On January 28, 2022, the European Data Protection Board (“EDPB”) published draft regulatory guidelines (“draft guidance”) on the right of data subjects to have access to their personal data under the EU General Data Protection Regulation (“GDPR”). In the draft guidance, the EDPB explains the aim and components of the right. This analysis is followed by general considerations on the assessment of access requests and the scope of the right. The EDPB also provides guidance on the practicalities of providing access as well as the limitations and restrictions that the GDPR imposes on the right of access.
The right of access
The draft guidance discusses data subjects’ right of access in Article 15 GDPR, which consists of three components. Data subjects have the right to receive from the relevant controller: (i) confirmation of whether or not personal data are processed; (ii) access to such personal data; and (iii) specific information about the processing itself (including the purpose of the data processing, the categories of personal data and recipients, and duration of the processing). Pursuant to Article 15 GDPR, the controller must also provide a copy of the personal data undergoing processing.
The right of access is designed to put data subjects in control over their personal data, by enabling them “to be aware of, and verify, the lawfulness of the processing”. The right of access therefore aims to provide data subjects with sufficient, transparent, and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the personal data. The EDPB stresses that this right makes it easier for data subjects to exercise other GDPR rights, such as the right to erasure or rectification – but that exercise of the right of access is not a condition for exercising other data subject rights.
General considerations regarding the assessment of access requests
The EDPB underlines that controllers should be “proactively ready” to handle access requests and to assess each request individually. When handling an access request, controllers should consider at least the following questions:
- Does the request concern personal data?
The scope of the request can only cover personal data (including pseudonymized data), information on the processing itself and on data subject rights. Requests about other issues, including general information about the controller, are not considered as an access request under Article 15 GDPR.
The right of access also needs to be distinguished from similar rights with other objectives, for example the right of access to public documents, which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice.
- Who is the individual requesting access?
An access request should either concern the personal data of: (a) the requesting person; or (b) the person authorizing the request. The controller needs to be able to identify the data subject making the request, and confirm the identity of that person in case of doubt. This implies that anonymous requests cannot be considered as valid access requests under Article 15 GDPR.
The GDPR does not impose requirements regarding the methods for determining the identity of data subjects requesting access. In case of reasonable doubt, the controller can ask for additional information to confirm the identity of the data subject; however, the request must be proportionate to the type of personal data processed, the damage that could occur, etc., in order to avoid excessive data collection.
If identification is not possible based on the information included in the access request, the controller must inform the data subject, and is entitled to refuse the request unless the data subject provides the additional information that is needed to allow identification.
- Does the request fall within the scope of Article 15 GDPR?
The GDPR does not include formal requirements for data subjects requesting access to their personal data. The controller should provide data subjects with appropriate and user-friendly communication channels that are easy to use. However, data subjects are not required to use these channels in order to submit an access request.
It is not necessary for data subjects to give any reasons for their access request: it is not up to the controller to assess whether exercising the right of access will actually be helpful to the data subject who has submitted a request. The controller should process the request unless it is clear that the request is made under rules other than data protection rules. Therefore, in order to make a valid request, the EDPB considers it sufficient for data subjects to indicate that they wish to obtain access to the personal data concerning them, that they are exercising their right of access, or that they wish to know the information concerning them that the controller processes. In this context, the EDPB advises controllers to be lenient towards persons exercising their right of access, because data subjects may not be familiar with the intricacies of the GDPR, in particular when the request is submitted by minors. In case of doubt, it is recommended that the controller ask the data subject making the request to specify the subject matter of the request.
- Are there more specific provisions that regulate the access request?
In their request, data subjects are not required to specify whether they are requesting access to their personal data on the basis of the GDPR or on the basis of some other (national or sectoral) legislation. However, if the data subject specifies that the request is based on sectoral or national legislation providing a right of access to certain categories of data, the controller needs to handle the request accordingly, and this may require a response separate from the response to the right of access request under Article 15 GDPR.
- Does the request refer to all or only parts of the data processed about the data subject?
The controller needs to assess whether the request made by the requesting data subject refers to all or parts of the personal data processed about that individual, and respond accordingly.
Unless explicitly stated otherwise, the access request should be understood as referring to all personal data concerning the data subject. The controller may ask the data subject to specify the request if it processes a large amount of personal data.
Practicalities of providing access to personal data
The draft guidance also contains some practical recommendations on different ways that controllers can provide access to personal data. For example, it provides guidance on:
- How the controller can retrieve the requested personal data (which may depend on how the personal data is structured);
- Different possible means of providing access – which may in some cases include providing information verbally, permitting inspection of files or providing remote access to personal data;
- Ways to ensure that the personal data is provided in a “concise, transparent, intelligible and easily accessible form”, such as by including additional information that explains the personal data provided.
Limitations and restrictions to the right of access
The right of access is subject to the limitations that result from Article 15(4) GDPR (which protects the rights and freedoms of others) and Article 12(5) GDPR (which governs “manifestly unfounded or excessive” requests). In addition, the draft guidance underlines that controllers should take into account further restrictions to the right of access contained in EU or in EU Member State laws, in accordance with Article 23 GDPR.
Rights and freedoms of others
Article 15(4) GDPR states that the right to obtain a copy of personal data shall not adversely affect the rights and freedoms of others.
However, the EDPB stresses that the controller cannot rely on these considerations to justify refusing the request altogether, but only to justify leaving out or rendering illegible those parts of the personal data that may negatively affect the rights and freedoms of others.
Manifestly unfounded or excessive requests
Article 12(5) GDPR allows controllers to reject or charge a reasonable fee for requests that they consider to be “manifestly unfounded or excessive”.
The EDPB notes that a request is “manifestly unfounded” if the requirements of Article 15 GDPR are objectively, clearly and obviously not met. A request should not be considered manifestly unfounded (i) because the data subject has previously submitted requests which were manifestly unfounded or excessive; or (ii) because the request includes what the EDPB refers to as “unobjective or improper language”.
Whether a request is “excessive” or not will depend on the specific circumstances of the request. Excessiveness is typically linked to the repetitiveness of subsequent requests, and whether the data subject is making requests at reasonable intervals. The draft guidance notes that the controller could consider – in the light of the reasonable expectations of the data subject – how often the personal data is altered, the nature of the personal data, the purposes of the processing, and whether the subsequent requests concern the same type of information or processing activities or different ones.
The EDPB further emphasizes that these concepts must be interpreted narrowly, as the principles of transparency and cost-free data subject rights should not be undermined.
It should be noted that the draft guidelines are open for public consultation. Stakeholders may provide feedback until March 11, 2022, after which the EDPB is expected to adopt its final guidelines.
Source: EDPB, Guidelines 01/2022 on data subject rights – Right of access, adopted on 18 January 2022 (version for public consultation) – https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf