Implements GDPR Article 12 transparent communication rules: plain language, response timelines, fees, refusals, layered notices. For privacy notices and data rights.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
GDPR Article 12 establishes the overarching framework for how controllers must communicate with data subjects about data protection matters. All information under Articles 13-14 and all communications under Articles 15-22 and 34 must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. This skill covers the operational requirements for...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
GDPR Article 12 establishes the overarching framework for how controllers must communicate with data subjects about data protection matters. All information under Articles 13-14 and all communications under Articles 15-22 and 34 must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. This skill covers the operational requirements for achieving transparent communication.
Art. 12(1) — The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
Art. 12(2) — The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. The controller shall not refuse to act on the request of the data subject unless it demonstrates that it is not in a position to identify the data subject.
Art. 12(3) — Response timeline: without undue delay and in any event within one month of receipt. Extension by two further months where necessary. Notification of extension within one month with reasons.
Art. 12(4) — If the controller does not take action on the request, inform the data subject without delay and at the latest within one month: reasons for not taking action, possibility of lodging a complaint with a supervisory authority, and seeking a judicial remedy.
Art. 12(5) — Information under Articles 13 and 14 and any communication and actions under Articles 15 to 22 and 34 shall be provided free of charge. Where requests are manifestly unfounded or excessive, the controller may charge a reasonable fee or refuse to act.
Art. 12(6) — Where the controller has reasonable doubts about the identity of the natural person making the request, it may request the provision of additional information necessary to confirm identity.
Art. 12(7) — Information to be provided under Articles 13 and 14 may be provided in combination with standardised icons.
Per EDPB Guidelines on Transparency (WP260 rev.01):
| Scenario | Language Obligation |
|---|---|
| Service offered in one EU/EEA Member State | Language of that Member State |
| Service offered across multiple Member States | Language of each Member State where the service is actively offered |
| Service specifically targeting a linguistic minority | Consider providing in that language |
| Children as intended audience | Language and vocabulary appropriate for the age group |
The EDPB recommends a layered approach to provide transparency without overwhelming the data subject:
Displayed at the point of data collection. Contains the most critical information:
Format: 150-300 words. Visible without scrolling. No click-through required.
The complete privacy notice containing all information required under Art. 13 or Art. 14. Accessible from Layer 1 via a clear link.
Format: Structured with clear headings, table of contents, expandable sections where appropriate. Written in plain language throughout.
Detailed information for specific processing activities, available on request or through contextual links:
| Action | Deadline | Extension | Notification |
|---|---|---|---|
| Acknowledge receipt of request | 3 business days (best practice) | N/A | Send acknowledgement with reference number |
| Respond to data subject right request | 30 calendar days from receipt | Up to 60 additional days | Notify within initial 30 days with reasons |
| Respond to identity verification request | 30 calendar days from verification completion | Up to 60 additional days | Notify within initial 30 days |
| Inform of refusal to act | 30 calendar days from receipt | N/A | Must include: reasons, right to complain, right to judicial remedy |
A reasonable fee based on administrative costs may be charged where requests are:
Meridian Analytics Ltd fee schedule: GBP 10.00 base fee + GBP 0.10 per page exceeding 500 pages.
The controller may refuse to act where the request is manifestly unfounded or excessive, but must:
The burden of proof for demonstrating that a request is manifestly unfounded or excessive lies with the controller.
Every acknowledgement must include:
Every refusal must include: