interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- controller 21
- data 21
- shall 17
- subject 15
- information 14
- request 13
- processing 12
- supervisory_authority 11
- provided 10
- under 7
- means 6
- articles 6
- the 6
- within 6
- taking 5
- article 5
- receipt 5
- requested 5
- protection 5
- referred 5
- icons 4
- applicable 4
- month 4
- particular 4
- communication 4
- rights 4
- provide 4
- action 4
- delay 4
- intended 4
- consultation 4
- electronic 3
- consult 3
- taken 3
- measure 3
- article 3
- articles 3
- identity 3
- period 3
- into 3
- risk 3
- account 3
- prior 3
- inform 3
- measures 3
- paragraph 3
- reasons 3
- pursuant 3
- such 3
- together 2
Article 12
Transparent information, communication and modalities for the exercise of the rights of the data subject
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory_authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
| (a) | charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or |
| (b) | refuse to act on the request. |
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
Article 36
Prior consultation
1. The controller shall consult the supervisory_authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory_authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory_authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory_authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory_authority has obtained information it has requested for the purposes of the consultation.
3. When consulting the supervisory_authority pursuant to paragraph 1, the controller shall provide the supervisory_authority with:
| (a) | where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group_of_undertakings; |
| (b) | the purposes and means of the intended processing; |
| (c) | the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation; |
| (d) | where applicable, the contact details of the data protection officer; |
| (e) | the data protection impact assessment provided for in Article 35; and |
| (f) | any other information requested by the supervisory_authority. |
4. Member States shall consult the supervisory_authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory_authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
whereas
dal 2004 diritto e informatica