On 28 March 2023, the European Data Protection Board (EDPB) adopted its final Guidelines 01/2022 on data subject rights – Right of access at the end of the public consultation period. The aim of the Guidelines is to provide insight into different aspects of right of access and how it must be implemented in different circumstances.
The main objective of the right of access is to provide the data subject with appropriate information held on them in a transparent and easily accessible manner, irrespective of the technology that is in use.
The Guidelines offer detail and clarity on all aspects of the right of access, including how to respond and how to comply. This article selects and expands on the following four topics:
- The definition of personal data;
- The scope of right of access;
- How the data controller should provide access when requested; and
- Limitations on the right of access.
The right of access includes three different components:
- Confirmation as to whether data about an individual is processed or not,
- Access to this personal data, and
- Access to information about the processing, such as purpose, categories of data and recipients, as well as data subjects’ rights as per Art. 15 of the GDPR.
The data subject shall have the right to obtain from a data controller confirmation as to whether or not personal data concerning them are being processed and where that is the case, have access to the personal data.
Key discussion points in the new Guidelines
- The definition of personal data
The Guidelines confirm that the scope of the right of access is determined by the scope of the concept of personal data and therefore clarify the definition of personal data. The right of access can only be exercised with regard to processing of personal data that is within the material and territorial scope of the GDPR. Personal data that are neither processed by automated means nor part of (or intended to become part of) a filing system, as per Art. 2(1) of the GDPR, are not covered by the right of access.
- The scope of right of access
Data subjects are entitled to access all data processed relating to them, or to parts of that data depending on the scope of the request. The data controller must provide full disclosure of all data unless the individual has explicitly requested otherwise. For example, if the data subject has explicitly submitted a request for a subset of data, a data controller may consider only the data requested.
- How the data controller should provide access when requested
The right of access may be easy and straightforward to apply in some situations, but less so in complex data processing activities. Depending on the situation, a data controller responding to a request must use the most appropriate technical and organisational measures.
Furthermore, when providing a large amount of information the data controller should use a layered approach to ease understanding for the data subject.
- Limitations on the right of access
Art. 12 of the GDPR allows a data controller to set aside requests that are manifestly unfounded or excessive. To what extent can a controller rely on this? The Guidelines state that a request can be considered "manifestly unfounded" if the requirements of Art. 15 of the GDPR are clearly and obviously not met.
A request may qualify as excessive when, for example, a data subject submits repetitive requests at unreasonable intervals. In this regard, a data controller should take into account:
- how often the data is altered (is the information unlikely to have changed between requests?),
- the nature of the data,
- the purpose of the processing, and
- whether the subsequent requests concern the same type of information or processing activities or different ones.
The data controller should analyse the content and scope of each request on its own merits, irrespective of similar requests made in the past by the data subject.
A data controller may charge a reasonable administrative fee or refuse to comply with the request if the request is deemed to be manifestly unfounded or excessive. Note that under Art. 12 of the GDPR the controller bears the burden of demonstrating that the request is manifestly unfounded or excessive, so the reasons for that assessment should be documented.
How to improve compliance
- Review current right of access processes against the adopted Guidelines and update appropriately.
- Review internal policies, for example data protection and subject access request (SAR) policies.
- Draw on the Guidelines to update training on SARs: how to recognise them and how to respond in a compliant manner.
How we can help
Trilateral's Data Protection and Cyber Risk Team has dedicated data protection specialists with extensive expertise and experience in supporting public and private sector organisations. We can assist you with all aspects of the right of access, e.g., SAR policies and procedures, as well as data subject access requests, by providing you with a comprehensive analysis of each request you receive. Please contact us; we would be very happy to assist you.