Earlier this year, the European Data Protection Board (EDPB) issued new guidelines on data subject rights.
According to the EDPB, these guidelines aim to analyse the various aspects of the right of access and to provide more precise guidance on how the right of access must be implemented in different situations.
The guidelines remain in draft for now and interested stakeholders were able to submit feedback to the EDPB up until 11 March 2022. This feedback, which can be viewed on the EDPB website, provides an interesting insight into the various concerns and struggles that individuals and organisations have in relation to the regime.
While the guidelines are not binding, when coupled with the ICO’s detailed guidance on subject access, data controllers now have considerable regulatory resources to lean on when considering how to proceed with data subject access requests (DSARs).
At 60 pages, the guidelines are fairly lengthy, and while data controllers might be advised to read them in full, we have compiled edited highlights below.
The guidelines open with an introduction, which attempts to put to bed (again) an issue that case law has already confirmed: namely that individuals do not need to explain why they have made their request, and having a collateral purpose is not a reason not to comply with a DSAR. The introduction states: ‘The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data […] However, the data subject does not have to give reasons for the access request and it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing or exercise other rights.’
The EDPB has taken a fairly expansive view of what information will fall within the scope of a DSAR, noting: ‘The right of access refers to personal data concerning the person making the request. This should not be interpreted overly restrictively...’ and that ‘the GDPR allows for certain limitations of the right of access. There are no further exemptions or derogations. The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject's request.’ (Author’s emphasis)
The comments on proportionality will provide ammunition to committed requestors and cause concern to data controllers, and are not clearly in line with all case law across the EU. See, for example, the Court of Appeal’s decision in the case of Ittihadieh. Controllers will need to take a view on the extent to which the specifics of a particular case might justify a more limited approach than that envisaged by the EDPB. Does the EDPB’s position equate to no stone being left unturned?
One of the statutory exemptions set out in the GDPR relates to third party information. It is clear that the right to receive information under a DSAR should not adversely affect the rights and freedoms of others. However, it is also clear that it is for the controller to ‘demonstrate that the rights or freedoms of others would be adversely affected ‘in the concrete situation’’, and that this ‘should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others.’ Ultimately this will require controllers to conduct a balancing exercise.
A couple of interesting points in relation to ‘rights and freedoms’ come out of the guidelines:
However, while these statements can certainly be interpreted in a data-controller friendly way, ‘it is important to note that not every interest amounts to ‘rights and freedoms’ […] For example, economical interests of a company not to disclose personal data are not to be taken into account… as they are not trade secrets, intellectual property or other protected rights.’
The application of these principles will also need to be considered carefully depending on the particular facts of each request.
Outside of information relating to others, controllers can reject requests that are manifestly unfounded or excessive, or charge a reasonable fee for such requests.
The EDPB guidelines are clear that these concepts have to be interpreted narrowly and that it will be for the controller to demonstrate the manifestly unfounded or excessive character of a request.
Scale alone is not going to cut it in terms of relying on these exemptions: ‘The fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject cannot on its own render a request excessive.’
History is also not necessarily to be taken into account: ‘A controller should not presume that a request is manifestly unfounded because the data subject has previously submitted requests which have been manifestly unfounded or excessive or if it includes unobjective or improper language.’
The guidelines specify that ‘a request should not be regarded as excessive on the ground that:
However, an overlapping request can generally be regarded as excessive, if and insofar as it covers exactly the same information or processing activities, and the previous request has not yet been complied with by the controller. In addition, requests may be found excessive if:
The EDPB points out that controllers are not generally obliged to charge a reasonable fee before refusing to act on a request. However, they are also not completely free to choose between the two alternatives: controllers have to make an adequate decision depending on the specific circumstances of the case.
One further point of interest for large data controllers with many employees is the guidance on communication channels. The guidelines state: ‘If the data subject makes a request using a communication channel provided by the controller, which is different from the one indicated as the preferable one, such request shall be, in general, considered effective and the controller should handle such a request accordingly.’ However, ‘it should be noted that the controller is not obliged to act on a request sent to a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject's rights, if the controller has provided an appropriate communication channel, that can be used by the data subject.’
This could be helpful where a data subject objects to the timeliness of a controller’s handling of their request in circumstances where it has taken time for it to reach the correct team.
The guidelines may yet be updated further to the now-closed consultation. The comments in relation to proportionality, in particular, are likely to cause controllers a degree of difficulty if they remain unchanged, and this was an area that was picked up in the consultation responses.
However, despite this, there are some positives for data controllers to take from the guidelines. In addition, all controllers, even those still in the EU, should note that, while the guidelines provide a detailed steer for data controllers and the courts, they are not legally binding, and a court may choose not to follow them. Data controllers would, however, be advised to bear the guidelines in mind when responding to a DSAR.