Guidelines 01/2022 on data subject rights – Right of access

At the end of January 2022, the European Data Protection Board (EDPB) published “Guidelines 01/2022 on data subject rights – Right of access” on its official website. The Guidelines are intended to promote a common understanding of the right of access under art. 15 of the General Data Protection Regulation (GDPR) among the whole range of data processing actors, regardless of whether they are public or private bodies.

The right of access is one of the fundamental rights protected by the GDPR. That is why its interpretation matters for supervisory authorities, for business and for everyday practice.

It is notable that the right of access is not isolated from the other provisions of the GDPR, in particular from articles 12-14.

Three components of the right of access

The EDPB distinguishes three components of the right of access. They are:

  • confirmation as to whether or not personal data concerning the data subject are being processed;
  • access to those personal data;
  • information on the processing (purposes, categories of data, recipients, retention period, source, and so on).

The second component is the core of this right. It means access to the actual personal data themselves, not merely a general description of the data, nor a public-facing summary of the categories of personal data processed by the controller. The description given in the privacy policy published on the company’s website is unlikely to suffice: the data subject must receive tailored, specific information. The response must be clear and cover the relevant information. The Guidelines underline that the responding party must ensure that the response to the access request covers the organisation as a whole, including all its databases and other data storage facilities, whatever their purpose and location.

Moreover, Guidelines 01/2022 describe the modalities of the right, which is where its strength becomes apparent. Paragraph 3 of article 15 adds specific requirements for replying to access requests on top of those in article 12 of the GDPR. The EDPB identifies three such modalities:

  • providing the data subject with a copy of the personal data;

This means that the data subject’s right to receive such a copy does not widen the right of access, but is an integral element of it. In most cases, data subjects need to see the personal data being processed not only once, but to study them for a longer time in order to understand the details of the processing. That is why this right should be exercised in a way that allows data subjects to retain the information and return to it when they need to.

  • providing additional copies of the personal data;

In this context, it is necessary to check whether the first copy was complete and whether the data have changed since. If the first copy was incomplete or the data have been updated, a new copy should be provided without charging a fee; only a genuinely further copy of unchanged data may be subject to a reasonable fee.

  • making the information available in a commonly used electronic form;

Where the request is made by electronic means, the controller is obliged to provide the answer in a commonly used electronic form, unless the data subject requests otherwise. The data subject should not be required to buy specific software in order to access the information.


Obligation, not a perk

The EDPB emphasizes that providing the data subject with a copy of the personal data is an obligation of the controller. At the same time, the right to obtain a copy must be assessed separately from the general right of access (for example, a refusal to provide a paper copy of the personal data does not mean that the right of access as a whole can be refused).

The Guidelines also contain a notable interpretation: the controller cannot refuse access to the personal data on the mere suspicion, or on the ground, that the requested data could be used by the data subject against the controller in a dispute (labour disputes are given as an example).

Preparing the answer: principles

Furthermore, the EDPB lists principles that shape how a response to an access request is prepared:

  1. The information must be provided in accordance with the request:
    1. the controller must provide the information that was requested;
    2. the controller may ask the data subject to clarify the request if its subject matter is too ambiguous to be reasonably complied with;
    3. the request only covers personal data;
    4. the personal data provided must concern only the person making the request (any representative of a data subject must produce a valid authorisation).
  2. Proportionality in identity verification: the identity of the person to whom the personal data relate must be verified, but in a reasonable way:
    1. the controller checks the identity of the requesting individual;
    2. requesting a copy of a national ID document is subject to the limitations of national law and should not be the default;
    3. if an ID document is in fact provided, the data subject should blur or remove any data that are not relevant for the verification (e.g., place and date of birth, place of residence, etc.).
  3. Correctness of the information:
    1. the data subject has the right to have inaccurate information rectified;
    2. the data subject may find out the source of inaccurate data circulated between different controllers;
    3. if, while handling the request, the controller discovers that the retention period for some data has already expired, it must first answer the request and only then erase the personal data.
  4. Secure delivery of the response:
    1. the answer to a request can be sent by registered mail;
    2. the data subject can be offered to collect the file against signature at one of the controller’s premises;
    3. when electronic communication is used, the controller should protect the data in transit (e.g., by encryption or password protection);
    4. the communication channels, and the way a request is submitted, should be easily accessible for the data subject.

