Earlier this year, the European Data Protection Board (EDPB) issued new guidelines on data subject rights.
According to the EDPB, these guidelines aim to analyse the various aspects of the right of access and to provide more precise guidance on how the right of access must be implemented in different situations.
The guidelines remain in draft for now and interested stakeholders were able to submit feedback to the EDPB up until 11 March 2022. This feedback, which can be viewed on the EDPB website, provides an interesting insight into the various concerns and struggles that individuals and organisations have in relation to the regime.
While the guidelines are not binding, when coupled with the ICO’s detailed guidance on subject access, data controllers now have considerable regulatory resources to lean on when considering how to proceed with data subject access requests (DSARs).
At 60 pages, the guidelines are fairly lengthy, and while data controllers might be advised to read them in full, we have compiled edited highlights below.
The guidelines open with an introduction, which attempts to put to bed (again) an issue that case law has already confirmed: namely that individuals do not need to explain why they have made their request, and having a collateral purpose is not a reason not to comply with a DSAR. The introduction states: ‘The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data […] However, the data subject does not have to give reasons for the access request and it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing or exercise other rights.’
The EDPB has taken a fairly expansive view of what information will fall within the scope of a DSAR, noting: ‘The right of access refers to personal data concerning the person making the request. This should not be interpreted overly restrictively...’ and that ‘the GDPR allows for certain limitations of the right of access. There are no further exemptions or derogations. The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject's request.’ (Author’s emphasis)
The comments on proportionality will provide ammunition to committed requestors and cause concern to data controllers, and are not clearly in line with all case law across the EU. See, for example, the Court of Appeal’s decision in the case of Ittihadieh. Controllers will need to take a view on the extent to which the specifics of a particular case might justify a more limited approach than that envisaged by the EDPB. Does this equate to no stone being left unturned?
Third party information
One of the statutory exemptions set out in the GDPR relates to third party information. It is clear that the right to receive information under a DSAR should not adversely affect the rights and freedoms of others. However, it is also clear that it is for the controller to ‘demonstrate that the rights or freedoms of others would be adversely affected “in the concrete situation”’, and that this ‘should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others.’ Ultimately this will require controllers to conduct a balancing exercise.
A couple of interesting points in relation to ‘rights and freedoms’ come out of the guidelines:
- that ‘rights and freedoms’ includes certain economic rights - trade secrets or intellectual property - and that they include ‘any other person or entity apart from the data subject who is exercising their right of access. Hence, the rights and freedoms of the controller or processor (trade secrets and intellectual property for example) might come into consideration’; and
- in relation to expansive and difficult DSARs in an employment context, that ‘the right to confidentiality of correspondence has to be taken into account, for example with regard to private e-Mail-correspondence in the employment context.’
However, while these statements can certainly be interpreted in a data-controller friendly way, ‘it is important to note that not every interest amounts to ‘rights and freedoms’ […] For example, economical interests of a company not to disclose personal data are not to be taken into account… as they are not trade secrets, intellectual property or other protected rights.’
The application of these principles will also need to be considered carefully depending on the particular facts of each request.
Excessive or unreasonable?
Outside of information relating to others, controllers can reject requests that are manifestly unfounded or excessive, or charge a reasonable fee for such requests.
The EDPB guidelines are clear that these concepts have to be interpreted narrowly and that it will be for the controller to demonstrate the manifestly unfounded or excessive character of a request.
Scale alone is not going to cut it in terms of relying on these exemptions: ‘The fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject cannot on its own render a request excessive.’
History is also not necessarily to be taken into account: ‘A controller should not presume that a request is manifestly unfounded because the data subject has previously submitted requests which have been manifestly unfounded or excessive or if it includes unobjective or improper language.’
The guidelines specify that ‘a request should not be regarded as excessive on the ground that:
- no reasons are given by the data subject for the request or the controller regards the request as meaningless;
- improper or impolite language is used by the data subject;
- the data subject intends to use the data to file further claims against the controller.’
However, an overlapping request can generally be regarded as excessive, if and insofar as it covers exactly the same information or processing activities, and the previous request has not yet been complied with by the controller. In addition, requests may be found excessive if:
- ‘an individual makes a request, but at the same time offers to withdraw it in return for some form of benefit from the controller; or
- the request is malicious in intent and is being used to harass a controller or its employees with no other purposes than to cause disruption, for example based on the fact that the individual has explicitly stated, in the request itself or in other communications, that it intends to cause disruption and nothing else; or
- the individual systematically sends different requests to a controller as part of a campaign, e.g. once a week, with the intention and the effect of causing disruption.’
The EDPB points out that controllers are not generally obliged to charge a reasonable fee before refusing to act on a request. However, they also aren't completely free to choose between the two alternatives! Controllers have to make an adequate decision depending on the specific circumstances of the case.
Channel for requests
One further point of interest for large data controllers with many employees is the guidance on communication channels. The guidelines state: ‘If the data subject makes a request using a communication channel provided by the controller, which is different from the one indicated as the preferable one, such request shall be, in general, considered effective and the controller should handle such a request accordingly.’ However, ‘it should be noted that the controller is not obliged to act on a request sent to a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject's rights, if the controller has provided an appropriate communication channel, that can be used by the data subject.’
This could be helpful where a data subject objects to the timeliness of a controller’s handling of their request in circumstances where it has taken time for it to reach the correct team.
The guidelines may yet be updated following the now-closed consultation. The comments in relation to proportionality, in particular, are likely to cause controllers a degree of difficulty if they remain unchanged, and this was an area that was picked up in the consultation responses.
However, despite this, there are some positives for data controllers to take from the guidelines. In addition, all controllers, even those still in the EU, should note that, while the guidelines provide a detailed steer for data controllers and the courts, they are not legally binding, and a court may choose not to follow them. Data controllers would, however, be advised to bear the guidelines in mind when responding to a DSAR.