Date Published 12/07/2022
GDPR: New Guidelines on Right of Access
The European Data Protection Board (the “EDPB”) has recently adopted draft guidelines (the “Guidelines”) on the data subject’s right of access under the General Data Protection Regulation (“GDPR”). This has become an increasingly controversial issue, with claims by corporates that the right is being “weaponised” by plaintiffs in litigation proceedings. The Guidelines are aimed at providing greater clarity to assist in the application of this right.
Background
Under Article 15 of the GDPR, data subjects have a right to access all personal data which an organisation processes relating to them. Data controllers are also obliged to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data in order for them ‘to be aware of, and verify, the lawfulness of the processing’. The Guidelines provide a comprehensive breakdown of data access requests, give guidance on how to effectively manage and fulfil these requests, and offer practical related guidance with examples for further clarity. The Guidelines provide an analysis of the various aspects of the right.
Scope of the requests and presenting information to data subjects:
The Guidelines reiterate that there must be full disclosure of all data relating to the data subject, and that access should only be limited where the data subject explicitly limits the request, or where the controller possesses large amounts of data and there are doubts as to whether the request aims at receiving information on all data being processed. In this situation, the Guidelines acknowledge that the controller faces a difficulty in fully complying while trying to avoid providing information which was not requested or which cannot be effectively dealt with by the data subject.
To overcome this, the Guidelines suggest adopting a layered approach to providing the data or providing a self-service tool. A layered approach should, however, only be used where it is considered difficult for the data subject to comprehend the data if given in its entirety, and it should not create an extra burden for the data subject. In addition to the above, data controllers should also be aware of the limitations provided for within the GDPR.
Providing appropriate communication channels for requests:
The EDPB encourages controllers to provide user-friendly communication channels to enable data subjects to make an effective request. It acknowledges that controllers are not obliged to act on requests sent to communication channels which are clearly not intended to receive such requests.
Verifying identity:
Where the identity of the data subject needs to be verified via an ID document (in line with any national laws and the principles of the GDPR), the EDPB recommends, as good practice, simply making a note that the ID card has been checked rather than retaining a copy of it.
Conclusion and action required:
The Guidelines are a helpful tool for data controllers. However, they confirm the broad nature of Article 15 and the high standard expected of controllers in complying with these requests. Controllers are expected to be proactively ready to handle requests, which entails being prepared to receive, assess and reply to them without undue delay. In light of this and the Guidelines, controllers should take time to review their current policies and identify any shortcomings.