11/03/2022
Briefing

The goal of the right of access is to provide data subjects with transparent and easily accessible information so that they may verify the lawfulness of the processing, the accuracy of the data, and to enable them to exercise their other data subject rights. However, DSARs often pose issues for the organisations controlling the data, and the individuals who are charged with receiving, investigating and responding to these requests, all within the narrow one-month timeframe provided for by the GDPR.

Against this background, the EDPB has recently issued its draft Guidelines 01/2022 on data subject rights – Right of access for public consultation, seeking to assist both controllers and data subjects in submitting and responding to DSARs. Although the Guidelines bring much-needed clarity to several operational aspects of a standard DSAR response, many controllers will consider the Guidelines to have raised the bar considerably in relation to what is expected of them.

As the Guidelines remain open for public consultation, controllers need not introduce any far-reaching changes to their policies at this juncture, but they should certainly take this opportunity to consider if they are falling short in any significant respect. We set out some points of interest from the Guidelines and some of our key recommendations below.

Valid receipt of a DSAR

The timeline for responding to a DSAR runs from the time the DSAR reaches the controller through an official channel, and the clock may start running even if the correct person within the controller has not received it.

Our recommendations:
  • Given the tight statutory timeframe for responding to DSARs, controllers should ensure that there are procedures in place to facilitate DSARs being efficiently identified and subsequently funnelled to the relevant person so that a response may be prepared as soon as possible, which may require data protection training for most, if not all, staff members.
  • Where a DSAR emanates from anyone other than the data subject, the controller should ensure a valid authorisation is in place. Where data subjects use third party portals to make valid DSARs, controllers should be aware that they are not obliged to provide the DSAR response to the third party portal, and they may opt to provide it directly to the data subject.

Timing

A response must be provided to the data subject “without undue delay” and in any event within one month of receipt of the request. Where retention periods for certain personal data are short, the EDPB advises that the timing in such situations be adapted accordingly to ensure access is guaranteed.

Time may be suspended where the controller requests additional information to verify the identity of the requester, provided this is sought without undue delay, and time may also be suspended where the controller has asked the requester to specify the processing operations to which the request relates, per Recital 63. The one-month period may be extended by up to an additional two months where the complexity and number of DSARs justifies it. However, extensions should be the exception and not the rule, and where a controller finds itself routinely seeking extensions, it should review its procedures for handling DSARs.

Our recommendation:
It is worth asking the requester to specify the processing to which their request relates to ensure that they receive the personal data they require, while affording the controller sufficient time to respond.

Identity Verification

By virtue of Article 12(2), a controller cannot refuse to act on a DSAR unless it can demonstrate that it is unable to identify the data subject. Pre-existing authentication methods should be utilised to the extent possible, e.g. issuing confirmation emails or text messages to the contact number or email address the data subject used to register with the controller.

Generally, official identification documents, such as passports and national ID cards, should not be requested (unless legally required). The EDPB suggests that, in reviewing identification documentation, the controller should take a simple note that the identification documents were checked instead of engaging in any unnecessary processing such as storing copies.

“Information” to be provided to the requester

Article 15 entitles the data subject to copies of their personal data, and also to confirmation as to whether or not personal data is processed and information about the processing and their data subject rights. Controllers should note that the EDPB has suggested that there is a greater onus on controllers to provide tailored information, and that a privacy policy will only suffice where it can be said that the “general information” contained therein is specific to the data subject.

The Search

Controllers are reminded that an unlimited variety of data may fall within the scope of personal data and, therefore, the parameters of information that may be covered are broad and include archived and back-up data. Somewhat surprisingly, the EDPB has stated that “the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject’s request,” particularly when Recital 4 of the GDPR recognises that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

Our recommendations:
  • Where there is a large volume of data involved in the search, the controller may consider asking the data subject to narrow the scope of the search, notwithstanding that the data subject is under no obligation to do so. Such requests for specification should not be made as a matter of course, and the controller cannot use them as a way of “hiding” certain personal data.
  • Controllers should examine the information available to them that is capable of identifying the data subject and any identifiers, both direct and indirect, should be searched against where the structure of the data is such that those identifiers would be likely to return results.

