn il-kontrollur ikollu dubji raġonevoli dwar l-identità tal-persuna fiżika li tagħmel it-talba msemmija fl-Artikoli 15 sa 21, il-kontrollur jista’ jitlob li tiġi pprovduta informazzjoni addizzjonali meħtieġa biex tiġi kkonfermata l-identità tas-suġġett tad-data.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

Testi relatati

Artikolu 11 RĠPD (GDPR). Ipproċessar li ma jeħtieġx identifikazzjoni

Article 11 GDPR. Processing which does not require identification

Artikolu 15 RĠPD (GDPR). Dritt ta' aċċess mis-suġġett tad-data

Article 15 GDPR. Right of access by the data subject

Artikolu 16 RĠPD (GDPR). Dritt għar-rettifika

Article 16 GDPR. Right to rectification

Artikolu 17 RĠPD (GDPR). Dritt għal tħassir (“dritt li wieħed jintesa”)

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

Artikolu 18 RĠPD (GDPR). Dritt għal restrizzjoni tal-ipproċessar

Article 18 GDPR. Right to restriction of processing

Artikolu 19 RĠPD (GDPR). Obbligu ta' notifika rigward rettifika jew tħassir ta' data personali jew restrizzjoni tal-ipproċessar

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Artikolu 20 RĠPD (GDPR). Dritt għall-portabbiltà tad-data

Article 20 GDPR. Right to data portability

Artikolu 21 RĠPD (GDPR). Dritt ta' oġġezzjoni

Article 21 GDPR. Right to object

7. L-informazzjoni li għandha tiġi pprovduta lis-suġġetti tad-data skont l-Artikolu 13 u 14 tista’ tingħata flimkien ma’ ikoni standardizzati sabiex tingħata ħarsa ġenerali lejn l-ipproċessar intenzjonat b’mod li jidher faċilment, li jinftiehem u li jinqara sew. Fejn l-ikoni jkunu ppreżentati b’mod elettroniku, dawn għandhom ikunu jistgħu jinqraw minn magna.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

Testi relatati

Artikolu 13 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn tinġabar data personali mis-suġġett tad-data

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

Artikolu 14 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn id-data personali ma tkunx inkisbet mis-suġġett tad-data

Article 14 GDPR. Information to be provided where personal data have not been obtained from the data subject

8. Il-Kummissjoni hija mogħtija s-setgħa li tadotta atti delegati f’konformità mal-Artikolu 92 għall-finijiet li tiddetermina l-informazzjoni li għandha tiġi ppreżentata permezz tal-ikoni u l-proċeduri għall-għoti ta’ ikoni standardizzati.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Testi relatati

Artikolu 92 RĠPD (GDPR). Eżerċizzju tad-delega

Article 92 GDPR. Exercise of the delegation

Regolament Ġenerali dwar il-Protezzjoni tad-Data (RĠPD, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Kummentarju ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Ħalli kumment

Kummentarju

(EN) Different provisions of the General Data Protection Regulation provide for obligations to inform data subjects – the legal term designating common people – about the processing of their personal information. Controllers – the persons who control the processing of personal data – have to conform to certain requirements regarding how they provide the information to the data subjects, whether beforehand in a privacy notice available to the general public or when they reply to an individual request.

Article 12 addresses first the form of the information that must be provided. It must be communicated “in a concise, transparent, intelligible, and easily accessible form”. The provision further states that controllers should use “clear and plain language” in their communication. All these adjectives seem self-explanatory, but they deserve a closer look to clarify their actual meaning in the context of data protection laws.

Conciseness refers to the fact that the information must be presented briefly but also in a comprehensive manner. Controllers may have a large amount of information to provide to a person depending on the nature of the request, but they have to present it succinctly nonetheless. The principle can be translated in the manner that the information is physically presented and structured (see below). Excluding irrelevant, redundant, or unnecessary information is another way to keep the communication “concise”.

Transparency is one of the key principles of the GDPR [Article 5(1)(a), recital 39, and Guidelines on Transparency]. It must be regarded as a general obligation encompassing openness, honesty, and truthfulness. A company must proactively divulge all the necessary information about how it processes personal data or communicate it when asked for. It should not hide information nor try to bury down important details. The information must be accessible first-handed or freely transmitted when requested.

Intelligibility means that privacy-related information must be comprehensible. The concept overlaps other principles but the main idea is that the information must be easy to understand (recitals 39 and 58) and presented in a form adapted to the audience (adults, children, professionals, special context, etc.). The writing style should be simple, easily accessible words should be preferred and complex terms should be explained. The information communicated should be straightforward, avoid any ambiguity, and leave no room to interpretation.

