This next article, a shorter one, in our GDPR series deals with the transparency, communication, and modalities related to the rights of the data subject. This includes the responsibilities of the data controller to provide information to data subjects, the communication of action taken upon data subject request, explanation for any inaction, and actions the controller can take if the data subject is requesting information in an excessive or inappropriate manner. The information should be provided free of charge and if the controller has reasonable doubt about the identity of the data subject who submitted the request, they may request appropriate documentation from the data subject to confirm their identity.
- The controller shall take appropriate measures to provide any information related to the data subject and any communication relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information can be provided in hard copy, electronically, or orally.
- The data controller shall not refuse to act on the request of a data subject exercising their rights under this regulation unless the controller can demonstrate that they cannot identify the data subject.
- The controller shall provide the requested information to the data subject without undue delay and within one month of the request. This period can be extended for up to two months depending on the complexity and nature of the request. If such an extension occurs, the controller shall inform the data subject as soon as reasonably possible.
- If the controller takes no action, they shall inform the data subject within one month of the original request, provide the reason for the inaction, and inform them of the possibility of lodging a complaint with a supervisory authority.
- All provided information specified in later articles, and the communication, shall be provided free of charge to the data subject. If the requests are unfounded, excessive, or inappropriate, the data controller shall either charge a reasonable fee for the labor or refuse to fulfill the request. The controller must demonstrate the unfoundedness of the request to legal authority if advised to do so.
- Where the controller has reasonable doubts regarding the identity of the data subject, the controller may request documentation to confirm the identity of the data subject making the request for information.
- The information may be provided to the data subject together with standardized icons, so that it is presented in an easily visible, intelligible, and clearly legible manner for the data subject to interpret.
- The Commission shall be empowered to adopt delegated acts for the purpose of determining the information to be presented by the icons and the procedures for providing standardized icons.
HOW DOES THIS APPLY TO YOU AND ME?
We, the consumers, should know that this article gives us strong expectations about when our information must be provided to us. If we submit a request, we can expect our request to be fulfilled in about a month. If it isn’t, we are entitled to communication from the data controller about why we haven’t received it yet. This regulation also protects us from having our request denied, and we do not have to pay the controller for said information.
Where the controller gets protection is when we, the consumer, begin making erroneous requests and the requests are too absurd for a controller to fulfill. Our requests for information can’t be too outlandish and un-fulfillable. If the data controller can prove that our request is unfounded or absurd, then we might not be getting our information. So don’t be absurd, be reasonable and you’ll get what you want.
HARVEY AND ROSS
When we look back at Harvey and Ross’s dilemma, we can notice some areas where Ross fulfilled his duty as the data controller by providing Harvey all of his data as soon as reasonably possible. Ross never doubted Harvey’s identity because of their relationship. This was also provided free of charge. Good work Ross, you fulfilled your obligations… Or did he?
Where Ross failed in his obligations under Article 12 was that he didn’t communicate to Harvey that information was being transported and processed. Ross can save himself from this blunder if he can prove that the information on Harvey that was provided to the third party was completely de-identified. In other words, if Harvey can’t be identified from the information that was provided by Ross to the third-party clinic, Ross should be in the clear. If you recall from Articles 9-11 for this example, Ross encrypts the data to achieve confidentiality and also anonymizes the data before it is sent out, so he should be in good shape regarding this article at the end of the day. The data, we shouldn’t forget, was in the interest of public health, as if this wasn’t complicated enough.
These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.