Want to keep learning?

This content is taken from the University of Groningen's online course, Understanding the GDPR. Join the course to learn more.
Girl looking through shades

Transparency and modalities

At this stage, we should discuss additional requirements introduced by the GDPR that must be taken into account by those engaged in the processing of personal data, such as companies, educational institutions and governments.

It needs to be mentioned that controllers need to take certain actions to ensure the rights of data subjects that will be discussed this week. These are the so-called transparency and modality requirements that can be found in Article 12 of the GDPR. By modalities, we mean different mechanisms that are used to facilitate the exercise of data subjects’ rights under the GDPR, such as those relating to different forms of information provision (in writing, spoken, electronically) and other actions to be taken when data subjects invoke their rights.


In the first place, measures must be taken by data controllers to provide any information or any communication relating to the processing to these individuals in a concise, transparent, intelligible and easily accessible form, using the language that is clear and plain. For instance, it should be done when personal data are collected from data subjects or when the latter exercise their rights, such as the right of access. This requirement of transparent information and communication is especially important when children are data subjects.


But how should this information be provided? It can be done in writing or by other means that include electronic means where it is appropriate. It is, however, also possible to provide the information orally, when it is requested by the data subject and when his or her identity is proven by other means, such as in writing or electronically.

This information and any actions associated with data subjects’ rights must be taken free of charge. In certain scenarios – when requests from data subject are clearly unfounded or excessive (specifically, when they have a repetitive character) – controllers may charge a reasonable fee or even refuse to act on the request.

Share this article:

This article is from the free online course:

Understanding the GDPR

University of Groningen

Get a taste of this course

Find out what this course is like by previewing some of the course steps before you join: