EDPB Published Draft Guidelines on Data Subject Access Rights

1 February 2022

The European Data Protection Board (“EDPB”) published its Guidelines 01/2022 on data subject rights – Right of access (the “Guidelines”) for public consultation. The right of access to personal data is one of the data subject rights provided in Chapter III of the General Data Protection Regulation (“GDPR”), among other rights.

In its Guidelines, the EDPB stresses that this right aims to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data, which will make it easier for them to exercise other rights granted under the GDPR. According to the EDPB, the right of access consists of three components:

  1. Confirmation as to ‘whether’ or not personal data are being processed;

  2. Access to the personal data being processed: if no limits or restrictions (as further detailed below) apply, data subjects are entitled to have access to all data processed related to them, depending on the scope of their requests; and

  3. Information on the processing and on data subject rights: such information can be based on the controller’s privacy policy, but may have to be updated and tailored to the data subject making the request.

The EDPB underlines that controllers should be proactively ready to handle data subject access requests, and the way of doing so should be adequate and proportionate depending on the nature, scope, context and purpose of processing, as well as the risks to the rights and freedoms of natural persons. For example, controllers may be required to implement an appropriate procedure that guarantees the security of the personal data when exercising the data subjects’ rights.

According to the Guidelines, when handling data subject access requests, controllers should address the following issues:

  1. Does the request concern personal data? Any request for information which is not considered personal data under the GDPR, such as information about the controller or anonymous data, is outside the scope of the right of access.

  2. Does the request relate to the requesting person? An access request can be made only by the data subject whose personal data is requested, or by another person subject to appropriate authorization.

  3. Do provisions other than the GDPR, regulating access to a certain category of data, apply? In cases where the data subject clarifies that the request is based on sectorial legislation or on national legislation regulating specific access rights in addition to the GDPR, the controller may be required to provide separate replies, depending on the case. In any case, if the request is aimed at obtaining access under the GDPR, the existence of specific legislation should not override the obligations under the GDPR, to the extent that no restrictions set out by EU or national law apply.

  4. Does the request fall within the scope of Article 15? There are no formal requirements for requesting access to data under the GDPR, and the EDPB advises that controllers should be lenient towards persons indicating that they wish to obtain access to their personal data, especially when the requesting person is a minor.

  5. What is the scope of the request? Unless specifically requested otherwise, the access request should be understood as referring to all personal data concerning the data subject that the controller processes.

The EDPB further clarifies that a controller is not obliged to act on a request sent to a random or incorrect address, or to any communication channel that is clearly not intended to receive requests regarding data subjects’ rights. This includes cases where the request was sent to the email address of a controller’s employee who may not be involved in processing data subject requests, provided the controller has made an appropriate communication channel available for this purpose. In this regard, the EDPB recommends that controllers implement mechanisms to improve internal communication between employees on such matters.

Furthermore, the Guidelines address the limits and restrictions of the right of access. The EDPB clarifies that the limitation provided under Article 15(4) GDPR, according to which the right to obtain a copy of personal data shall not adversely affect the rights and freedoms of others, cannot lead to a general refusal to provide information to the data subject. As for the limitation provided under Article 12(5) GDPR, which enables controllers to reject, or charge a reasonable fee for, “manifestly unfounded or excessive” requests, the EDPB stresses that a request can be considered “manifestly unfounded” only if the requirements of Article 15 GDPR are not met, and “excessive” only if the data subject is making repetitive requests at unreasonable intervals, depending on the specific circumstances of the request. Therefore, the mere fact that it would take the controller a vast amount of time and effort to provide the requested information will not render a request excessive.

Lastly, the EDPB underlines that controllers should take into account further restrictions to the right of access contained in EU or in EU Member State laws, in accordance with Article 23 GDPR.

The draft Guidelines are open for public consultation until 11 March 2022.

Please feel free to contact us if you have any questions regarding the implications of these Guidelines and other data subject rights under the GDPR on your practices.

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
