Modalities - to whom, how, and when
Article 12(2) requires controllers to facilitate the exercise of data subject rights. Unlike the Directive, the GDPR expects the controller to use all reasonable measures to verify the identity of the person making the request (Recital 64). Where there is reasonable doubt about who is asking, the controller may request additional information (Article 12(6)), but it is not obliged to acquire or hold extra personal data solely to link its records to a data subject (Article 11).
On timing, Article 12(3) sets one month from receipt of the request as the normal window, extendable by two further months where necessary given the complexity and number of requests; any extension, with reasons, must be notified to the data subject within that first month. If the controller will not act on the request at all, Article 12(4) requires it to say so within the same month, give its reasons, and tell the data subject that they may lodge a complaint with a supervisory authority and seek a judicial remedy.
Honouring rights electronically has security implications. Email encryption is still not widespread, so a response sent in the clear, or to the wrong person, can itself amount to an unauthorised disclosure, i.e. a personal data breach. Controllers therefore need delivery channels that are both safe and accountable: the data should reach the verified requester only, and the controller should be able to show afterwards what was sent, to whom, and when.
- Electronic requests get electronic answers - unless the data subject asks for another format
- Someone who discloses a disability may, for example, ask for data in hard copy
- Responses are generally free of charge; a reasonable fee, or a refusal, is permitted only where a request is manifestly unfounded or excessive, and the controller bears the burden of demonstrating that (Article 12(5))
- Acknowledge receipt and clarify what is requested before acting