On 18 January 2022, the European Data Protection Board (“EDPB”) adopted new guidelines on the data subject’s right of access. The guidelines aim to clarify the various aspects of the right of access and to provide guidance on how to implement this right in practice.
Running up to 60 pages, the guidelines adopt an extensive interpretation of the right of access. This right can be understood as (i) the possibility for the data subject to ask the controller whether personal data about him or her are being processed, and (ii) the possibility to access and verify these data. Following a request to exercise the right of access, the data controller has to provide the data subject with the information listed in Article 15 of the General Data Protection Regulation (“GDPR”). This enables the data subject to be aware of, and verify, the lawfulness of the processing and the accuracy of the processed data.
In its guidance, the EDPB addresses the following key aspects using practical examples:
• The analysis of a request. The EDPB specifies the elements that a controller should take into account when assessing a data subject’s request, including (i) whether the request concerns personal data of the individual making the request, (ii) whether the request falls within the scope of Article 15 of the GDPR, and (iii) whether the request refers to all or only parts of the data processed about the data subject.
The EDPB also highlights that there are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject. However, the data subject is not required to use these specific channels and may instead send the request to an official contact point of the controller.
• The scope of the right of access. The EDPB confirms that the scope of the right of access is determined by the scope of the concept of personal data. The guidelines therefore clarify the definition of personal data and specify that, although the right of access refers to personal data concerning the person making the request, this should not be interpreted overly restrictively. The EDPB gives as an example the case of an interview during which the HR officer takes notes. If the job applicant requests access to personal data, the controller will have to provide the personal data actively communicated by the applicant (e.g. CV and motivation letter) and the summary of the interview, including the subjective comments on the behaviour of the applicant written by the HR officer during the job interview.
The EDPB also specifies the additional information about the processing and about data subjects’ rights that the controller has to provide in addition to access to the personal data themselves.
• How a controller must provide access. The right of access may be easy and straightforward to apply in some situations, but can be more complicated in complex data processing activities. The appropriate way to provide access may therefore vary accordingly, and guidance from the EDPB is welcome. Among other things, the EDPB clarifies that access requests can, depending on the situation at hand, be handled e.g. by providing a copy of the personal data by e-mail or by physical mail, but also by using automated processes. This could for example be the case for controllers that receive a large number of requests. Social media platforms can for example offer their users a “self-service” tool allowing them to download a file containing their personal data directly from their user account to their own computer. In any case, the controller has to consider appropriate technical and organisational measures, including adequate encryption, when providing information via e-mail or online self-service tools. The EDPB also explains that, when the amount of data is very large and it would be difficult for the data subject to comprehend the information if it were provided all at once, the most appropriate measure could be a layered approach that facilitates the data subject’s understanding of the data.
• Limitations on the right of access. The EDPB notes that, in accordance with Article 15(4) of the GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. The controller must be able to demonstrate that the rights or freedoms of others would be adversely affected in the specific situation. Applying Article 15(4) should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others.
The EDPB also explains to what extent controllers can set aside requests that are manifestly unfounded or excessive within the meaning of Article 12 of the GDPR. According to the EDPB, these concepts have to be interpreted narrowly. A request can be considered “manifestly unfounded” if the requirements of Article 15 of the GDPR are clearly and obviously not met. One of the reasons to qualify a request as “excessive” can be that a data subject submits repetitive requests at unreasonable intervals. In this regard, the controller should take into account (i) how often the data are altered (is the information unlikely to have changed between requests?), (ii) the nature of the data, (iii) the purpose of the processing, and (iv) whether the subsequent requests concern the same type of information or processing activities or different ones. Various examples given by the EDPB illustrate these criteria.
These guidelines were subject to public consultation for a period of 6 weeks ending on 11 March 2022. We will of course continue to monitor this.
Please contact Karel Janssens for further information about the above and/or for general legal advice relating to privacy and data protection law.