Ease of access implies that data protection information should be easy to access. The way the information is provided should be adapted to the context or platform where it is presented. A link to the privacy policy can be prominently presented at the bottom of an email or displayed where people usually look for it on a website, in the footer, for example. It should not be hidden in a counterintuitive menu in an application where users will never think to look for it. As a rule of thumb, information about privacy in an application should never be more than “two taps away”, according to the Guidelines on Transparency.

Using clear and plain language coincides with the intelligibility principle. The language used must be adapted and tailored to the audience. Basic and easy to understand words must be preferred. Complex legal terminology should be avoided and if necessary should be clarified. Sentences and paragraphs should be short and the language structure should be kept as simple as possible (Guidelines on Transparency). Special attention must be given to that point when controllers address children (recital 58). The language used should be easily understandable to a child (see our commentary under Article 8).

Information in line with these requirements must be transmitted in “writing” or by any “other means”. The chosen mean depends on the targeted audience and it includes electronic forms such as applications or websites (recital 58). It might be provided, if adapted to the situation, through cartoons, infographics, or flowcharts (Guidelines on Transparency). Another means of providing the information is through a secure “self-service system” which would give an individual access to her/his data (recital 63). Information can even be communicated orally if requested so, provided that the data subject proves her/his identity by other means.

The form and structure of the information are also addressed by the European regulation. Privacy-related information must be clearly differentiated from other legal information such as the general terms of use (Guidelines on Transparency). It can be separated into different logic paragraphs, each one of them preceded with a heading stating its actual content. It is sometimes referred to as the “layered” approach in European documentation. The use of headings, bullets, or indents to logically structure the document – whether it is a privacy notice or an answer to a request – is a pragmatic answer to a legal obligation.

Access to information should be facilitated by controllers. They should maintain mechanisms (recital 59) through which data subjects can exercise their rights (Articles 15 to 22), receive information – where personal data are collected from them (Article 13) or obtained from third parties (Article 14) – or be informed of data breaches (Article 34). The information obligation extends to situations where the exchange of data takes place between two administrative bodies (CJEU, Smaranda Bara e.a./Președintele Casei Naționale de Asigurări de Sănătate).

Facilitating access to information can be done by resorting to a standard form. It could ease the formulation of a request by the data subject, but also the work of the controller who will receive a structured message with the needed information to process the request. It has to be noted that the use of the form cannot be made mandatory, as any other forms of requests are valid (orally, by email, through a letter, etc.).

Controllers must act quickly on data subjects’ requests. Article 12(3) imposes strict delays to provide the information requested or inform data subjects on action taken upon their request. The general rule is that controllers should proceed “without undue delay”, but the GDPR does not define the expression. It must be understood as “as soon as possible”, but at least within a calendar month after receiving the request.

Exceptionally, the period may be extended by two further months. It is possible only if the request is complex or there are many requests to be answered at the same time. The controller in such an event has to inform the data subject within the initial period of one month of her/his intention of prolonging the delay. The computation of the delay starts the day the request is received or, if applicable, after getting the confirmation of the identity of the person requesting the information or the payment of the fee.

There are circumstances where controllers may refuse to answer a request (recital 59). If they deny the request, they have to inform the data subject in the same delays mentioned above of the reasons why they refuse to act. They must also notify the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.

A request can be denied if it “manifestly unfounded or excessive” [Article 12 (5)]. It can be the case, for example, when a data subject made repetitive requests over a short period of time. It can also happen if the person is making a request simply to get something in return from the organization or the individual is using data protection laws to harass the organization. The adjective “manifestly” used in the GDPR means that the request must be clearly or obviously excessive or unfounded. The burden to demonstrate that the request is “manifestly” excessive or unfounded rests on the controller’s shoulders.

It would be a better option to open a dialogue with the data subject than refusing to act on the request. A request may seem excessive or unfounded simply because it is not correctly formulated or the data subject does not fully understand her/his rights. Controllers may ask for additional details, for example, to help find the requested information. A refusal to act should be kept for extreme cases to make sure that the controller does not expose herself/himself to sanctions.

Every request should be answered free of charge [Article 12 (5) and recital 59]. A reasonable fee – based on the administrative costs necessary to provide the answer – may be imposed only in cases where the demand is deemed excessive. A data subject’s request will not be deemed excessive if s/he wants to receive additional copies of information already provided, but a fee can be charged in these circumstances. The data subject should be informed about the amount payable and the controller has the right to wait until the payment is cleared before providing the information.

If the controller has a “reasonable doubt” about the identity of the person making the request, s/he may require additional information to confirm that s/he is replying to the right person. The requested information should be proportionate to the aim of completing the identification of the person and not go beyond what is necessary to do so.

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 12 GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.

(EN) […]

(EN) Sign in
to read the full text

Premessi