On January 18, 2022, the European Data Protection Board (the "EDPB") issued the Guidelines 01/2022 on data subject rights - Right of access (the "Draft Guidelines"), laying out its interpretation of Article 15 GDPR on the right of data subjects to request access to, or copies of, their personal data and information about the processing of the data from the relevant controller. Overall, the EDPB adopts an expansive interpretation of the right of access that potentially increases the burden on controllers when responding to a data subject access request ("DSAR"). The Draft Guidelines are currently in draft form for public consultation, and comments can be submitted to the EDPB until March 11, 2022.
Substance of the Draft Guidelines
Scope of Data Subject Request
The Draft Guidelines provide that a DSAR shall be understood to encompass "all personal data concerning the data subject" unless explicitly limited by the requesting data subject. The Draft Guidelines also direct controllers "to give the broadest effect to the right of access" and to give "complete access to the requested information." These phrases provide an expansive interpretation of the right of access that would likely impose significant obligations on controllers (especially technology companies that process large volumes of data) in responding to DSARs.
The Draft Guidelines clarify that, where a controller processes a large amount of data concerning the requesting data subject such that providing all personal data would create an "overflow of information" that the data subject cannot effectively handle, the controller may request the data subject to specify the scope of the request and identify the specific information or processing related to the request before delivering the information.
The Draft Guidelines also note that in response to a DSAR that requests information about the processing of data, such as the purpose of processing, it may be insufficient for controllers to simply refer to the relevant information framed in general terms in their privacy policies. Instead, in order to comply with Art. 15(1)(a)-(h) GDPR, in certain circumstances, controllers may need to specifically tailor the requested information to each requesting data subject, "unless the tailored information is the same as the general information" in the privacy policies. Depending on the size and nature of the controller, this requirement of tailored information about data processing in response to DSARs would create a significant burden for companies to comply with Art. 15 GDPR.
Communication Channel for DSAR
The Draft Guidelines support the view that, while data subjects do not necessarily have to submit their DSARs through controllers’ preferred channels of communication, controllers are "not obligated to act on a request sent to a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject’s rights." For instance, a controller does not have to respond to requests sent to the email address of a controller’s employee who is not involved in processing DSARs. On the other hand, if the employee deals with data subjects’ affairs on a daily basis, a DSAR sent to that employee should not be deemed random, and the controller should make all reasonable efforts to handle the request.
Disclosure of Data to Data Subjects
The Draft Guidelines provide that controllers should disclose all the information processed about a requesting data subject in response to a DSAR, which means that controllers are obliged to search for all personal data throughout both IT and non-IT filing systems. The Draft Guidelines do not prescribe specific mechanisms through which controllers should disclose requested personal data, although the Draft Guidelines specifically support the use of self-service tools, which many global technology companies use, to allow data subjects to access their personal data.
The Draft Guidelines require that requested information be disclosed to data subjects in a "concise, transparent, intelligible and easily accessible form using clear and plain language." Accordingly, if the personal data provided is complex and difficult to understand (such as raw data or machine-readable code), controllers may need to provide additional information so that it makes sense in a "human readable format." For example, if the requested data is stored in hundreds of pages of log files, controllers may need to take additional measures to facilitate the understanding of the log files in addition to just providing the log files. This obligation is a material extension of Article 15 GDPR (which contains no explicit obligation to "explain" personal data) and may add a significant burden on some controllers.
Limits and Exemptions
The Draft Guidelines recognize three main categories of limits on the right of access, as provided in Art. 15(4) GDPR (where the disclosure of personal data undergoing processing would adversely affect the rights and freedoms of others), Art. 12(5) GDPR (where the requests are manifestly unfounded or excessive), and Art. 23 GDPR (where Member State laws restrict the right of access). The Draft Guidelines note that, besides the limits explicitly provided in the GDPR, "the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subjects request under Art. 15 GDPR." The Draft Guidelines indicate that controllers that are subject to the GDPR cannot limit their searches on the basis of proportionality. This is in contrast to the position taken by some local courts that have considered this issue. See, e.g., Regional Court of Heidelberg, decision of February 21, 2020 – 4 O 6/19.
White & Case Insight
The Draft Guidelines adopt a relatively expansive interpretation of the right of access, particularly the position that the right of access is not restrained by the consideration of proportionality in light of the burden on controllers to provide requested information. The Draft Guidelines, although instructive, are not legally binding. Some of the positions that the EDPB takes in the Draft Guidelines, such as the position on proportionality, appear likely to attract resistance from many controllers. It remains to be seen whether these aspects of the Draft Guidelines will be softened in response to the public consultation.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2022 White & Case LLP