Modalities explained

The controller is generally obliged to act on a request even when it is sent to the email address of an individual employee, unless that employee plainly has no role in handling the data subject’s affairs. For example, cleaning or catering staff may have their own email addresses for procurement and task management purposes, but their roles normally do not include processing of personal data. Where the controller has clearly provided the data subject with an appropriate communication channel, there is a risk that requests sent elsewhere will not be considered. Nevertheless, the company should encourage staff and contractors to treat such requests responsibly and to forward any request they encounter, even if it arrives through channels other than the email address or web page named in the privacy policy.

As to content requirements, the data subject has the right to receive the information in a form that he or she can easily understand. Children deserve extra effort: the information must be provided in such a way that the child can easily grasp the answer and the data. To achieve this, the EDPB recommends rethinking the standard response format, for example by using appropriate headings and paragraphs or standardised icons. In any case, the information must always be given in plain and clear language. Hence, a controller that offers a service in a given country should also answer in a language understood by the data subjects in that country.

When answering a request from a visually impaired person or a person with other difficulties in accessing information, the controller is expected to take measures that make the information easier to understand (including providing it orally where appropriate).

Response timeframe

The EDPB also emphasizes that responding to the request must not be unduly delayed. The standard timeframe is one (1) calendar month from receipt of the request (even if that month has 28 days rather than 30 or 31).

This period can be extended by a further two months, but only where necessary, taking into account the complexity and number of the requests, and the data subject must be informed of the extension and its reasons within one month of receipt. The following factors may be taken into consideration when deciding whether an extension is justified:

  • the amount of data processed by the controller,
  • how the information is stored, especially when it is difficult to retrieve the information,
  • the need to redact information when an exemption applies (e.g., information regarding other data subjects),
  • when the information requires further work in order to be intelligible.

An interesting aspect of the right of access is that it can be limited. According to the EDPB, this is the case when a request is manifestly unfounded or excessive. A request is manifestly unfounded when it relates to information or processing activities that clearly and obviously fall outside the controller’s processing activities. A request may be excessive because of the amount of data requested or because of how often requests are sent. The EDPB emphasizes that this depends on the individual case and on the specifics of the sector in which the controller operates, but also gives some points that can be taken into consideration:

  • how often the data are altered;
  • the nature of the data (including whether they are particularly sensitive);
  • the purposes of the processing, including whether the processing is likely to cause detriment (harm) to the requester if disclosed;
  • whether subsequent requests concern the same type of information or processing activities, or different ones.

Key takeaways

To sum up, Guidelines 01/2022 are a useful act of interpretation by the EDPB, intended to promote a common understanding of the right of access under art. 15 of the GDPR. We have reviewed them and would like to highlight the most relevant points for a business acting as a controller. They are:

  • communication channels must be easily accessible for data subjects. For example, the website can state that the data subject may send a request to a particular email address in order to receive the personal data collected by the controller;
  • carefully verify the data subject’s identity or the legal authority of his or her representative;
  • do not collect excessive information for identification purposes;
  • respond to the request within the statutory period;
  • the content of the response must be clear and easy to understand, especially if the data subject is a child or a visually impaired person;
  • the response must be delivered securely, in compliance with data protection law;
  • manifestly unfounded or excessive requests may be refused, and a request sent to a staff member who clearly has no role in processing personal data may not count as received by the controller.

We hope that this article has helped you understand the EDPB’s view on the essence of the right of access. If you have any questions, please do not hesitate to ask us.
