In one sentence. GDPR Article 12 sets the modalities that govern how the controller communicates with data subjects: information must be provided in concise, transparent, intelligible and easily accessible form, using clear and plain language, free of charge, and within one month of receipt (extendable by two further months where requests are complex or numerous). Identity verification is allowed only where there is reasonable doubt about the requester's identity, and must be proportionate.
Article 12 is the procedural backbone for every data subject right — access, rectification, erasure, objection, portability. While Articles 15-22 define the rights themselves, Article 12 governs how the controller responds. Most CNIL sanctions for “denied data subject requests” actually cite Article 12 violations: language too legal, response too late, asymmetric ID verification.
For the rights themselves, see right of access (Article 15), right to erasure (Article 17), right to data portability (Article 20). For the French-language deep-dive, droit d’accès aux données personnelles (FR).
Key takeaways
- All communication with data subjects must be in clear, plain language — no legalese.
- One-month response deadline (Article 12(3)) — extendable by two months for complex requests, with notice in the original month.
- Free of charge by default — fees only allowed for manifestly unfounded or excessive requests.
- Identity verification proportionate to risk — copy of ID card cannot be required by default.
- Refusal must be motivated and include a complaint pathway (CNIL + judicial recourse).
1. Article 12 text — the operational rules
Article 12 has 8 paragraphs. The substantive rules:
- (1) Information provided in concise, transparent, intelligible, easily accessible form, with clear and plain language, especially for information addressed to a child
- (2) Controller facilitates exercise of rights under Articles 15-22
- (3) Information provided without undue delay and in any event within one month of receipt; extendable by two further months where necessary given the complexity and number of the requests, with the data subject told of the extension and its reasons within the initial month; a request made electronically is answered electronically where possible, unless the data subject asks otherwise
- (4) If no action is taken, the controller informs the data subject without delay (and at the latest within one month of receipt) of the reasons, of the possibility of lodging a complaint with a supervisory authority, and of the possibility of seeking a judicial remedy
- (5) Information under Articles 13-14 and any communication or action under Articles 15-22 and 34 are free of charge; for manifestly unfounded or excessive requests (in particular repetitive ones) the controller may either charge a reasonable fee based on administrative costs or refuse to act, and bears the burden of demonstrating that character
- (6) Where reasonable doubts about identity, controller may request additional information
- (7) Information may be combined with standardized icons (delegated act pending)
- (8) Commission empowered to adopt delegated acts (Article 92) determining the information the icons present and the procedures for providing them (not yet adopted)
2. The “clear and plain language” requirement
Most-violated clause. The CNIL has sanctioned controllers for:
- Privacy notices using direct GDPR article references with no explanation
- “Standard contractual clauses” mentioned without explaining what they are
- “Legitimate interest” invoked without describing the actual interest
- Notices longer than the actual contract
Test: a typical user (not a lawyer) reads the notice and can answer:
- Who is processing my data?
- What data?
- Why?
- For how long?
- Who else gets it?
- What can I do?
If any answer requires re-reading or follow-up research, the notice fails Article 12(1).
3. The one-month response deadline (Article 12(3))
Counted from the date the request is received (not the date it’s understood, qualified, or assigned to a team).
Extension: up to two more months, total maximum three months. Conditions:
- Complex request (e.g., extensive volume, multiple systems)
- Notification to the data subject within the initial one-month explaining the extension and the reason
- Extension is the exception, not the rule
Common failure: silently missing the deadline. Article 12(4) requires a response (even if just to refuse) within one month — silence itself is a violation.
4. Free of charge — and when fees are allowed (Article 12(5))
Default: free. The controller may charge only when the request is:
- Manifestly unfounded — clearly without merit
- Manifestly excessive — particularly because of repetition
Practical bar is high. The EDPB has clarified that “manifestly” means obvious to a reasonable observer. Slight inconvenience to the controller doesn’t qualify.
When fees are allowed: they must be reasonable, based on actual administrative cost and stated transparently. The alternative under Article 12(5)(b) is to refuse to act; either way the controller bears the burden of demonstrating that the request is manifestly unfounded or excessive, so document that reasoning before invoking it.
5. Identity verification — proportionate to risk (Article 12(6))
The controller may request additional information where reasonable doubts about the requester’s identity exist. Two conditions:
- Reasonable doubt must exist (not blanket policy)
- Request must be necessary to confirm identity — not gather additional data
Common failure (sanctioned by CNIL): requiring a copy of national ID for every data subject request. The CNIL has stated this is disproportionate and itself a violation of data minimization.
Acceptable identity verification:
- For account holders: login credentials, security question, email confirmation to address on file
- For non-account holders: name + email + last interaction date + an additional unique fact (postal address, customer reference)
- For doubt cases only: copy of ID with sensitive fields (photo, ID number, biometrics) masked
6. Refusal of requests — Article 12(4)
If the controller doesn’t act on a request, they must respond within one month with:
- Motivation — why the request is refused
- Right to lodge a complaint with a supervisory authority (best practice: name the competent DPA and give its contact details, e.g. CNIL, BfDI)
- Right to judicial recourse
A refusal without these elements is itself a violation.
Legitimate refusal grounds (limited):
- Article 11: the controller can demonstrate that it is not in a position to identify the data subject, and the data subject cannot supply what is needed to identify them
- Article 12(5)(b): the request is manifestly unfounded or excessive (the controller bears the burden of proof)
- Article 14(5): exemptions from the information duty where data were not obtained from the data subject (this concerns notices, not requests under Articles 15-22)
- Article 23: Union or Member State law restrictions (national security, defence, prevention and prosecution of crime, etc.)
- The right-specific exceptions: Article 15(4) (rights and freedoms of others), Article 17(3) (erasure exceptions such as legal obligations or legal claims), Article 20(4) (portability must not adversely affect others), Article 21(1) (compelling legitimate grounds overriding an objection)
Even where one of these applies, Article 12(4) still requires a reasoned response within one month that states the complaint and judicial pathways.
7. Standardized icons (Article 12(7))
The Commission has not yet adopted the delegated act provided for in Article 12(8) that would define the standardized icons. In the meantime, controllers may use icons alongside (not instead of) the Article 13-14 information, but they carry no legal weight; where presented electronically they must be machine-readable (Article 12(7)). Some Member States (Germany, France) have produced unofficial icon guidance.
8. Practical implementation
Communication channel
- Dedicated email (privacy@…, dpo@…, rgpd@…)
- Optional: in-app form for account holders
- Postal mail address (must be available for non-digital users)
Internal workflow
- Reception — log timestamp, classify request type
- Acknowledgment — within 5 working days (best practice)
- Identity check — proportionate to risk (account login OR name + 2 distinguishing facts)
- Coordination — IT + relevant business units (HR, marketing, support)
- Response — in clear language; for an access request, the personal data themselves plus the eight items listed in Article 15(1)(a)-(h)
- Logging — keep the response on file for 5 years (proof of compliance)
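Worked example, added here and not part of the original page or of Legiscope's own software: a small Python register that applies the section 3 deadline rules (clock starts on receipt, one extension of up to two months, notified with reasons within the initial month, silence past the deadline is a breach) to the reception and logging steps of this workflow. It assumes calendar-month counting in the Regulation 1182/71 style (same day of the target month, clamped to month end, Saturday/Sunday rolled to the next working day; public holidays are not modelled), reads a valid extension as three months in total from receipt, and every name in it (DataSubjectRequest, triage, the DSAR-… identifiers, the sample dates) is illustrative.

```python
"""DSAR deadline register (added illustration; not the page's or Legiscope's code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Calendar-month arithmetic in the Regulation 1182/71 style (assumed convention):
    the period ends on the same day-of-month in the target month; when that day does
    not exist (31 Jan + 1 month), it ends on the last day of that month (28/29 Feb)."""
    year, month0 = divmod(start.month - 1 + months, 12)
    year += start.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday deadline to Monday. Public holidays vary by Member State
    and are deliberately not modelled (assumption: extend this for your jurisdiction)."""
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass
class DataSubjectRequest:
    request_id: str
    received: date            # Article 12(3): the clock starts on receipt, not on triage
    right: str                # e.g. "access" (Art. 15), "erasure" (Art. 17)
    extension_notified: date | None = None
    extension_reason: str = ""
    responded: date | None = None

    def initial_deadline(self) -> date:
        return next_working_day(add_months(self.received, 1))

    def deadline(self) -> date:
        # With a valid extension the total is three months from receipt (assumed reading).
        months = 3 if self.extension_notified else 1
        return next_working_day(add_months(self.received, months))

    def extend(self, notified_on: date, reason: str) -> None:
        """Record an Article 12(3) extension, rejecting the usual mistakes."""
        if self.extension_notified is not None:
            raise ValueError("only one extension of up to two months is allowed")
        if notified_on > self.initial_deadline():
            raise ValueError("extension must be notified within the initial month")
        if not reason.strip():
            raise ValueError("the data subject must be told the reason for the extension")
        self.extension_notified, self.extension_reason = notified_on, reason

    def status(self, today: date) -> str:
        if self.responded is not None:
            return "closed_on_time" if self.responded <= self.deadline() else "closed_late"
        if today > self.deadline():
            return "overdue"  # silence past the deadline is itself an Article 12(4) breach
        if (self.deadline() - today).days <= 7:
            return "due_this_week"
        return "open"


def triage(requests: list[DataSubjectRequest], today: date) -> list[tuple[str, str, date]]:
    """Work queue for the privacy team: unanswered items ordered by statutory deadline."""
    pending = [r for r in requests if r.responded is None]
    pending.sort(key=lambda r: r.deadline())
    return [(r.request_id, r.status(today), r.deadline()) for r in pending]


if __name__ == "__main__":
    # Constructed sample register; the requests and dates are invented for illustration.
    register = [
        DataSubjectRequest("DSAR-001", date(2024, 1, 31), "access"),
        DataSubjectRequest("DSAR-002", date(2024, 5, 31), "erasure"),
    ]
    register[0].extend(date(2024, 2, 20), "data spread over three legacy systems")
    for row in triage(register, date(2024, 6, 10)):
        print(row)  # DSAR-001 is overdue (30 Apr 2024); DSAR-002 is due 1 Jul 2024 (30 Jun is a Sunday)
```

The guards in extend() encode the three conditions listed in section 3; what the register cannot decide is whether a request was genuinely complex, which remains a judgement to be recorded in the reason field and sent to the data subject, not just stored internally.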
Templates
- Acknowledgment email
- Identity verification request (when needed)
- Response template for each right (access, erasure, etc.)
- Refusal template with complaint pathway
9. Sanctions for Article 12 violations
The CNIL has sanctioned several controllers in 2022-2025 on grounds that include Article 12:
- Brico Privé (CNIL, 2023): €500K for a bundle of breaches (retention, information, handling of erasure requests, security)
- Cdiscount (CNIL, 2023): €250K — partial response, language unclear
- Dedalus (CNIL, 2022): €1.5M — partly Article 12 (response inadequate)
- Multiple SMB sanctions €5K-€50K — silent refusal, missed deadline
When citing these internally, quote the deliberation number and the articles actually listed in the decision rather than press summaries: the amounts usually bundle several breaches, and Article 12 is rarely the only ground.
Article 83(5)(b) places violations of data subjects' rights under Articles 12-22 in the highest tier: up to €20M or 4% of worldwide annual turnover, whichever is higher.
10. Tooling
Legiscope handles the data subject request workflow: ticketing, identity verification protocol, coordination across business units, response template generation, deadline tracking. For a company receiving 10+ requests/month, the time saving is 30-60 minutes per request.
For related deep-dives: right of access GDPR, right to erasure GDPR, data portability right, GDPR information notices.
Conclusion
Article 12 turns the abstract “data subject rights” of Articles 15-22 into operational obligations: respond in clear language, on time, free, with proportionate ID verification. Its violations are visible to regulators on first audit — the response email itself is the evidence. Build the workflow before the first request arrives, not after.
FAQ
What is the deadline to respond to a data subject request under GDPR?
One month from receipt, extendable by two more months for complex or numerous requests. The extension must be notified to the data subject within the initial one-month period with the reason.
Can I charge a fee for a data subject access request?
No, unless the request is manifestly unfounded or excessive. The fee bar is high — the EDPB has clarified “manifestly” means obvious to a reasonable observer. Slight inconvenience doesn’t qualify. When fees are charged, they must be reasonable and based on actual administrative cost.
Can I require a copy of national ID for every request?
No — it’s disproportionate. Article 12(6) allows additional identity information only when reasonable doubts exist. The CNIL has sanctioned this practice. Acceptable verification: account login, name + email + a distinguishing fact, or for doubt cases an ID with sensitive fields masked.
What if I refuse a data subject request?
You must respond within one month with: the reason for refusal, the right to lodge a complaint with the supervisory authority (CNIL, BfDI, etc.), and the right to judicial recourse. A silent refusal is itself a violation.
Does Article 12 apply to children’s information?
Yes, with heightened obligations — Article 12(1) explicitly mentions information addressed to a child. Use simpler language, larger fonts, and visual aids where appropriate.
Legiscope automates this for you
Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.