The European Data Protection Board ('EDPB') recently published draft Guidelines ('the Guidelines') on the right of access (www.pdp.ie/docs/11025), bringing some clarity to several operational aspects of responding to access requests. Whilst the Guidelines are informative, they raise the bar in regard to what is expected of controllers. In particular, the EDPB's rejection of any proportionality limit with regard to the efforts a controller has to take to comply with the data subject's request is surprising.

This article examines the new Guidelines and offers guidance on the steps that organisations should take in light of them.

Background

The right of access set out in Article 15 of the GDPR provides individuals with a right to:

  • confirmation as to whether or not personal data relating to them are being processed;
  • certain prescribed information about the processing of their data; and
  • a copy of their personal data.

However, an individual's right of access is not absolute and is subject to certain statutory exemptions under the GDPR and the Data Protection Act 2018 ('DPA 2018'). Whilst the Data Protection Commission ('DPC') has published general guidance on subject access requests, including FAQs (www.pdp.ie/docs/11026), much uncertainty remains about several operational aspects of responding to requests. The Guidelines have therefore been broadly welcomed.

Four key operational steps when handling access requests

Organisations generally take four key operational steps on receipt of an access request, namely:

  • assessing the validity of the access request;
  • searching for personal data relating to the requester;
  • considering whether any statutory exemptions apply; and
  • responding to the request.

The Guidelines provide some helpful clarity in regard to these steps.

Step 1: Assessing the validity of the request

Form of the request: The GDPR does not require an access request to be in any particular form—a request can be made verbally or in writing, and does not need to refer to either the GDPR or the DPA 2018. Whilst controllers may request that individuals use standard or online forms in order to submit access requests, and Recital 59 GDPR even encourages this for electronic requests, the Guidelines warn that use of these forms should not be compulsory. Data subjects must also be permitted to make requests by other means, such as by post, email, or by telephone call.

Scope of 'personal data' relating to the requester: Readers will be aware that under the GDPR, an access request only covers personal data relating to the requester. Access to other people's data can only be requested by a third party subject to appropriate authorisation.

The GDPR definition of 'personal data' is very broad. It includes any information 'relating to' an identified or identifiable person. EU case-law and guidance from the Article 29 Working Party (the predecessor to the EDPB) indicate that information will 'relate to' an individual where, by reason of its content, purpose or effect, it is linked to a particular person. The Guidelines point out that the right of access extends not only to data provided by the data subject, but also to data observed about the data subject by virtue of their use of a service (e.g. transaction history), and to data derived from other data (such as a credit ratio). It also covers not just objective information about the requester, but also subjective information in the form of opinions and assessments.

'Undergoing processing': The right of access applies to any personal data 'undergoing processing' by controllers. The word 'processing' is defined broadly in the GDPR, and includes storage of personal data. It is not surprising, therefore, that the Guidelines assert that the right of access also applies to archived and backup data where access to such data is 'technically feasible'. In practice, this means that backup and archive systems need to be included in the scope of the search, and that a controller should be able to demonstrate why retrieval from a particular system is not technically feasible if it relies on that qualification.

Identity verification: Having a general policy of asking individuals for additional identity information whenever they exercise their data protection rights may breach the GDPR, because the GDPR only permits proof of identity to be requested where there is 'reasonable doubt' about an individual's identity. Even where reasonable doubt exists, requesting a copy of official ID, such as a passport or driving licence, may be deemed excessive and in breach of the GDPR's data minimisation principle when less intrusive authentication measures are available, such as sending a verification email or a one-time code by text message to the contact details already held for the individual.

The Guidelines emphasise that the method used for identity verification must be proportionate in light of the nature of the data being processed (for example, Special Category data), and the damage that could result from improper disclosure. Where an identity document is sought, the Guidelines recommend as good practice that the controller, after checking the ID document, makes a note that 'ID was checked', and avoids unnecessary copying or storage of copies of the ID.

In a case study in the DPC's Annual Report for 2021, the DPC warned that a request for official ID is only likely to be proportionate to validate identification where the data being processed are sensitive in nature, and where the information on the official ID, such as a photo, address, or date of birth, can be corroborated with the personal data already held by the controller.
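The following is an added illustration of the less intrusive verification route described above, and is not code from the Guidelines, the DPC or the article's authors. It assumes a hypothetical in-memory store standing in for a database, a code lifetime of 15 minutes and a limit of five attempts (all assumptions chosen for the example). The one-time code is delivered to the e-mail address or mobile number already on file, so the controller corroborates identity against data it already holds rather than collecting an ID document; only a salted hash of the code is stored, and on success the store records a note that 'ID was checked' with the method used, not a copy of any identity data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Policy parameters: assumptions for this example, not values taken from the Guidelines.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5


@dataclass
class Challenge:
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class VerificationStore:
    """Hypothetical in-memory stand-in for a database table: one open challenge per request."""
    challenges: Dict[str, Challenge] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)


def _hash_code(salt: bytes, code: str) -> bytes:
    # HMAC-SHA256 keyed with a per-challenge salt: the plaintext code is never
    # persisted, and a leaked table cannot be replayed against another request.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def issue_challenge(store: VerificationStore, request_id: str, now: Optional[float] = None) -> str:
    """Create a one-time code for an access request and return it for delivery
    to the contact channel already on file (e-mail or mobile number)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    salt = secrets.token_bytes(16)
    store.challenges[request_id] = Challenge(salt, _hash_code(salt, code), now + CODE_TTL_SECONDS)
    return code  # the caller sends this to the data subject; it is not stored


def verify_challenge(store: VerificationStore, request_id: str, submitted: str,
                     now: Optional[float] = None) -> str:
    """Check a submitted code. Returns 'verified', 'rejected', 'expired',
    'locked' (attempt limit reached) or 'no_challenge'."""
    now = time.time() if now is None else now
    ch = store.challenges.get(request_id)
    if ch is None:
        return "no_challenge"
    if ch.attempts_left <= 0:
        return "locked"  # the correct code is refused once the limit is hit
    if now > ch.expires_at:
        del store.challenges[request_id]
        return "expired"
    ch.attempts_left -= 1
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(ch.code_hash, _hash_code(ch.salt, submitted)):
        del store.challenges[request_id]
        # Record that identity was checked and how, without storing any ID data.
        store.audit_log.append({"request": request_id, "note": "ID was checked",
                                "method": "one-time code to contact details on file",
                                "at": now})
        return "verified"
    return "locked" if ch.attempts_left == 0 else "rejected"


if __name__ == "__main__":
    store = VerificationStore()
    code = issue_challenge(store, "DSAR-0001")
    print("delivered code:", code)
    print(verify_challenge(store, "DSAR-0001", code))
    print(store.audit_log)
```

The design choice worth noting is that the verification step adds no new personal data to the controller's records: the challenge is hashed, deleted on success or expiry, and the only thing retained is the audit note recommended by the Guidelines. Where the data are sensitive and this channel is not considered strong enough, the same flow can be run against a second contact channel already on file before falling back to an identity document.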

We have seen Supervisory Authorities starting to take enforcement action against organisations for requesting excessive identity verification documentation, with the Spanish SA recently imposing a €240,000 fine, and the Dutch SA imposing a €525,000 fine.

Step 2: Searching for the personal data

Proportionality test: The most difficult part of responding to an access request is often deciding on the scope of the search for personal data. To date, there have been strong grounds to believe that a controller is only required to take reasonable and 'proportionate steps' to search for personal data, in line with the EU principle of proportionality. However, the Guidelines reject the application of any proportionality test with regard to access requests, adopting the view that as the doctrine of proportionality is not expressly referred to in Article 15 of the GDPR, it should not apply to access requests. If this view is endorsed in the finalised guidelines and enforced by Supervisory Authorities, it is likely that it will be subject to challenge in the courts.

Whilst the Irish courts have not to date considered whether the EU principle of proportionality can be invoked by a controller to justify limiting its duty to respond to a costly or burdensome access request, there are good reasons to believe that it is a legally permissible approach. The concept of proportionality is a core doctrine of EU law, and is specifically recognised by Article 5(4) of the Treaty on European Union and by the Court of Justice of the EU. In addition, Recital 4 of the GDPR acknowledges in clear terms that the right to data protection is not absolute, and has to be balanced against other fundamental rights in accordance with the principle of proportionality. It is arguable that this means the right of access should be balanced against a controller's freedom to conduct a business under Article 16 of the Charter of Fundamental Rights of the European Union.

Asking data subjects to specify the scope of requests: Whilst clarity from the courts on the application of the proportionality test to access requests is awaited, there are certain steps controllers can take to assist with responding to requests. In particular, where a controller processes a large amount of data relating to the data subject, it can request that the data subject specifies the information or processing activities to which the request relates (as per Recital 63 GDPR). However, if the data subject declines to narrow the scope of their request, the controller is obliged to provide all personal data relating to the data subject. This will effectively require the controller to search all electronic information and structured manual filing systems for any personal data relating to the data subject.

Use of search terms: The Guidelines state that when searching for personal data, controllers can use search criteria that mirror the way in which the information is structured. For example, if the information is organised in files according to customer name or number, the search can be limited to those two categories. However, if data are organised by additional categories, such as professional titles or any other kind of direct or indirect identifier, the search should be extended to include these.

It appears that the controller is free to determine the most appropriate search terms to use in order to search unstructured electronic data and structured manual files. There is no requirement or recommendation in the Guidelines to agree these search terms in advance with the data subject. However, the Guidelines assert that the controller should always be able to demonstrate that its handling of an access request aims to give the broadest effect to the right of access.


This article was first published in the Data Protection Ireland Journal.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.