UK GDPR: Transparency Requirements
Transparency Requirements [Art 12]
Rule: Controllers must provide information to data subjects in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
12.1 — Form and Manner of Communication
| Requirement | Standard |
|---|---|
| Concise | Avoid unnecessary length or detail |
| Transparent | Obvious what’s happening with data |
| Intelligible | Understandable by ordinary person |
| Easily accessible | Not hidden, easy to find |
| Clear and plain language | No legalese or technical jargon |
Written or Other Means
Information may be provided:
- In writing (paper or electronic)
- Orally (if data subject requests and identity verified)
- Using standardised icons (to give meaningful overview)
Electronic Means
If the data subject makes the request by electronic means, the response must be provided electronically where possible, unless they ask otherwise (Art 12(3)). When information is provided electronically:
- Layered approach recommended by the ICO (short notice linking to the full version)
- Must be easily accessible (not buried in T&Cs)
- Any standardised icons used must be machine-readable (Art 12(7)); a machine-readable format for the data itself is a portability requirement under Art 20, not an Art 12 transparency requirement
12.2 — Facilitate Exercise of Rights
Controller must facilitate exercise of data subject rights (Arts 15-22):
| Action Required | Example |
|---|---|
| Make it easy | Clear “Access My Data” button, not email-only |
| Don’t create barriers | No unnecessary identity verification |
| Provide information on rights | Explain rights in privacy notice |
| Respond promptly | Without undue delay and at the latest within one month (Art 12.3) |
Prohibited: Making rights exercise unreasonably difficult (e.g., “send notarized letter by post only”).
12.3 — Response Deadlines
| Milestone | Rule |
|---|---|
| Day 1 | The day the request is received. Per ICO guidance, if you reasonably need identity confirmation or clarification first, the month runs from the day you receive that information |
| Deadline | Without undue delay and at the latest within one calendar month (the same date in the following month, or the last day of that month if there is no corresponding date; if that falls on a weekend or bank holiday, the next working day), not a fixed 30 days |
| Extension | Up to two further months where necessary, taking into account the complexity and number of requests |
| By the deadline | Provide the information, or explain why you are not acting |
If extension needed:
- Inform the data subject within one month of receiving the request
- Explain the reasons for the delay
The duty to point the data subject to the ICO and to a judicial remedy attaches to a refusal to act (Art 12(4)), not to an extension.
12.4 — Free of Charge (Default) [Art 12(5)]
Providing information and facilitating rights is free of charge, EXCEPT:
Exceptions to Free Service
- Manifestly unfounded or excessive requests
  - Repetitive requests (e.g. the same data requested monthly)
  - Clearly no genuine interest in exercising the right
  - Controller may charge a reasonable fee OR refuse to act
  - Burden is on the controller to demonstrate that the request is manifestly unfounded or excessive
- Additional copies of data (Art 15(3))
  - First copy: free
  - Further copies: reasonable fee
Any fee must be based on administrative costs, not profit.
12.5 — Right to Refuse [Art 12(4)-(5)]
Controller may refuse to act on a request if it is:
- Manifestly unfounded
- Excessive (particularly because it is repetitive)
The controller bears the burden of demonstrating this (Art 12(5)).
If refusing, the controller must (Art 12(4)):
- Inform the data subject without delay and at the latest within one month of receipt
- Explain the reasons for not acting
- Inform of the right to complain to the ICO
- Inform of the right to seek a judicial remedy
Standard: High threshold. Most legitimate requests must be honoured; partial refusals (acting on part of a request) are still subject to the same notification duties.
12.6 — Identity Verification [Art 12(6)]
If the controller has reasonable doubts about the identity of the person making the request:
- May request additional information
- Only the information necessary to confirm identity
- Proportionate to the risk (the sensitivity of the data and the harm if it reached the wrong person)
- Verification data collected for this purpose should not be kept longer than needed
Examples:
- Request from an email address already associated with the data subject's account or business relationship: normally no extra verification needed
- Request from an unknown address asking for sensitive data: verification required
- Request via an online portal behind a login: the existing authentication is normally sufficient
Prohibited: Excessive identity checks used as a barrier to the exercise of rights (e.g. demanding a passport copy for a request that only asks which marketing lists the person is on).
12.7 — Standardised Icons [Art 12(7)-(8)]
Controllers may use standardised icons, in combination with the written information, to give a meaningful overview of the intended processing:
- Must be machine-readable where presented electronically
- Supplement, not replace, the written information
- Art 12(8) leaves the specification of icons to regulations made by the Secretary of State; no standardised set has yet been prescribed, so icons remain optional
12.8 — Accountability [Art 5(2), Art 24]
Controller must be able to demonstrate compliance:
- Evidence of timely responses
- Records of requests and how handled
- Policies on responding to rights requests
- Training for staff handling requests
Communication with Children
Art 12(1) singles out information addressed specifically to a child. Special considerations when the data subject is a child:
- Use age-appropriate language
- Shorter, simpler explanations
- Visual aids where helpful
- Consider capacity to understand (Art 8: age 13 for consent to information society services in the UK)
Penalties for Non-Compliance
Failure to provide transparent information or to respond properly to requests is an infringement of data subjects' rights under Arts 12 to 22, which falls in the higher fining tier:
- Administrative fines up to £17.5M or 4% of total worldwide annual turnover, whichever is higher (Art 83(5)(b); the £8.7M / 2% maximum in Art 83(4) applies to other obligations)
- ICO enforcement notices (DPA 2018 s.149)
- Compensation claims from data subjects (Art 82)