EDPB publishes guidelines on DSARs
On 18 January 2022, the European Data Protection Board (EDPB) published its draft Guidelines on the right of access (the Guidelines). The Guidelines cover the various aspects of the right of access and clarify how the right of access has to be implemented in different situations. Among other things, the Guidelines provide guidance on the scope of the right of access, the information an organisation has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of six (6) weeks, i.e. until 11 March 2022.
Below we will discuss the highlights of the Guidelines in more detail.
Aim of the right of access
The EDPB states that the overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the data processed. Moreover, the right of access is seen as a doorway for the individual to exercise other rights, such as the right to erasure or rectification.
The right of access thereby includes three (3) components for data subjects:
- a confirmation as to whether personal data is processed by the organisation or not;
- access to the personal data processed by the organisation; and
- access to more information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.
Under Art. 15 (3) GDPR, the organisation is obliged to provide a free (first) copy of the personal data to which the processing relates. The EDPB further clarifies that Art. 15 (1) GDPR comprises complete information on all data and cannot be understood as granting only a summary of the data. Organisations that process large quantities of information relating to data subjects may ask the data subject to specify the information or processing to which the request relates before the information is delivered; however, the EDPB considers this an exceptional situation. Nonetheless, such organisations shall provide all information if the data subject confirms that this is what they want.
The assessment of access requests
Each data subject request for access shall be assessed individually by the organisation. In order to ensure the security of processing, organisations should verify the identity of the data subject, but should not ask for additional personal data for this purpose unless necessary. Organisations are advised to implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data; this can often be based on information included in the account (such as login and password). Requesting copies of ID cards should generally not be considered an appropriate means of authentication (the Litigation Chamber of the Data Protection Authority recently confirmed its case-law in this respect, namely that systematically requesting a copy or scan of the data subject's identity card is disproportionate), and such information shall in any case be limited to what is necessary to confirm the identity.
Access requests are not subject to a specific format. Even though the organisation should provide appropriate and user-friendly communication channels that can easily be used by the data subject, the data subject is free to choose to send the request to the contact point of the organisation. It should be noted that, in any case, the data subject cannot send requests to random addressees that are obviously not involved in handling matters concerning the exercise of the rights of data subjects.
The scope of the right of access
The right of access includes all personal data concerning the data subject, whether provided by the data subject or not, including data that is derived from that personal data and data inferred from other data. However, a distinction shall be made between personal and non-personal data and it shall be noted that the right of access does not give data subjects the right to obtain complete access to records or company processes. In this regard, the recommendation of the French CNIL regarding the right of access of employees to their personal data and professional emails is also relevant.
Providing access as an organisation
Access requests shall be dealt with by organisations following a routine procedure taking into account the complexity of processing. Within one month of receipt, which can be extended by two further months when necessary, the organisation shall fulfil the request. In doing so, the organisation is obliged to search for personal data throughout its IT systems and non-IT filing systems.
The communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, meaning that in case data consists of codes or other “raw data”, these may have to be explained to the data subject.
The data can be sent by e-mail, provided that all necessary safeguards are applied. When the amount of data is very large and difficult to comprehend in one go, organisations should provide information in different layers to facilitate the data subject’s understanding of the data. The copy of the data should be provided in a permanent form, which could be a commonly used electronic form, so that the data subject can easily download it. A transcript or a compiled form may be used as long as all the information is included and this does not alter or change the content of the information.
Limits and restrictions of the right of access
Although there is no general proportionality reservation with regard to the efforts an organisation has to make to comply with the data subject's request, the GDPR does allow for certain limitations of the right of access, which have to be demonstrated by the organisation:
- the copy shall not adversely affect the rights and freedoms of others (Art. 15 (4) GDPR): this limitation should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others;
- organisations may reject requests that are manifestly unfounded or excessive, or charge a reasonable fee for such requests (Art. 12 (5) GDPR): the application thereof is rather limited; and
- national law may restrict the right of access as well. Such restrictions may exist in Member States’ national law under Art. 23 GDPR and the derogations therein. In this respect, we refer to Guidelines 10/2020 on restrictions under Article 23 GDPR issued by the EDPB. Under Belgian law, the GDPR Implementation Act somewhat restricts the rights of data subjects. It provides that intelligence agencies, the Coordination Unit for Threat Analysis and other specialised police forces can process personal data without being subject to transparency obligations towards data subjects. In addition, there are exemptions from several obligations when processing is carried out for journalistic purposes or for the purposes of academic, artistic or literary expression, such as the duty to inform the data subject and the requirement to give access to the data at the data subject’s request.
Practical help from the EDPB
Lastly, the EDPB has provided practical flowcharts to interpret and assess requests for access, how to answer such requests and how to verify whether any limits or restrictions apply.
Lydian’s Information Governance & Data Protection (Privacy) team is there to assist you with the drafting of a policy or replying to a data subject access request.