Transparency is one of the most important principles of the General Data Protection Regulation. It defines how organizations must communicate with people whose personal data they collect. GDPR Article 12 focuses on exactly this: how controllers must provide information and facilitate the exercise of data subject rights in a clear, accessible, and timely manner.
Article 12 lays out practical rules for communication between organizations and individuals, requiring controllers to act in a transparent, understandable, and efficient way. The article also includes rules about timelines, identification, fees, refusal rights, and how to respond to requests.
To better understand these obligations, it is helpful to explore realistic examples that show how Article 12 works in everyday scenarios. Below are five detailed examples that demonstrate the practical application of this GDPR rule.
Example 1: A Clear and Understandable Privacy Notice for a Mobile App
Transparency begins at the moment data is collected. Article 12 requires that information be provided in a concise, transparent, intelligible, and easily accessible form, especially when the processing involves online platforms or mobile applications.
Scenario
A fitness mobile app collects:
- Name and email
- GPS data for tracking running routes
- Health-related metrics such as heart rate
- Device identifiers
Article 12 requires the app to provide a privacy notice that meets strict clarity and transparency criteria.
How Article 12 applies
To comply, the app must:
- Present the privacy policy in plain, simple language that the average user can understand.
- Avoid unnecessary legal jargon and complex sentence structures.
- Provide the information at the moment when the user signs up or first opens the app.
- Make the policy accessible at any time through the app settings.
- Explain purposes, legal bases, retention periods, and user rights clearly.
This notice must answer common questions such as:
- What data is collected?
- Why is it collected?
- For how long?
- What rights does the user have?
- How can they request deletion or access?
A key requirement is clarity. The controller cannot hide essential information deep in multiple layers of text or obscure it behind unclear terms. Article 12 requires the information to be presented in a user-friendly way. This could include:
- Short paragraphs
- Bullet-point summaries
- Section separators
- A clean visual layout
Why this matters
Modern users often skip long legal documents. Article 12 requires companies to respect people's ability to understand how their data is used. The responsibility is on the controller, not the user, to make communication clear, accessible, and intelligible.
Example 2: Responding to a Data Subject Access Request (DSAR) within One Month
GDPR Article 12 sets strict rules for how organizations must respond to user requests, including:
- Access requests
- Rectification requests
- Erasure requests
- Objection requests
- Restriction requests
- Portability requests
The controller must respond “without undue delay and in any event within one month.”
Scenario
A customer emails an online retailer asking:
“I want a copy of all the personal data you have about me, including my order history and associated information.”
This is a classic data subject access request.
How Article 12 applies
The retailer must:
- Acknowledge receipt of the request.
- Verify the identity of the requester if necessary—but only using reasonable, proportionate methods.
- Locate all relevant data relating to the customer.
- Provide the information in a structured, commonly used, and easily accessible form.
- Deliver the response within one month.
If the retailer anticipates delays because the request is complex or involves large volumes of data, Article 12 allows an extension of up to two additional months, but only if:
- The customer is notified within the first month
- The controller explains the reason for the delay
The retailer cannot ignore the request or delay it indefinitely. Article 12 ensures that data subjects have a meaningful way to exercise their rights.
Practical responsibilities under Article 12
The response must be:
- Transparent
- Free of charge (unless excessive or repetitive)
- Complete
- Written in plain language
- Delivered securely
A simple example of compliance would be emailing the customer a structured file containing:
- Their account information
- Their shipping addresses
- Their communication preferences
- Their order history
- Metadata associated with their activity
This example highlights how Article 12 guarantees timely, efficient, and transparent communication when users exercise their rights.
Example 3: Providing Information About Data Processing in a Child-Friendly Format
Article 12 emphasizes that communication must use clear and plain language, especially when directed to a child. Children require special protection because they may be less aware of risks and consequences.
Scenario
A children’s educational platform collects:
- First name
- Age
- Progress in online learning modules
- IP address
- Device data
Since the service is aimed at children, Article 12 requires the controller to communicate in a way suitable for young users.
How Article 12 applies
The privacy notice must be:
- Age-appropriate
- Easy to read
- Visually accessible
- Free from technical language
- Presented in short, simple sentences
Instead of legal wording such as:
“We process your personal data under the legal basis of legitimate interests,”
the notice should say something like:
“We use your information to make your lessons work and to help you keep track of what you’ve learned.”
