The European Data Protection Board (EDPB) has published new guidelines on individuals' right to access their data, including that held by employers and former or prospective employers.

Under the GDPR, every 'data subject', including job applicants, (former) employees, etc. has the right to request access to all data held on him or her by the data controller (employer). In addition, the data subject may even request a copy of all this data. At the end of January 2022, the European Data Protection Board (EDPB) published new guidelines on the scope of this right. After the end of the public consultation period, the guidelines will be definitively adopted.

What is the 'right of access'?

The right of access is provided for in Article 15 of the GDPR. The purpose of this right is to give individuals sufficient, transparent and easily accessible information about the processing of their personal data, so that they can verify the lawfulness of the processing and the accuracy of the data processed.

The right of access has three components:

  • confirmation whether or not personal data relating to the data subject is being processed;
  • access to this personal data; and
  • access to information regarding the processing, such as the purpose, the categories of data and recipients, the duration of processing, the rights of the data subject and the appropriate safeguards in the event of data transfer to third countries.

What is the procedure for requests?

There are no specific formal or substantive requirements for the request, nor does the data subject have to provide a justification for his or her request. The requester does not have to explicitly refer to the right of access or the GDPR.

The data controller must provide appropriate and user-friendly communication channels that the data subject can easily use. However, the data subject is not obliged to use these specific channels and may instead send a request to an official contact point of the company. The controller may only disregard the request if it is sent to a completely random or manifestly incorrect (email) address. In other words, a request cannot be ignored merely because it is not addressed to the contact person and/or the email address listed in the organisation's privacy policy. If the controller has reasonable doubts about the identity of the person making the request, it may ask for additional information to confirm that identity, but only as much as is necessary for that purpose; identity verification may not be used as a pretext to collect more personal data than the controller already holds or needs.

What personal data must be provided?

The right of access has a broad scope: in addition to basic personal data, according to the EDPB it also includes, for example, subjective notes made during a job application, a history of internet and search engine activity, etc.

Unless explicitly stated otherwise, the request must be understood to relate to all personal data relating to the data subject, but the controller may ask the data subject to specify the request if it processes a large amount of data. This applies to each request: if a data subject makes more than one request, it would therefore not be sufficient to provide access only to the changes since the last request.

Even data that may have been processed incorrectly or unlawfully should be provided. Data that has already been deleted, for example in accordance with a retention policy, and is therefore no longer available to the controller, does not need to be provided.

Specifically, the controller will have to search all IT systems and other archives for personal data using search criteria that reflect the way the information is structured, for example, name and customer or employee number.

How should the request be answered?

The main way to respond to an access request is to provide the data subject with a copy of his or her data, but other approaches (such as providing the information orally or through on-site access) may be used if the data subject requests them. It is up to the data controller to decide which form is most appropriate for providing the data: by post, by email (provided that all necessary security safeguards, such as encryption, are applied), on a USB stick, etc.

In any event, the communication of data and other information relating to the processing must be sent in a concise, transparent, intelligible and easily accessible form, using clear and simple language. As regards the information on the processing, it is not sufficient to simply copy the text of the privacy notice in the reply to the data subject: the text from the privacy notice will have to be specified according to the processing activities relevant to the data subject. For example, if the privacy notice mentions in general terms that employees' personal data may be transferred to 'hotels' for business trips, the reply to the data subject will have to specify to which hotels the employee's personal data has been transferred.

What is the deadline for replying to the request?

The request must be answered as soon as possible and in any event within one month of receipt (e.g. a request received on 5 March must be answered by 5 April at the latest). If the last day of the deadline falls on a weekend or public holiday, the deadline is extended to the next working day. If it is necessary to verify the requester's identity (e.g. by requesting a copy of his or her identity card), the period only starts to run once the controller has obtained the necessary certainty about the requester's identity.

This one-month period may be extended by two months if necessary, taking into account the complexity of the request and the number of requests. The data subject must then be informed of the reason for the delay. This exception should be interpreted restrictively, as according to the EDPB, the data controller must proactively put in place systems to respond quickly and accurately to a request to exercise the right of access.

The data controller should take the necessary measures to deal with requests as soon as possible. When processing a large amount of data, the controller will therefore have to build in mechanisms that are appropriate to the complexity of the processing. According to the EDPB, the mere fact that an organisation is large and receives many requests should not automatically lead to an extension of the deadline.

Can access be denied for certain reasons?

The GDPR allows certain restrictions to the right of access:

  • The right of access may not infringe the rights and freedoms of others. According to the EDPB, however, this should not lead to a complete denial of the request: it could only lead to parts that could negatively affect the rights and freedoms of others being either removed or redacted.
  • Requests that are manifestly unfounded or excessive may be refused or may justify the imposition of a reasonable charge to cover administrative costs. However, these notions are to be interpreted narrowly according to the EDPB, which means that the scope to consider a request as manifestly unfounded or excessive is rather limited.

Action point

Ensure that you have clear internal procedures in place within your company that enable you to respond in a timely and accurate manner to requests for access from data subjects such as employees, former employees and customers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.