Lex.

General Data Protection Regulation

Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Holdings

/
C-526/2419 Mar 2026

Brillen Rottler GmbH & Co. KG v TC

A first request for access to personal data under Article 15 of Regulation 2016/679 may be 'excessive' within the meaning of Article 12(5) of that regulation even where it formally complies with those provisions, if the controller shows, in the light of all the relevant circumstances, that the request was made not to find out about the processing and verify its lawfulness so that the data subject could then protect his or her rights under that regulation, but with an abusive intention, such as artificially creating the conditions for obtaining an advantage from that regulation. Publicly available information that the data subject has made many access requests to various controllers and then brought claims for compensation may be taken into account in establishing that abusive intention.

C-757/2211 Jul 2024

Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V.

The condition in Article 80(2) that an authorised entity must claim that a data subject's GDPR rights were infringed 'as a result of the processing' is satisfied where the entity alleges that the infringement occurred in the course of processing personal data and resulted from the controller's failure to provide, at the latest when the data were collected, the information required by the first sentence of Article 12(1) and Article 13(1)(c) and (e), in a concise, transparent, intelligible and easily accessible form, using clear and plain language. That includes information on the purposes of the processing and the recipients of the data.

C-307/2226 Oct 2023

FT v DW

A controller must provide the data subject, free of charge, with a first copy of the personal data undergoing processing, even if the request is made for reasons unrelated to those mentioned in the first sentence of recital 63.

C-154/2112 Jan 2023

RW v Österreichische Post AG

Where personal data have been or will be disclosed to recipients, the controller must provide the data subject with the recipients' actual identities. If identifying those recipients is impossible, or if the controller shows that the requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of Regulation 2016/679, it may provide only the categories of recipient concerned.