Bastiaan Bruyndonckx
Information Communication Technology
Information Governance & Data Protection
Telecommunications, Media & Technology
Commercial law
Dispute Resolution
Intellectual Property (IP)
bastiaan.bruyndonckx@lydian.be
On 18 January 2022, the European Data Protection Board (EDPB) published its draft Guidelines on the right of access (the Guidelines). The Guidelines cover the various aspects of the right of access and clarify how the right of access has to be implemented in different situations. Among others, the Guidelines provide guidance on the scope of the right of access, the information an organisation has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of six (6) weeks, i.e. until 11 March 2022.
Below we will discuss the highlights of the Guidelines in more detail.
The EDPB states that the overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the data processed. Moreover, the right of access is seen as a doorway for the individual to exercise other rights, such as the right to erasure or rectification.
The right of access thereby includes three (3) components for data subjects:
Under Art. 15 (3) GDPR, the organisation is obliged to provide a free (first) copy of the personal data to which the processing relates. The EDPB further clarifies that Art. 15 (1) GDPR comprises complete information on all data and cannot be understood as granting only a summary of the data. Organisations that process large quantities of information relating to data subjects may request the data subject to specify the information or processing to which the request relates before the information is delivered; according to the EDPB, however, this is an exceptional situation. Nonetheless, such organisations shall provide all information if the data subject confirms that this is what it wants.
Each data subject request for access shall be assessed individually by the organisation. In order to ensure the security of processing, organisations should verify the identity of the data subject but should not ask for additional personal data for this purpose unless necessary. Organisations are advised to implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data, which can often be based on information included in the account (such as login and password). Requesting copies of ID cards should generally not be considered an appropriate means of authentication (the Litigation Chamber of the Data Protection Authority recently confirmed its case-law in this respect, namely that systematically requesting a copy or scan of the data subject's identity card is disproportionate), and such information shall in any case be limited to what is necessary to confirm the identity.
Access requests are not subject to a specific format. Even though the organisation should provide appropriate and user-friendly communication channels that can easily be used by the data subject, the data subject is free to choose to send the request to the contact point of the organisation. It should be noted that, in any case, the data subject cannot send requests to random addressees that are obviously not involved in handling matters concerning the exercise of the rights of data subjects.
The right of access includes all personal data concerning the data subject, whether provided by the data subject or not, including data that is derived from that personal data and data inferred from other data. However, a distinction shall be made between personal and non-personal data and it shall be noted that the right of access does not give data subjects the right to obtain complete access to records or company processes. In this regard, the recommendation of the French CNIL regarding the right of access of employees to their personal data and professional emails is also relevant.
Access requests shall be dealt with by organisations following a routine procedure taking into account the complexity of processing. Within one month of receipt, which can be extended by two further months when necessary, the organisation shall fulfil the request. In doing so, the organisation is obliged to search for personal data throughout its IT systems and non-IT filing systems.
The communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, meaning that in case data consists of codes or other “raw data”, these may have to be explained to the data subject.
The data can be sent by e-mail, provided that all necessary safeguards are applied. When the amount of data is very large and difficult to comprehend in one bulk, organisations should provide the information in different layers to facilitate the data subject’s understanding of the data. The copy of the data should be provided in a permanent form, which could be a commonly used electronic form, so that the data subject can easily download it. A transcript or a compiled form may be used as long as all the information is included and this does not alter or change the content of the information.
Although there is no general proportionality reservation with regard to the efforts an organisation has to make to comply with the data subject’s request, the GDPR does allow for certain limitations of the right of access, which have to be demonstrated by the organisation:
Lastly, the EDPB has provided practical flowcharts to interpret and assess requests for access, how to answer such requests and how to verify whether any limits or restrictions apply.
Lydian’s Information Governance & Data Protection (Privacy) team is there to assist you with the drafting of a policy or replying to a data subject access request.