GDPR Art. 12: Transparent Information, Communication and Modalities
What This Control Requires
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proved by other means.
In Plain Language
When a DPA reviews your data subject communications, they are not looking for legal thoroughness - they are looking for whether a normal person can actually understand what you are telling them. Article 12 sets the quality bar for every privacy communication your organisation sends: concise, transparent, intelligible, and easily accessible. This applies across the board - privacy notices (Articles 13-14), responses to access requests (Article 15), all rights-related communications (Articles 16-22), and breach notifications (Article 34). If your privacy policy reads like a contract drafted by lawyers for lawyers, you have a problem. Information addressed to children must be even simpler and age-appropriate. Article 12 also sets the operational rules: respond to data subject requests within one month (extendable by two months for complex cases), provide information free of charge (with limited exceptions for manifestly unfounded or excessive requests), and verify identity before disclosing personal data. These deadlines are strict, and DPAs track compliance closely.
How to Implement
Build a complete data subject rights handling procedure covering the full lifecycle of a request. Define how requests come in (web form, email, post, phone), how they get logged and tracked, who handles them, how you verify identity, and how responses go out. Cover every right from Articles 15 through 22.

Create response templates for each type of request. Write them in clear, plain language - not legalese. Structure them logically, include all required information, and have them available in every language your data subjects use. Give staff guidance on customising templates while staying compliant.

Set up a request tracking system with deadline management built in. Log the date received, request type, assigned handler, any extensions (with justification), and response date. Configure automated reminders well before the one-month deadline hits. Keep a full audit trail.

Design an identity verification process that matches the risk level. Someone unsubscribing from marketing emails needs lightweight verification. Someone requesting access to sensitive data or deletion of their account needs something more robust. But do not make verification so burdensome that it becomes a barrier to exercising rights - DPAs take a dim view of that.

Audit all your privacy notices and communications against Article 12 standards. Run them through readability tools. Use layered notices, icons, or visual aids to improve accessibility. If you can, test them with real users. Pay special attention to anything directed at children - regulators scrutinise these closely.
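A minimal request tracker in the shape described above (statutory deadline from the date received, one justified extension of up to two months, reminder and overdue states, verification tier matched to request type), added here as an example and not part of this page or any product it mentions; the request-type names, tiers and seven-day reminder window are assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Verification tier by request type (names and tiers are assumptions for this example):
# lightweight for low-risk actions, robust where personal data is disclosed or erased.
VERIFICATION_TIER = {
    "objection_marketing": "lightweight",  # Art. 21 objection to direct marketing
    "rectification": "standard",           # Art. 16
    "access": "robust",                    # Art. 15, discloses personal data
    "erasure": "robust",                   # Art. 17, destroys the account
}

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class DataSubjectRequest:
    request_id: str
    request_type: str
    received: date
    handler: str
    deadline: date = None
    responded: date = None
    extended: bool = False
    audit_trail: list = field(default_factory=list)

    def __post_init__(self):
        self.deadline = add_months(self.received, 1)  # Art. 12(3): one month from receipt
        self.audit_trail.append((self.received, f"logged; deadline {self.deadline}"))

    def verification_tier(self) -> str:
        return VERIFICATION_TIER.get(self.request_type, "robust")  # unknown types: strictest tier

    def extend(self, on: date, months: int, justification: str) -> None:
        """One extension of at most two months, decided within the first month, reason recorded."""
        if self.extended or not 1 <= months <= 2 or on > self.deadline:
            raise ValueError("extension not permitted")
        self.deadline = add_months(self.deadline, months)
        self.extended = True
        self.audit_trail.append((on, f"extended by {months} month(s): {justification}"))

    def status(self, today: date, reminder_days: int = 7) -> str:
        """open / reminder (deadline within reminder_days) / overdue / closed."""
        if self.responded:
            return "closed"
        if today > self.deadline:
            return "overdue"
        return "reminder" if (self.deadline - today).days <= reminder_days else "open"
```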
Evidence Your Auditor Will Request
- Documented data subject rights handling procedures with defined workflows and responsibilities
- Response templates for each type of data subject right request
- Request tracking system showing compliance with one-month deadline
- Identity verification procedures for data subject requests
- Examples of privacy notices demonstrating clear and plain language
Common Mistakes
- Privacy notices written in dense legal language that is not understandable by the average person
- No formal process for handling data subject requests, leading to missed deadlines or inconsistent responses
- Failure to respond to data subject requests within the one-month timeframe
- Identity verification requirements that are so burdensome they effectively prevent data subjects from exercising their rights
- No tracking system for data subject requests, making it impossible to demonstrate compliance with response timelines
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001 | A.5.34 | Related |
Frequently Asked Questions
Can we charge a fee for responding to data subject requests?
What if we need more than one month to respond?
How do we verify the identity of someone making a request?