The platform may also use:
- Icons
- Illustrations
- Step-by-step explanations
- Simple examples
Article 12 does not prescribe a specific design, but it requires that the child be able to understand what is happening with their data.
Why this matters
Children deserve special transparency. Article 12 ensures that:
- Companies cannot hide behind complex legal wording
- Parents understand what data is being collected
- Children understand the basics of how their information is used
This example shows that Article 12 is not merely about transparency—it is also about accessibility, fairness, and protecting the most vulnerable users.
Example 4: Handling a Request When the Controller Cannot Identify the User
Article 12 also covers situations where a controller receives a rights request but cannot identify the individual making it. This often happens when the system processes limited, anonymous, or pseudonymous data.
Scenario
A news website allows users to comment without creating accounts; it requires only a nickname. The website stores:
- The comment text
- A pseudonymous ID
- A timestamp
- General IP information used for moderation purposes
A user writes to the website requesting that “all personal data associated with me be deleted.”
How Article 12 applies
The website must:
- Evaluate whether the data it collects can identify the requester.
- Decide whether further identification is needed to fulfil the request.
- Inform the requester that the controller cannot identify them unless they provide additional information.
Under Article 12, the controller is not required to:
- Collect additional identifiers to search for the user
- Re-engineer their systems to make users identifiable
- Retain identifying data specifically for future GDPR requests
However, they must still communicate transparently and explain:
- Why identification is not possible
- What additional information would be necessary
- That the request cannot be fulfilled without identification
Why this matters
This protects both sides:
- Users: They can still exercise rights, provided they identify themselves appropriately.
- Controllers: They are not forced to collect unnecessary personal data, supporting the principle of data minimisation.
This example demonstrates how Article 12 interacts with Article 11 but adds clarity about how to handle communication when identity verification is required.
Example 5: Informing the Data Subject When a Controller Refuses a Request
Article 12 also describes how controllers must communicate when they refuse to act on a data subject request. Refusal is allowed only under certain circumstances, such as:
- When the request is manifestly unfounded
- When the request is excessive
- When requests are repetitive
- When the controller has legitimate grounds to decline
- When fulfilling the request would unreasonably affect others’ rights
Scenario
A customer asks an airline to erase all their flight history, but the airline is legally required to retain these records for safety, tax, and audit purposes. Erasure rights do not override legal obligations.
How Article 12 applies
The controller must:
- Provide a clear written explanation for the refusal.
- State the specific legal basis for the refusal.
- Inform the data subject of their right to lodge a complaint with a supervisory authority.
- Do so without undue delay and no later than one month after receiving the request.
- Communicate the refusal using plain, understandable language.
The communication cannot be vague. It must state concrete reasons such as:
- Recordkeeping obligations
- Public interest requirements
- Contractual obligations
- Legal compliance needs
The controller must also ensure that the refusal does not appear arbitrary.
Why this matters
The ability to refuse requests is necessary to protect:
- Public interest
- Legitimate business obligations
- Legal compliance frameworks
- Security and fraud prevention measures
But Article 12 ensures that refusals are handled in a transparent, fair, and accountable manner. Users must always receive clear communication and have a path to escalate their concerns.
Why GDPR Article 12 Is Critical for Trust and Communication
The examples above highlight the broad practical scope of Article 12. It is not limited to privacy notices or data subject access responses—it influences every aspect of communication between controllers and individuals. Its core purpose is to ensure that data subjects can understand how their data is used and can exercise their rights effectively.
Article 12 strengthens:
1. Transparency
Controllers must explain data processing in clear language.
2. Accountability
Organizations must justify refusals and actions.
3. Accessibility
Information cannot be buried, hidden, or written in complex legal terminology.
4. Timeliness
All requests must be addressed within GDPR’s required deadlines.
5. Fairness
People must be able to exercise their rights meaningfully.
Article 12 is one of the most practical and frequently used parts of GDPR, because it governs:
- Privacy notices
- Communication channels
- DSAR responses
- Refusal letters
- Child-focused information
- Identity verification interactions
All these responsibilities shape a system where communication is not an afterthought but a core legal requirement.
Conclusion
GDPR Article 12 ensures that organizations communicate with individuals in a transparent, accessible, and respectful manner. From providing clear privacy notices to responding to access requests within one month, from creating child-friendly explanations to handling situations where identity cannot be confirmed, Article 12 shapes how every data subject interacts with modern digital services. It also ensures fair treatment when requests must be refused, strengthening trust and establishing accountability.