On January 28, 2022, the European Data Protection Board (“EDPB”) initiated a public consultation on its draft Guidelines 01/2022 on data subject rights – Right of access (“draft Guidelines”). Running to 60 pages, the draft Guidelines cover a range of topics relating to the right of access, including analyzing a request; establishing the identity of the requesting data subject; assessing the scope of the right of access; guidance on how controllers can comply with a request; and limitations on the right of access. The draft Guidelines provide important clarifications as to how EU supervisory authorities interpret the GDPR’s access right, which we set out below.
Complying with a Request
- Form of the request: Controllers can receive access requests through any number of communication channels. The EDPB confirms that a controller is not obliged to act on requests sent to “a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests concerning data subject’s right, if the controller has provided an appropriate communication channel, that can be used by the data subject.” The EDPB clarifies that this point applies only to requests sent to communication channels where the data subject cannot reasonably expect that it is the appropriate contact address for such requests. This would not include situations where a data subject sends a request to the controller’s employee who deals with the data subject’s affairs on a daily basis (e.g., a personal account manager). In practice, therefore, it is unlikely that controllers will routinely be able to rely on this guidance to not comply with a request.
- Wording of the request: The EDPB states that an access request should be understood in broad terms. The draft Guidelines recognize, however, that it is possible to limit access to information in various situations, including:
  - When the data subject’s own request is for a subset of data.
  - Where a controller processes a large amount of personal data about a data subject and “may have doubts” as to whether the data subject does want to receive “all” data processed about them; in such cases, the controller may ask a data subject to specify the scope of their request (the controller is expected to play a role in helping the data subject to understand the processing activities that may affect them as part of clarifying the scope of their request).
  - Where an exception or restriction of the access right applies (on which, see more detail, below).
- Providing a copy: Many data subjects understand their right of access to relate to access to documents, rather than the personal data contained in those documents. The EDPB confirms the position, as set out in CJEU case law, that data subjects have a right to access their personal data, and not necessarily to the documents in which that personal data is contained. This guidance supports the approach, taken by some controllers, of extracting personal data from original documents and putting it into a new document that is then furnished to the data subject.
- Deadline for responding: Many controllers take the full 3 months, as permitted by the GDPR, in order to comply with access requests. The EDPB, however, emphasizes that extending the default timeframe of 1 month by a further 2 months, as is permitted, to respond to a request “is an exemption from the general rule and should not be overused.” In the EDPB’s view, the mere fact that complying with a request would require great effort does not make the request complex; the EDPB adds that “[i]f controllers often find themselves forced to extend the time limit, it could be an indication of a need to further develop their general procedures to handle requests.”
- Information rights: Currently, many controllers provide data subjects with a copy of an applicable privacy notice under Article 13 and/or 14 of the GDPR to comply with requests under Article 15(1) and (2) of the GDPR. The EDPB considers that to some extent, this is appropriate, and that there will be certain information about processing activities that will not change across different access requests (e.g., information about data subject rights); this information may be “communicated in general terms” such as via a privacy notice. In other cases, however, it is necessary for controllers to tailor the information provided to data subjects in order to reflect processing operations actually carried out with regard to the requesting data subject.
Limiting Access based on the Rights and Freedoms of Others
The EDPB also discusses some of the GDPR exemptions to the access right in the draft Guidelines, including where disclosing personal data might interfere with the rights of third parties. In accordance with Article 15(4) of the GDPR, the right to obtain a copy of personal data “shall not adversely affect the rights and freedoms of others.” Recital 63 of the GDPR further explains that the right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and, in particular, the copyright protecting software.
The EDPB explains that “[t]hese explicitly mentioned rights and freedoms should be regarded as examples, as in principle any right or freedom based on Union or Member State law may be considered” to invoke the limitation of Article 15(4) of the GDPR. In particular, the EDPB gives an example of the right to confidentiality of email correspondence in an employment context as a right that should be taken into account. This will be particularly relevant for controllers dealing with access requests from employees, where they are asked to search other employees’ email inboxes.
The EDPB confirms, however, that “the result of those considerations should not be a refusal to provide all information to the data subject.” Where a controller considers that complying with an access request would adversely affect the rights and freedoms of others, the controller should try to reconcile the conflicting rights (e.g., by removing or redacting third-party information). If it is not possible to reconcile the competing rights in this way, the controller will have to decide which party’s rights will prevail.
The public consultation ends on March 11, 2022. Please contact us if you would like to respond to the public consultation, or if you would like advice on the draft Guidelines.