Chapter 3 of the GDPR enumerates the rights of the data subjects. Data subjects are the identifiable natural persons as per the Definition clause. We have already discussed in detail the principles based on which the GDPR functions. But it is equally important to be aware of the rights of the data subjects because the law does not help the individual who is ignorant of his/her rights.
Article 12 throws light on the duties of the data controller when a request is put forth by the data subject in exercise of his or her rights as provided for in the GDPR:
- The first and foremost duty of the data controller is to provide information in keeping with the principle of transparency, i.e. the data controller shall provide information to the data subject, especially when it relates to Articles 13 to 22, in a clear, concise and intelligible manner. This easily understood information must be given to the data subject preferably in writing or by electronic means, as deemed appropriate. However, there is no bar to information being provided orally as long as the identity of the data subject is established.
- Under Article 12, the data controller is obliged to accede to the request of the data subject if the request falls under Articles 15-22. As an exception, the data controller shall reject the request if it is unable to identify the data subject.
- When a data subject requests information under Articles 15-22, the data controller must respond within a time period of one month. This time period can be extended to 2 months depending on the nature and number of requests. The data subject must also be informed of the time extension.
- If the data controller fails to take action on a request, it must inform the data subject of the delay, along with the reasons for it, within one month of receiving the request. The data subject also has the right to know if the data controller is considering approaching a supervisory authority in relation to the request he or she has put forth.
- Information provided in response to requests made under Articles 13-22 shall be free of charge. The data subject shall not incur any expenses. However, if the GDPR is being misused by the data subject under the garb of exercise of rights, then the data controller has the right to charge a fee to provide the information or even outright refuse to accede to the request.
  This is a balanced approach: if data subjects were given a free hand, there is a high chance that they would make constant requests for information, some of which might be frivolous.
- The data controller shall request additional information from the data subject to ascertain his or her identity to respond to the request made under Articles 15-22. This shall be without prejudice to Article 11.
- Lastly, the information provided by the data controller in response to a request made under Articles 13 and 14 shall be articulated with the help of icons so that the data subject gets a complete understanding of how his or her data is being processed.
The above lists the obligations of the data controller when a request is made by the data subject. But the above obligations, duties and rights are not absolute. When these conflict with the restrictions imposed by the Union or Member State law, the latter shall prevail as they have been imposed keeping in mind the public interest. Again, the restrictions must not be arbitrary but in consonance with the European Convention for the Protection of Human Rights and Fundamental Freedoms.