New EU guidance on GDPR right of access (open for public consultation)

The “right of access” recognized by art.15 GDPR is one of the most fervently exercised rights by individuals. Nowadays, where companies tend to amass considerable amounts of information and carry out data processing activities (enhanced profiling, processing of inferred information, processing through trackers, etc.) in less discernible ways, recourse to the right to access is on the rise. Generally speaking, this right grants individuals the possibility (without requiring a justification) to obtain confirmation as to whether their data is processed or not, and to gain access to the personal data in question and to relevant information about the processing. In this context, the European Data Protection Board (EDPB) has just published its Guidelines 01/2022 on data subject rights – Right of Access (Guidance) open for public consultation until March 11. We will summarize (it is 60 pages long!) the Guidance and point to the more interesting highlights in the following sections.

The Guidance entails an extensive and deep-dive analysis on what would fall both within, and outside, the scope of the “right of access” envisaged in art. 15 GDPR. The analysis takes into account the whole “lifespan” of the right beginning when the controller receives the request, and potential limitations that may apply depending on certain criteria and circumstances. Moreover, the Guidance includes several sections that provide useful insight for the exercise of data subjects’ rights in a broader sense. Therefore, this Guidance should not only be construed as a point of reference on access requests, as its contents are relevant in respect to other rights enshrined in the GDPR. It also provides many examples which, in line with most of the guidelines issued by the EDPB, are regarded as highly illustrative and practical by privacy practitioners.

Before going forward, it is always nice starting with a look at art. 15 of the GDPR:

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where the personal data are not collected from the data subject, any available information as to their source;
    8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Without further ado, main highlights of the Guidance include:

Right of Access Basics – Scope, concept of “copy,” general principles, and formal prerequisites of the request / reply

  • The Right of Access, as envisaged under the GDPR (i.e. not to be confused with other access rights recognized under local laws or transparency obligations, for instance, in the context of public administration activities) has three, non-alternative, modalities:
1. Right to receive a confirmation as to “whether” or not personal data are being processed. It is important to point out that not only must the controller confirm when it carries out personal data processing, but also when it does not engage in any such processing.
2. Right to access the personal data being processed

It refers to all personal data (as defined in the GDPR), regardless of the type or source of collection, taking into account the limitations provided for in the GDPR. “Access” is construed as access to the actual personal data, and not to a generic description of such data, nor a summary thereof, nor a mere reference to the categories of personal data processed by the controller. As indicated in the Guidance: “This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents”.

The Guidance actually includes a list (on an inter alia basis) of the information that would be deemed as “personal data” for these purposes (e.g. inferred/derived data, pseudonymised data, observed data etc.). The examples contained therein provide useful and practical tips that can be applied in various real-life scenarios. It should also be noted that the right to data portability would entail access to a more limited amount of data.

3. Right to access information on the processing and on data subject rights. This basically refers to the elements covered under art. 15.1 and 15.2 GDPR, which are generally contained within the controller’s privacy notice and record of processing activities. Note, however, that such information may eventually differ from one data subject to another (e.g. on the basis of specific recipients of data, categories of data, relevant retention period –which is expected to offer more detail and not just be limited to a mere statement such as “deletion after expiry of the statutory storage periods”–, etc.) and, therefore, will need to be further tailored as appropriate.

Controllers must perform an initial assessment to determine what the data subject is requesting (the “why” is not generally that relevant), and whether they actually have/processed the data. Unless explicitly stated otherwise, the request should be deemed as referring to all personal data concerning the data subject (although controllers may ask for more specific indications if they process large amounts of data).

  • With regard to the provision of a copy of the data (see modality 2 above): the first free copy of the data refers (only) to a copy of the personal data that is undergoing processing, and not necessarily to a reproduction of the original documents. This would allow the data subject to be aware, and verify the lawfulness, of the processing performed by the controller. The notion of a “copy” should be interpreted broadly, and allow the data subject to retain the information and to come back to it as needed.

Controllers may charge a reasonable fee for additional copies. Further copies can be understood, in terms of time and scope, as those concerning different datasets from those referred to in the initial request. Therefore, controllers must carefully assess when they need to address a request that seeks a “first copy” and distinguish it from those that would entail a “further copy” before considering charging a fee (e.g. [re]requesting access because the data subject considers the answer was incomplete or unlawful cannot be regarded as a “new” request). Data subjects must be informed beforehand of any applicable fee in this regard. The Guidance briefly analyses the possible allocation of costs in such scenarios.

  • The general principles that inform the Right of Access refer to:
    • Completeness of the information – providing access to all data related to the data subject (including in additional requests). Information can be limited (i) when data subjects expressly request a subset of such data; (ii) when the information is sizable (the Guidance provides for alternatives on this point); and (iii) where exceptions to the right of access may be deemed applicable (more on this below).
    • Correctness of the information – the information has to comprise the actual personal data held about the data subject (including data that are inaccurate or even about processing operations that are not/no longer lawful).
    • Time reference point of the assessment – the assessment of the processed data shall reflect, as close as possible, the actual situation at the time when the controller receives the request, and the response should cover all data available at that point.
    • Compliance with data security requirements – an adequate level of security must be implemented and ensured when granting access to the personal data.
  • There are no formal requirements regarding the exercise of rights. Interestingly, the Guidance clearly establishes the following:

It should be noted that the controller is not obliged to act on a request sent to a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject's rights, if the controller has provided an appropriate communication channel, that can be used by the data subject.

