In this post we summarise the key takeaways from the European Data Protection Board's recently published draft guidelines on data subject access requests under the GDPR (commonly known as DSARs), and what they mean for companies that process personal data.
Art. 15 GDPR provides data subjects with a right to access their data, enabling them to find out what personal data particular companies (controllers) have collected and are processing about them.
The Article requires a controller that receives a DSAR to provide information on the three main components of the right of access:
- confirmation of whether or not personal data are processed;
- access to the personal data; and
- information about the processing itself, such as the purpose, categories of data and recipients, the duration of processing and any appropriate safeguards that have been put in place in case of transfer to third countries.
These requirements may place a high administrative burden on the party receiving the request, particularly given that, in principle, they have to respond within a month. This can be challenging, for example, for companies that process large amounts of data or that receive a significant number of DSARs at the same time.
We see that companies are increasingly receiving DSARs and are dealing with the accompanying challenges. However, until now, limited guidance (in case law or from regulators) on what the scope and requirements of DSARs mean in practice was available.
This was acknowledged by the European Data Protection Board (EDPB), which considered it necessary to provide more precise guidance. Following a stakeholder workshop in November 2019, (in which we participated), its long-awaited draft guidance was adopted during the EDPB's plenary session on 18 January 2022. This has now been published and is subject to public consultation until 11 March 2022 (the Draft Guidelines).
The Draft Guidelines include practical recommendations on how the right of access should be implemented in different situations. Among other things, they address the scope of the right of access, the information the controller has to provide to the data subject, the format of the DSAR, the main modalities for providing access, and clarify what constitute manifestly unfounded or excessive requests.
The key aspects of the Draft Guidelines are:
- Scope of the request. The controller is required to provide the requestor with information about their personal data being processed, to the extent the requestor demands it. As a result, if the requestor asks for all of their personal data processed by the controller in general, the controller is required to provide it. However, if the data controller processes large amounts of data and doubts whether the request is really designed to obtain all the data, the controller may ask the requestor to be more specific rather than responding straight away.
- Scope of the right to obtain 'copies'. According to the Draft Guidelines, the obligation to provide a copy is not intended to broaden the scope of the right of access. In other words, alongside the information the controller is required to provide in accordance with Art. 15(1) and (2), the notion of copy pursuant to Art. 15(3) does not require the controller to provide any additional information. The copy must, however, contain complete information on all personal data; a summary data may not be sufficient. Large amounts of data may be presented in a layered approach if appropriate.
- Format of the request. The Draft Guidelines require that the controller provides appropriate and user-friendly communication channels for the data subject. A DSAR is also not subject to formal requirements - that is, data subjects are not obliged to use specific channels provided by the controller and may instead send their request to an official contact point of the controller. However, the controller is not obliged to process requests sent to random addresses (for example an email to cleaning staff) or those that are obviously false.
- No substantiation requirement. According to the Draft Guidelines, data subjects do not have to justify their request. For example, the data controller may, in general, not refuse access on the grounds or suspicion that the data requested could be used by the data subject for his or her defence in court.
- Identification of the requestor. The Draft Guidelines acknowledge that if the controller has reasonable doubts about the identity of the requestor, it may request additional information. The identification process must be proportionate, meaning excessive data collection should be avoided while ensuring an adequate level of security. According to the EDPB, copies of ID cards should not be considered an appropriate way of authentication. Instead, an e-mail or text message containing confirmation links, security questions or confirmation codes may be used to identify a data subject who has been previously authenticated by the controller. In case IDs are checked and this can be considered proportionate, the EDPB recommends that the controller makes a note (for example 'ID card was checked') to avoid unnecessary copying or storage of copies of ID cards.
- Requests via third parties or proxies. According to the Draft Guidelines, a data subject may request access to personal data via a third party or proxy. In these cases, the controller must ensure that the third party or proxy is legally authorised to act on the data subject's behalf. However, the controller does not have to use the third party’s or proxy’s portal to fulfil the request, but can disclose the requested data to the data subject in another way.
- Limits and restrictions to the right of access.
- Rights and freedom of others. According to Art. 15(4) GDPR, the right of access may not affect the right and freedoms of others. As a result, the controller may (and in certain circumstances may even be obliged to) withhold certain information. In these cases, the controller is required to provide information about its reasons for holding back information. Moreover, the Draft Guidelines state that a redaction of the information concerning others is preferable to refusing to provide a copy.
- Manifestly unfounded or excessive requests. Further, the Draft Guidelines allow the controller to reject requests that are ‘manifestly unfounded or excessive’, but state that this is to be interpreted narrowly, as the principles of transparency and cost-free data subjects' rights should not be undermined. For instance, if a vast amount of time and effort is required to provide the information, this would not in itself be considered sufficient to render a request excessive.
- Possible restrictions in local laws based on Art. 23 GDPR. The right of access may also be restricted by local Member State laws. For example, a Member State’s national law could limit the scope of information to be provided in the context of ongoing legal proceedings or restrict access of personnel files by (former) employees, provided that such provisions comply with the standards set out in Art. 23 GDPR.
As stated above, the Draft Guidelines are subject to public consultation, for which the deadline for submitting feedback is 11 March 2022. The EDPB takes the stakeholder consultation process seriously and, as we saw recently with its recommendations on supplementary measures, it is willing to reflect feedback from stakeholders in its final guidelines.
Although the Draft Guidelines (even in their final version) are not legally binding, they describe the European data protection authorities’ common position and understanding of the GDPR and thereby provide valuable insights. Companies should consider setting up standardised, automated processes for (i) gathering relevant information from various systems and (ii) preparing responses to DSARs, including redacting sensitive information within the time limit even if they process vast amounts of personal data.
The EDPB has based its Draft Guidelines on current CJEU case law. Looking ahead, given the importance of the right of access, it expects further case law (and thus further guidance?) to evolve 'significantly' in the future.
