Earlier this year, the European Data Protection Board (EDPB) published new guidelines on data subject rights, focusing on the right of access.
According to the EDPB, these guidelines aim to analyse the different aspects of the right of access and to provide more precise guidance on how the right of access should be implemented in different situations.
The guidelines remain in draft form at this time; interested stakeholders were able to submit comments to the EDPB until March 11, 2022. These comments, which can be viewed on the EDPB website, provide an interesting insight into the various concerns and struggles that individuals and organisations have in relation to the regime.
Although the guidelines are non-binding, when combined with the ICO's detailed subject access guidance, data controllers now have considerable regulatory resources to draw upon when considering how to proceed with data subject access requests (DSARs).
At 60 pages, the guidelines are quite lengthy, and while data controllers are urged to read them in their entirety, we have compiled edited highlights below.
The guidelines open with an introduction, which attempts to (re)put to bed an issue that case law has already confirmed: namely, that individuals do not need to explain why they are making a request, and that having an ancillary purpose is not a reason to refuse to comply with a DSAR. The introduction states: “The general objective of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can become acquainted with and verify the lawfulness of the processing and the accuracy of the data processed […] However, the data subject does not have to justify the request for access and it is not for the data controller to analyse whether the request will actually help the data subject to verify the lawfulness of the processing concerned or to exercise other rights.”
The EDPB takes a fairly broad view of the information that will fall within the scope of a DSAR, noting: “The right of access refers to personal data relating to the person making the request. This should not be interpreted too restrictively…” and that “the GDPR allows certain limitations to the right of access. There are no other exemptions or derogations. The right of access is exercised without any general reservation of proportionality with regard to the efforts that the controller must make to comply with the request of the data subject.” (Emphasis by author.)
The comments on proportionality will provide arguments to committed claimants and worry data controllers, and are not clearly in line with all existing case law. See, for example, the decision of the Court of Appeal in Ittihadieh. Controllers will need to assess to what extent the specifics of a particular case might warrant a more limited approach than that envisaged by the EDPB. Does this mean that no stone can be left unturned?
Third Party Information
One of the exemptions set out in the GDPR concerns third-party information. It is clear that the right to receive information under a DSAR must not infringe the rights and freedoms of others. However, it is also clear that it is up to the data controller to “demonstrate that the rights or freedoms of others would be prejudiced ‘in the concrete situation’”, and that this “should not lead to a total refusal of the request of the data subject; it should only have the effect of omitting or rendering illegible the parts likely to have negative effects on the rights and freedoms of others.” Ultimately, this will require controllers to perform a balancing act.
A few interesting points about “rights and freedoms” emerge from the guidelines:
- that “rights and freedoms” include certain economic rights – trade secrets or intellectual property – and that they include “any other person or entity with the exception of the data subject who exercises his right of access. Therefore, the rights and freedoms of the controller or processor (trade secrets and intellectual property, for example) could come into consideration”; and
- with regard to expansive and difficult DSARs in an employment context, that “the right to privacy of correspondence should be considered, for example with regard to private correspondence by e-mail in the context of employment”.
However, while these statements can certainly be interpreted in a controller-friendly manner, “it is important to note that not all interests equate to ‘rights and freedoms’ […] For example, a company’s economic interests in not disclosing personal data should not be taken into account…because these are not trade secrets, intellectual property or other protected rights.”
The application of these principles will also need to be carefully considered on the particular facts of each claim.
Excessive or unreasonable?
Apart from third-party information, controllers may refuse to act on manifestly unfounded or excessive requests, or charge a reasonable fee for such requests.
The EDPB guidelines specify that these concepts must be interpreted restrictively and that it will be up to the controller to demonstrate the manifestly unfounded or excessive nature of a request.
Scale alone will not be enough to rely on these exemptions: “the fact that it would take a lot of time and effort for the controller to provide the information or the copy to the data subject cannot alone make the request excessive.”
Nor can history alone be relied upon: “A controller should not assume that a request is manifestly unfounded because the data subject has previously submitted manifestly unfounded or excessive requests or because it contains non-objective or inappropriate language.”
The guidelines state that “a request should not be considered excessive on the grounds that:
- no reason is given by the data subject for the request or the controller considers the request to be meaningless;
- inappropriate or rude language is used by the data subject;
- the data subject intends to use the data to lodge further claims against the controller.”
However, an overlapping request can generally be considered excessive if and to the extent that it relates to exactly the same information or processing activities and the previous request has not yet been answered by the controller. In addition, requests may be considered excessive if:
- “an individual makes a request, but at the same time offers to withdraw it in exchange for some form of benefit from the controller; or
- the request has malicious intent and is used to harass a controller or its employees for the sole purpose of causing disruption, for example on the basis that the person has explicitly stated, in the request itself or in other communications, that it intends to cause disruption and nothing else; or
- the individual consistently sends different requests to a controller as part of a campaign, such as once a week, with the intent and effect of causing disruption.”
The EDPB stresses that controllers are generally not required to charge a reasonable fee before refusing to act on a request. However, they are not completely free to choose between the two alternatives either: controllers must make an appropriate decision based on the specific circumstances of the case.
Channel for requests
Another point of interest for large data controllers with many employees is the guidance on communication channels. The guidelines state: “If the data subject makes a request using a communication channel provided by the data controller, which is different from the one indicated as being preferable, this request is, in general, considered effective and the data controller should process such a request accordingly.” However, “it should be noted that the data controller is not obliged to act on a request sent to a random or incorrect email (or postal) address, not provided directly by the data controller, or to any communication channel which is clearly not intended to receive requests concerning the rights of the data subject, if the controller has provided an appropriate channel of communication which can be used by the data subject.”
This could be useful where a data subject objects to the speed with which a controller has processed their request in circumstances where it took time for the request to reach the right team.
The guidelines could still be updated following the now closed consultation. The comments relating to proportionality, in particular, are likely to cause difficulties for controllers if left unchanged, and this is an area that was picked up in the responses to the consultation.
Despite this, data controllers have some positives to take from the guidelines. All controllers, including those in the EU, should note that while the guidelines provide detailed guidance to data controllers and courts, they are not legally binding and a court may choose not to follow them. Nevertheless, data controllers would be well advised to keep the guidelines in mind when responding to a DSAR.