GDPR Article 12 is titled "Transparent information, communication and modalities for the exercise of the rights of the data subject."
What is GDPR Article 12?
This is where the company agrees to act on all the rights in a way that is straightforward and not sneaky.
The organization is obligated to fulfil all the rights of the data subject in a way that is clear to understand, easy to access, and free of charge, especially where a child is concerned.
Why it is important for the Data Subject
This Right assures a user that they not only have the complete picture of how their data is being handled, but they are also able to access, correct, and remove that data when they want to. Many ‘free’ services online, such as social networks and search engines, offer the use of their service in exchange for a user’s data. This Right does not stop companies from selling or using personal data, but it does put the control back on the user to decide if this use is acceptable for them in exchange for the service.
What it means to the organization
If a company hasn’t done so already, they will need to map out their service and product to ensure they have all the details needed to present to the user. Their Privacy Policy should be updated to include the new information. Processes will need to be put in place to support the invoking of the rights (especially Right to Access, Rectification and Deletion).
Real-world example of GDPR Article 12
A company runs a local listing of restaurants that allows users to rate the restaurants. Users sign in with some personal details including name, address, and demographic information. The service also tracks them via GPS to analyze where they go.
As members of the service, they receive discounts and coupons on restaurants. Restaurants pay the service to access the user data. This company needs to be GDPR compliant. They will have to update their privacy policy to explain to users how their data is collected and sold to restaurants. They will need to figure out where data is necessary for the functioning of their system, and what personal data may be extra.
The GPS data is considered sensitive data. Users will need to be told that this kind of data is being taken and they should be able to opt out of being tracked in this way. The company may opt to no longer collect the data because it is not a critical piece of their app. The company will also need to create a process so that users can see what data has been collected, correct it, and ask for it to be removed if needed.