Key points from EDPB’s guidelines on the right of access

Arts. 12 and 15 of the EU Data Protection Regulation (EU) 2016/679 (“GDPR“) regulate the right of access (“RoA“). This right consists of three main components: (i) confirmation of whether personal data are processed; (ii) access to the personal data; and (iii) information about the processing itself.

The European Data Protection Board (“EDPB“) adopted, on 18 January 2022, the Guidelines 01/2022 on data subject rights – Right of access (“Guidelines“), to provide more precise guidance on how to implement the RoA on different situations. The Guidelines are available for public consultation until 11 March.

Below, we have summarized those aspects of the Guidelines which have drawn our attention:

  • Controllers cannot condition data subject’s exercise of RoA on the nature of the data subject’s intention behind the request for access. Data subjects are not even required to explain such intention when they make an access request. Therefore, even when the controller suspects that the purposes behind the request might bring negative consequences to him (e.g., where the data subject intends to use the requested data to defend himself in the event of a dismissal or in a commercial dispute with the controller), the controller should not deny access. The above is, of course, without prejudice to the right of controllers to refuse manifestly unfounded or excessive requests (art. 12.5 GDPR).
  • Access requests shall be understood in general terms, encompassing all personal data concerning the data subject (unless the data subject has explicitly limited the request to a subset). However, there might be some situations in which the controller is entitled to ask the data subject to specify the scope of the request. This may be the case where it is not clear from the wording of the request if the data subject wants a copy of all the data or not, or in cases of very large amounts of data if the controller doubts that the data subject is aware of the full extent of the request.
  • The main modality of access is through the obtaining of a copy of the data. Controllers must generally provide the data in a way which allows the data subject to retain and come back to the information. The data subject must be able to download the data in a commonly used electronic form. Formats that are considered not to be appropriate when complying with a data portability request (e.g. pdf files, for not being machine readable) might be suitable under the RoA.

Under some circumstances, access to the data through non-permanent methods might be appropriate – e.g. to satisfy the need of a data subject to verify that the data in certain record are correct, it might be sufficient to give him a glance at the original record.

  • The data controller may provide the information about the processing itself by relying on text of the controller’s privacy notice or on text present in the records of the processing activities (ROPAs). Still, the information must be tailored to the data subject making the request. For example, the information should name the actual recipients of the personal data concerning the data subject, the categories or sources of the processed data, as well as the purposes of the processing concerning the data subject. In addition, controllers should be as specific as possible when it comes to retention periods and avoid informing about rights that are not applicable to the specific data subject.
  • In case the data controller retains only briefly personal data about the data subject – i.e. for a retention period shorter than one month (which is the maximum timeframe to answer a data subject’s access request) – the controller has to respond to the access request before the expiration of that retention period. This is important because, if the data controller responded after it ceased the processing, the data subject would be faced with the permanent impossibility of having access to the relevant information.
  • The time to respond to RoA’s requests might be extended by two further months, due to the complexity and number of the requests. Relevant factors to assess the complexity of a request are: (i) the amount of the data; (ii) how the information is stored (especially, when it is difficult to retrieve the information); (iii) the need to redact information when an exemption applies; and (iv) the information requires further work to be intelligible.

As for the number of requests, the fact that a controller temporarily receives a large amount of requests (e.g. due to an extraordinary publicity regarding their activities), could be regarded as a legitimate reason for prolonging the time of the response.

  • Where controllers provide an appropriate communication channel, they are not obliged to act on requests sent to random or incorrect addresses, not directly provided by the controllers, or to any communication channels that are clearly not intended to receive this type of requests. Nevertheless, the EDPB recommends having mechanisms to improve internal communication between employees on requests received by those who may not be competent to deal with these requests.
  • Requesting a copy of identity documents of those exercising the RoA (to verify his identity) is generally inappropriate, unless it is strictly necessary, suitable, and in line with national laws. This might be the case, for example, for entities processing special categories of data or undertaking data processing which may pose a risk for data subject (e.g. medical or health information).
  • There might be situations in which the data subject would likely be unable to cope with and understand the data made available by the controller: for example, where the personal data are present in raw format, or buried in hundreds of pages of log files indicating the activity of the data subject in certain website. In these cases, controllers should take measures to facility the understanding of the data, for example by using a layered approach, providing an explanatory document translating raw data into a user-friendly form, or similar.
  • Controllers can charge a fee for further copies of the personal data. However, assessing whether the subject-matter of a request is a first or a further copy might be challenging, unless the data subject expressly acknowledges it (e.g. if the data subject states in the request that he lost the original copy, he would be acknowledging that what he is now requesting is a further copy). In other cases, the main factor to consider is the time between the requests, although even a repeated request after a short period of time might be considered as new, independent request. Therefore, data subjects may exercise their RoA through a subsequent request and obtain a free copy, unless the request is regarded as excessive (in relation to “excessiveness”, see further below).

Controllers should indicate in an initial response to the data subject’s access request the amount of the costs that they intend to charge beforehand, so that data subjects can decide whether to keep or withdraw the request. Controllers should deploy their human and material resources efficiently to keep the costs of the copies low – otherwise, the exercise of this fundamental right could be compromised.

  • Controllers can refuse to act on manifestly unfounded or excessive requests.
    • A request is manifestly unfounded if the requirements of Art. 15 GDPR are clearly and obviously not met. However, as there are very few prerequisites that these requests must meet (e.g. the request must refer to personal data of the requester), the scope for concluding that a request is manifestly unfounded is very limited.
    • As for the excessiveness, an important factor to consider is whether the time between the requests has exceeded the threshold of reasonable intervals. The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without the risk of being considered excessive. For example, in the context of social media, personal data change a lot (making less probable that repetitive requests are regarded as excessive). Conversely, repetitive access requests to data pools not subject to a processing other than storage might, more easily, be seen as excessive.

Excessive requests are also those where the only intent of the data subject is causing damage or harm to the controller. Some examples given by the EDPB include: (i) an individual makes a request but at the same time offers to withdraw it in exchange of some benefit; (ii) the request is malicious in intent and is being used to harass the controller or its employees to cause disruption – this conclusion can, for example, be based on the fact that the individual has explicitly stated its intention in the request; or the individually systematically sends different requests to a controller as part of a campaign (e.g. once a week) with the obvious intention and effect of causing disruption.

[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as an instructive guidance for compliance with local regulations.]