Personal Data

Personal data includes not only information provided directly by the data subject to the controller, but also any assessments, summaries or comments made around that personal data. The Guidelines contain an indicative list of what is considered to be personal data, which includes data processed by connected objects, transaction history, handwriting, keystrokes, particular ways of walking or speaking, audio recordings, and data derived or inferred from data provided by the data subject, e.g. the results of a health assessment or a credit ratio.

Our recommendation:
Controllers should remember that a search for direct identifiers alone will not suffice for the purposes of complying with Article 15 GDPR and appropriate indirect identifiers should also be used.

Provision of Access

Controllers are reminded that the most appropriate method of access for the data subject should take account of any vulnerabilities or special requirements of which the controller is aware. The Guidelines refer to providing data, where it is provided electronically or in response to a DSAR made electronically, in a “commonly used electronic form” that the data subject can download, and to contextualising the data where “raw data” is being provided or where the data subject is a child, so that the data subject can fully understand the personal data. Where it would be difficult for the data subject to understand the information in its entirety, the controller may consider making the personal data available in a layered format to explain the data. However, controllers cannot make access to additional layers conditional upon a new request being submitted and cannot place a disproportionate burden on the data subject to access them.

Restrictions that may be applied to the right of access

The right of a data subject to obtain a copy of their personal data shall not adversely affect the rights and freedoms of others (Article 15(4)). Controllers should bear in mind that this should not result in refusing the DSAR altogether. It can only result in leaving out, or rendering illegible, those parts of the data that will have negative effects on the rights and freedoms of others, and controllers must inform the data subject without undue delay of the reasons for any limitation of access.

The EDPB has noted that any right or freedom provided for under Union or Member State law may trigger the restriction in Article 15(4), such as the right to confidentiality of correspondence with regard to private email correspondence in an employment context. Conversely, the EDPB has indicated that the economic interests of a company in not disclosing personal data, outside of trade secrets and intellectual property rights (considered valid rights and freedoms per Recital 63), are not relevant for the purposes of Article 15(4).

Our recommendation:
When considering whether Article 15(4) is invoked, the controller should engage in the step-by-step assessment outlined by the EDPB. The controller should first assess whether complying with the DSAR will have an adverse effect on the rights or freedoms of others. It should then weigh the rights and freedoms of the parties concerned, in light of the specific circumstances of the matter and the severity of the risks to each party, and attempt to reconcile the competing rights, including through mitigation measures. Only where reconciliation is impossible should the controller determine which of the competing rights and freedoms prevails.

Manifestly unfounded or excessive requests

The controller may charge a reasonable fee or refuse to act on a request that is “manifestly unfounded” or “excessive” (Article 12(5)). While excessive requests are not defined, they most often arise in the context of subsequent DSARs by the same data subject. The Guidelines warn that where access to personal data can be provided remotely or by electronic means, it is unlikely that subsequent DSARs can be regarded as excessive. Interestingly, the EDPB considers data subjects making repeated DSARs with “the only intent of causing damage or harm to the controller” to be “excessive” and to constitute an abuse of the Article 15 process. (The position of the Irish Data Protection Commission has been that each DSAR must be evaluated on a case-by-case basis without speculation as to the perceived intention of the data subject in making the request.)

A DSAR may also be excessive where the data subject submits the DSAR while simultaneously offering to withdraw the DSAR in return for some benefit or where the request is being made with malicious intent and is being used to harass the controller or processor(s) or their employees with no purpose other than causing disruption. The strict letter of the law implies that the controller is permitted to interrogate the motives behind a DSAR to ascertain if it is “excessive” and if any EU or national law restrictions may apply.

Our recommendation:
Where a controller is of the opinion that a request is manifestly unfounded or excessive, it should document its reasoning. While a controller is not entitled to opine on the reason for which the data subject has made a DSAR, it is permitted to interrogate the DSAR in order to determine whether the request is “manifestly unfounded” or “excessive” within the meaning of Article 12(5), or whether a national law exemption applies to the data in question.