EDPB draft guidelines on data subject access requests (“DSARs”): key points
The right of data subjects to access their personal data and information on the processing of their personal data, as contained in Article 15 of the General Data Protection Regulation (GDPR), is at the heart of European data protection law.
The goal of the right of access is to provide data subjects with transparent and easily accessible information so that they may verify the lawfulness of the processing and the accuracy of the data, and so that they can exercise their other data subject rights. However, DSARs often pose issues for the organisations controlling the data and for the individuals charged with receiving, investigating and responding to these requests, all within the narrow one-month timeframe provided for by the GDPR.
Against this background, the EDPB has recently issued its draft Guidelines 01/2022 on data subject rights – Right of access for public consultation, seeking to assist both controllers and data subjects in submitting and responding to DSARs. Although the Guidelines bring much-needed clarity to several operational aspects of a standard DSAR response, many controllers will consider the Guidelines to have raised the bar considerably in relation to what is expected of them.
As the Guidelines remain open for public consultation, controllers need not introduce any far-reaching changes to their policies at this juncture, but they should certainly take this opportunity to consider if they are falling short in any significant respect. We set out some points of interest from the Guidelines and some of our key recommendations below.
Valid receipt of a DSAR
The timeline for responding to a DSAR runs from the time the DSAR reaches the controller through an official channel, and the clock may start running even if the correct person within the controller has not received it.
A response must be provided to the data subject “without undue delay” and in any event within one month of receipt of the request. Where retention periods for certain personal data are short, the EDPB advises that the timing in such situations be adapted accordingly to ensure access is guaranteed.
Time may be suspended where the controller requests additional information to verify the identity of the requester, provided this is sought without undue delay, and time may also be suspended where the controller has asked the requester to specify the processing operations to which the request relates, per Recital 63. The one-month period may be extended by up to an additional two months where the complexity and number of DSARs justify it. However, extensions should be the exception and not the rule, and where a controller finds itself routinely seeking extensions, it should review its procedures for handling DSARs.
It is worth asking the requester to specify the processing to which their request relates to ensure that they receive the personal data they require, while affording the controller sufficient time to respond.
By virtue of Article 12(2), a controller cannot refuse to act on a DSAR unless they can illustrate that they are unable to identify the data subject. Pre-existing authentication methods should be utilised to the extent possible, e.g. issuing of confirmation emails or text messages to the contact number or email address used by the data subject to register with the controller.
Generally, official identification documents, such as passports and national ID cards, should not be requested (unless legally required). The EDPB suggests that, in reviewing identification documentation, the controller should take a simple note that the identification documents were checked instead of engaging in any unnecessary processing such as storing copies.
“Information” to be provided to the requester
Controllers are reminded that an unlimited variety of data may fall within the scope of personal data and, therefore, the parameters of information that may be covered are broad and include archived and back-up data. Somewhat surprisingly, the EDPB has stated that “the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject’s request,” particularly when Recital 4 of the GDPR recognises that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
Personal data includes not only information provided directly by the data subject to the controller, but also any assessments, summaries or comments made around that personal data. The Guidelines contain an indicative list of what is considered to be personal data, which includes data processed by connected objects, transaction history, handwriting, keystrokes, particular ways of walking or speaking, audio recordings, and data derived or inferred from data provided by the data subject, e.g. the results of a health assessment or a credit ratio.
Controllers should remember that a search for direct identifiers alone will not suffice for the purposes of complying with Article 15 GDPR and appropriate indirect identifiers should also be used.
Provision of Access
Controllers are reminded that the most appropriate method of access for the data subject should take account of any vulnerabilities or special requirements of which the controller is aware. Where data is provided electronically, for example in response to a DSAR made electronically, the Guidelines refer to providing it in a “commonly used electronic form” that the data subject can download. Where “raw data” is being provided, or where the data subject is a child, the data should be contextualised so that the data subject can fully understand it. Where it would be difficult for the data subject to understand the information in its entirety, the controller may consider making the personal data available in a layered format to explain the data. However, controllers cannot make access to additional layers conditional upon a new request being submitted and cannot place a disproportionate burden on the data subject to access them.
Restrictions that may be applied to the right of access
The right of a data subject to obtain a copy of their personal data shall not adversely affect the rights and freedoms of others (Article 15(4)). Controllers should bear in mind that this should not result in refusing the DSAR altogether. It can only result in leaving out, or rendering illegible, those parts of the data that would have negative effects on the rights and freedoms of others, and controllers must inform the data subject without undue delay of the reasons for any limitation of access.
The EDPB has noted that any right or freedom provided for under Union or Member State law may trigger the restriction in Article 15(4), such as the right to confidentiality of correspondence with regard to private email correspondence in an employment context. Conversely, the EDPB has indicated that the economic interests of a company in not disclosing personal data, outside of trade secrets and intellectual property rights (considered valid rights and freedoms per Recital 63), are not relevant for the purposes of Article 15(4).
When considering whether Article 15(4) is invoked, the controller should engage in the step-by-step assessment outlined by the EDPB. The controller should first assess whether complying with the DSAR will have an adverse effect on the rights or freedoms of others. It should then weigh the rights and freedoms of the parties concerned, in light of the specific circumstances of the matter and the severity of the risks to each party, and attempt to reconcile the competing rights, including through mitigation measures. Only where reconciliation is impossible should the controller determine which of the competing rights and freedoms prevails.
Manifestly unfounded or excessive requests
The controller may charge a reasonable fee or refuse to act on a request that is “manifestly unfounded” or “excessive” (Article 12(5)). While excessive requests are not defined, they most often arise in the context of subsequent DSARs by the same data subject. The Guidelines warn that where access to personal data can be provided remotely or by electronic means, it is unlikely that subsequent DSARs can be regarded as excessive. Interestingly, the EDPB considers data subjects making repeated DSARs with “the only intent of causing damage or harm to the controller” to be “excessive” and to constitute an abuse of the Article 15 process. (The position of the Irish Data Protection Commission has been that each DSAR must be evaluated on a case-by-case basis without speculation as to the perceived intention of the data subject in making the request.)
A DSAR may also be excessive where the data subject submits the DSAR while simultaneously offering to withdraw the DSAR in return for some benefit or where the request is being made with malicious intent and is being used to harass the controller or processor(s) or their employees with no purpose other than causing disruption. The strict letter of the law implies that the controller is permitted to interrogate the motives behind a DSAR to ascertain if it is “excessive” and if any EU or national law restrictions may apply.
Where a controller is of the opinion that a request is manifestly unfounded or excessive, it should document its thought process. While a controller is not entitled to opine on the reason for which the data subject has made a DSAR, the controller is permitted to interrogate the DSAR in order to determine whether the request is “manifestly unfounded” or “excessive” within the meaning of Article 12(5), or whether a national law exemption applies to the data in question.