On January 28, 2022, the European Data Protection Board (“EDPB”) published draft guidelines on the right of access (Article 15 GDPR), which is seen as one of the fundamental rights of the data subject under the GDPR. For most companies, complying with the right of access can be quite a challenge, especially if they process large amounts of personal data (think of marketing companies that use enhanced profiling technologies). Because of this, the EDPB decided to clarify some aspects of the right of access.
This blogpost will summarize the main points in the guidance and will highlight some remaining points of discussion.
In general, the right of access provides the data subject the possibility of finding out whether or not data relating to him or her are being processed, to have access to these personal data, and to access the information about the processing itself (purpose, duration, data subjects’ rights and appropriate measures for third country transfers).
The objective of the right of access is twofold:
The aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the personal data. In addition to this, it will also facilitate the exercise of other rights in the GDPR (such as the right to erasure or the right to rectification).
1. Right to receive confirmation as to whether or not personal data are being processed
It is important to note that the controller may in fact not process any personal data relating to the data subject making the request. In this case, the controller can simply confirm that it processes no personal data relating to the data subject.
2. Right to access the personal data being processed
This is the core of the right of access. The controller will have to provide access to the actual personal data themselves; according to the EDPB, a general summary of the data or a mere reference to the categories of data being processed will not be sufficient.
In principle, a data subject is entitled to have access to all data processed relating to him or her, or to a part of that data (if specified by him or her, or if restricted by one of the limitations in Article 15 GDPR).
3. Right to access information on the processing and on data subject rights
The controller has to provide the information covered under Article 15(1) and 15(2) GDPR, which will generally be covered in the controller’s privacy notice or record of processing activities.
With regard to the modalities of providing access to the information, the EDPB clarifies that a controller must provide a first free copy of the personal data being processed, even when the costs of reproduction are high. The copy should be complete (it must contain all the information requested) and it must be durable (the data subject must be able to come back to it later). For any additional copies, the controller can ask for a reasonable fee.
However, before considering charging such a fee, it is advisable to look at the request and assess whether or not it is a ‘new’ request. Only when the request is not ‘new’ and the data subject asks for the same copy again may a fee be charged. In any case, the request should be considered ‘new’ when the data subject requests information on data which were processed at a different time, or relating to a different set of data than the data initially requested. If the information concerns the same set of personal data as the initial request, it could be seen as asking for an additional copy (and then charging a reasonable fee should be allowed).
In principle, the controller must provide the information on the processing in a complete, correct and up-to-date way. This obligation could be quite burdensome for controllers that process large amounts of personal data concerning data subjects (even more so if we take into account the sharp rise in access requests in recent years). The EDPB acknowledges this potential burden by stating: “The controller then faces problems of how to give a full answer while simultaneously avoiding the creation of an overflow of information for the data subject that the data subject is not interested in and cannot effectively handle”. The solution suggested by the EDPB is to provide a ‘self-service tool’ in online contexts.
If this is not possible, another possibility is to ask the data subject to specify the information or processing to which the request relates before providing all the information. However, if the data subject still requests the information in general terms, the EDPB states that the data controller should provide all the information relating to the processing of the personal data of that data subject.
How much information a controller may require in order to identify the data subject making the request is a question that the GDPR does not answer. The EDPB clarifies that “as a rule, the controller cannot request more personal data than is necessary to enable this identification, and the use of such information should be strictly limited to fulfilling the data subject’s request”.
Article 12(6) GDPR gives controllers the possibility (when having reasonable doubts concerning the identity of the natural person making the request) to ask the data subject to provide additional information to confirm his or her identity.
The EDPB provides some important guidance on requesting a copy of an identity document as part of the authentication process. According to the EDPB, this can create a risk for the security of personal data and may lead to unauthorised or unlawful processing. Therefore, it can only be implemented if it is strictly necessary, suitable and in line with national law. In any case, when a copy of an ID card is used for confirming the identity of the data subject, it should be possible for data subjects to black out information that is not necessary for identification. The EDPB states that, in principle, the date of issue or expiry, the issuing authority and the full name of the individual should be sufficient. The EDPB even suggests that “if the data subject does not know how or is not able to blacken such information, it is good practice for the controller to blacken it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.”
After confirming the identity of the data subject by checking the copy of the ID card, the controller should delete the copy immediately, because storing the copy might constitute a breach of the principles of purpose limitation and storage limitation (art. 5.1(b) and (e) GDPR). The EDPB recommends, as good practice, that the controller, after checking the ID card, makes a note (e.g. "ID card was checked") to avoid unnecessary copying or storage of copies of ID cards. In this context, we would also like to refer to Article 11 GDPR, on the basis of which it is not required to retain personal data for the sole purpose of demonstrating compliance with the GDPR.
The EDPB discusses a number of instances in which the right of access can be restricted, but gives them a rather limited scope. It should be highlighted that the EDPB clearly states that “the right of access cannot be limited or restricted as part of a contract entered into with the data subject”.
A first instance where the right of access can be restricted is when providing a copy would adversely affect “the rights and freedoms of others”. Recital 63 GDPR gives some examples of “rights and freedoms of others”, such as:
The EDPB clarifies that “these should be regarded as examples, as in principle any right or freedom based on Union or Member State law may be considered to invoke the limitation of Art. 15(4) GDPR”. Other examples that are mentioned in the guidelines are:
Secondly, a controller can refuse a request for access which it considers unfounded or excessive. “Excessive” is linked to the number of requests for access made by the data subject. The EDPB defends the view that if a request requires “a vast amount of time and effort” to satisfy, this does not in itself make it excessive. The EDPB does provide some examples of what may be excessive. For example:
The EDPB’s guidance takes a strong position and states that, beyond the specific limitations mentioned, there is no proportionality limitation on the search required to comply with a request for access. Hence, the controller will have to search all IT systems and non-IT filing systems for information on the processing of the personal data of the data subject making the request. This position could be considered quite controversial, as the concept of proportionality is an established principle of EU law (see Article 5(4) TFEU).
The EDPB’s guidance is very welcome, but some open questions remain. For example, a question that remains unanswered is what to do when an employee wants to obtain a copy of all emails that mention his or her name. A German Federal Labour Court previously ruled that these types of requests are not sufficiently precise.
It will be interesting to see whether the Court of Justice will follow the guidance provided by the EDPB in some preliminary proceedings that are currently pending. These include:
The consultation period will end on 11 March 2022. It remains to be seen whether there will be any changes in the final version of the guidelines.