The controller is also not obliged to act on a request sent to the e-mail address of a controller’s employee who may not be involved in the processing of requests concerning data subjects’ rights (e.g. drivers, cleaning staff, etc.). Such requests shall not be considered effective, if the controller has clearly provided the data subject with appropriate communication channel.

Notwithstanding the above clarifications, caution is always advised when taking this approach.

  • The Guidance provides further details on how controllers should retrieve the data and reply to the access request, linking the former to the privacy-by-design and privacy-by-default principles, as well as to the transparency principle with regard to the latter. It also describes different ways to provide access to the data (not limited to the provision of a copy thereof) in a “concise, transparent, intelligible and easily accessible form using clear and plain language” particularly where a vast amount of information needs to be provided, and taking into account the format (e.g. self-service tools).

Regarding the rules on how to reply to the access request and relevant timeframes, art. 12 GDPR should be taken into account as pointed out in the Guidance.

Questions controllers must ask themselves when receiving an access request

  • Does the request concern personal data (including pseudonymised data)? Otherwise, the request would not be within the scope of art. 15 GDPR.
  • Does the request relate to the requesting person (or the one on whose behalf it is exercised)? Access to other people’s data is not generally covered and can only be requested subject to appropriate authorisation/deed of representation issued by the third parties concerned. The Guidance includes a highly detailed and extensive analysis on the proper identification of the data subject who is exercising the right (by interpreting how, and in what conditions, art. 11 GDPR would apply), as well as of the scenario in which the right is exercised through proxies (including examples that could be deemed abusive by controllers; appropriate authentication measures such as requesting ID cards or PoAs, or cases where the rights are requested on behalf of children, etc.). This provides interesting insights into the criteria that should be applied not only in connection with the right of access, but more generally in respect of all the data subject rights recognized by the GDPR.
  • Are there other applicable provisions (different from the GDPR) regulating access to a certain category of data? In this case, it will be important for the controller to confirm if, by complying with non-GDPR laws, the request can be adequately complied with (or asking the data subject for clarification to find out whether the request also relates to data protection).
  • Does the request fall within the scope of Article 15? Controllers will need to ascertain whether, regardless of the wording used in the request, it actually relates to a right of access (e.g. someone just looking to find out what information the company has about him/her).
  • Is the data subject interested in accessing the information processed about him/her as a whole or just in part? Controllers will need to assess whether the request refers to all or parts of the information processed about them. Any limitation of the scope of a request of access made by the data subjects must be clear and unambiguous.

Limits and Restrictions of the Right of Access

  • The right to obtain a copy shall not adversely affect the rights and freedoms of others: this includes others’ (also processors’) right to personal data protection, confidentiality of correspondence, trade secrets or intellectual property and, in particular, the relevant copyright over the software. The financial interests of a company cannot be construed as a limit to the potential disclosure of personal data to the extent that such disclosure would not compromise trade secret or other protected rights.
  • Controllers may decline to act on an access request if it is manifestly unfounded or excessive:
    • Manifestly unfounded: that is, where the requirements of Art. 15 GDPR are clearly and obviously not met, or the request cannot be linked to the controller’s actual processing activities.
    • Excessive: this includes, but is not limited to, a quantity of incoming requests that cannot be justified within a given timeframe. This has to be carefully assessed depending on elements such as: how often the data is altered/modified, the nature of such data, the purposes for processing, the relevant information concerned in each request, whether the controller can address the request easily, etc. Elements such as failure to provide reasons explaining the exercise of the right, the use of impolite language, or data subjects’ intentions should not be considered. Other aspects, such as the individual proposing to withdraw the request in exchange for some form of benefit or gain, or where malicious intent to harass a controller is apparent, should indeed be taken into account for this purpose.
    • In these cases, controllers may charge a fee or refuse to comply with the request (depending on the specific case). In any event, controllers should adequately document their actions and, in case of refusal, inform the data subject of: the reason why, the right to lodge a complaint with a supervisory authority, and the possibility to seek judicial redress.
  • Other restrictions under Union or Member State law based on art. 23 GDPR. It should be highlighted that the right of access cannot be limited or restricted as part of a contract entered into with the data subject.

Flowcharts

On a final note, the Guidance includes a set of very useful FAQ-like flowcharts meant to illustrate the main issues underlying the exercise of, and response to, the right of access as addressed throughout the Guidance (and briefly summarized above).

Next steps

The public consultation period for this Guidance is expected to run until the 11th March 2022. The guidelines issued by the EDPB are always a more than welcome addition as they help clarify many questions that have been interpreted/solved by different Supervisory Authorities in the EU in a rather heterogeneous manner, and this particular Guidance will hopefully bring us a step closer to a more uniform understanding and application of the right of access - even though it nevertheless still leaves some open questions once again up to the criteria of national regulators.

This Guidance follows in the steps of the previous one related to portability, and it would not be at all surprising if the EDPB decides to take on other data subject rights in the future.


Authored by Santiago de Ampuero, Laur Badin, and Graciela Martín.