Treść wytycznych

Version 1.0 Adopted on 18 January 2022

Adopted – version for public consultation

EXECUTIVE SUMMARY

The right of access of data subjects is enshrined in Arti. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

Aim and overall structure of the right of access

The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification.

The right of access according to data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice.

However, the data subject does not have to give reasons for the access request and it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing or exercise other rights. The controller will have to deal with the request unless it is clear that the request is made under other rules than data protection rules.

The right of access includes three different components:

• Confirmation as to whether data about the person is processed or not,
• Access to this personal data and
• Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.

General considerations on the assessment of the data subject’s request

When analysing the content of the request, the controller must assess whether the request concerns personal data of the individual making the request, whether the request falls within the scope of Art. 15 and whether there are other, more specific, provisions that regulate access in a certain sector. It must also assess whether the request refers to all or only parts of the data processed about the data subject.

There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject. However, the data subject is not required to use these specific channels and may instead send the request to an official contact point of the controller. The controller is not obliged to act on requests that are sent to completely random, or apparently incorrect, addresses.

Where the controller is not able to identify data that refers to the data subject, it shall inform the data subject about this and may refuse to give access unless the data subject provides additional information that enables identification. Further more, if the controller has doubts about whether the data subject is who they claim to be, the controller must request additional information in order to confirm the identity of the data subject. The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.

Scope of the right of access

The scope of the right of access is determined by the scope of the concept of personal data as defined in Art. 4(1) GDPR. Aside from basic personal data like name, address, phone number etc. a broad variety of data may fall within this definition like medical findings, history of purchases, creditworthiness indicators, activity logs, search activities etc. Personal data which have undergone pseudonymisation are still personal data as opposed to anonymised data. The right of access refers to personal data concerning the person making the request. This should not be interpreted overly restrictively and may include data that could concern other persons too, for example communication history involving incoming and outgoing messages.

In addition to providing access to the personal data, the controller has to provide additional information about the processing and on data subjects’ rights. Such information can be based on what is already compiled in the controller’s record of processing activities (Art. 30) and the privacy notice (Art. 13 and 14). However, this general information may have to be updated to the time of the request or tailored to reflect the processing operations that are carried out in relation to the specific person making the request.

How to provide access

The ways to provide access may vary depending on the amount of data and the complexity of the processing that is carried out. Unless explicitly stated otherwise, the request should be understood as referring to all personal data concerning the data subject and the controller may ask the data subject to specify the request if they process a large amount of data.

The controller will have to search for personal data throughout all IT systems and non-IT filing systems based on search criteria that mirrors the way in which the information is structured, for example name and customer number. The communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The more precise requirements in this regard depend on the circumstances of the data processing as well as the data subject’s ability to grasp and comprehend the communication (for example taking into account that the data subject is a child or a person with special needs). If the data consists of codes or other “raw data”, these may have to be explained in order to make sense to the data subject.

The main modality for providing access is to provide the data subject with a copy of their data but other modalities (such as oral information and on site access) can be foreseen if the data subject requests it. The data can be sent by e-mail, provided that all necessary safeguards are applied taken into consideration, for example, the nature of the data, or in other ways, for example a self-service tool.

Sometimes, when the amount of data is very vast and it would be difficult for the data subject to comprehend the information if given all in one bulk – especially in the online context – the most appropriate measure could be a layered approach. Providing information in different layers may facilitate the data subject’s understanding of the data. The controller must be able to demonstrate that the layered approach has an added value for the data subject and all layers should be provided at the same time if the data subject requests it.

The copy of the data and the additional information should be provided in a permanent form such as written text, which could be in a commonly used electronic form, so that the data subject can easily download it. The data can be given in a transcript or a compiled form as long as all the information is included and this does not alter or change the content of the information.

The request must be fulfilled as soon as possible and in any event within one month of receipt of the request. This can be extended by two further months where necessary, taking into account the complexity and number of the request. The data subject then has to be informed about the reason for the delay. The controller must implement necessary measures to deal with requests as soon as possible and adapt these measures to the circumstances of the processing. Where data is stored only for a very short period, there must be measures to guarantee that a request for access can be fulfilled without the data being erased while the request is being dealt with. Where a large amount of data is processed, the controller will have to put in place routines and mechanisms that are adapted to the complexity of the processing.

The assessment of the request should reflect the situation at the moment when the request was received by the controller. Even data that may be incorrect or unlawfully processed will have to be provided. Data that has already been deleted, for example in accordance with a retention policy, and therefore is no longer available to the controller does not have to be provided.

Limits and restrictions

The GDPR allows for certain limitations of the right of access. There are no further exemptions or derogations. The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject ́s request.

According to Art. 15(4) the right to obtain a copy shall not adversely affect the rights and freedoms of others. The EDPB is of the opinion that these rights must be taken into consideration not only when granting access by providing a copy, but also, if access to data is provided by other means (on-site access for example). Art. 15(4) is not, however, applicable to the additional information on the processing as stated in Art. 15(1) lit. a.-h. The controller must be able to demonstrate that the rights or freedoms of others would be adversely affected in the concrete situation. Applying Art. 15(4) should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others.

Art. 12(5) allows controllers to reject requests that are manifestly unfounded or excessive, or to charge a reasonable fee for such requests. These concepts have to be interpreted narrowly. Since there are very few prerequisites regarding access requests, the scope of considering a request as manifestly unfounded is rather limited. Excessive requests depend on the specifics of the sector in which the controller operates. The more often changes occur in the controller’s data base, the more often the data subject may be permitted to request access without it being excessive. Instead of refusing access, the controller may decide to charge a fee from the data subject. This would only be relevant in the case of excessive requests in order to cover the administrative costs that such requests may cause. The controller must be able to demonstrate the manifestly unfounded or excessive character of a request.

Restrictions of the right of access may also exist in Member States’ national law as per Art. 23 GDPR and the derogations therein. Controllers who intend to rely on such restrictions must carefully check the requirements of the national provisions and take note of any specific conditions that may apply. Such conditions may be that the right of access is only temporarily delayed or that the restriction only applies to certain categories of data.

The European Data Protection Board

Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 20181,

Having regard to Article 12 and Article 22 of its Rules of Procedure,

Whereas the preparatory work of these guidelines involved the collection of inputs from stakeholders, both in writing and at a dedicated stakeholders event on data subject rights, in order to identify the challenges and interpretation issues faced in the application of the relevant provisions of the GDPR;

HAS ADOPTED THE FOLLOWING GUIDELINES

1 INTRODUCTION – GENERAL OBSERVATIONS

In today ́s society, personal data are processed by public and private entities, during many activities, for a wide array of purposes and in many different ways. Individuals may often be in a disadvantaged position in terms of understanding how their personal data are processed, including the technology used in the particular case, whether it is by a private or a public entity. In order to protect personal data of natural persons in these situations, the GDPR has created a coherent and robust legal framework, generally applicable with regard to different types of processing, including specific provisions relating to data subject rights.

The right of access to personal data is one of the data subject rights provided for in Chapter III of the GDPR among other rights, such as for instance the right to rectification and erasure, the right to restriction of processing, the right to portability, the right to object or the right of not being subject to automated individual decision making, including profiling2. The right of access by the data subject is enshrined both in the Charter of Fundamental Rights of the EU (the Charter)3 and in Art. 15 GDPR, where it is precisely formulated as the right of access to personal data and to other related information.

Under the GDPR, the right of access consists of three components i.e. confirmation of whether or not personal data are processed, access to it, and information about the processing itself. The data subject can also obtain a copy of the processed personal data, whereas this possibility is not an additional data subject right but the modality of providing access to the data. Thus, the right of access can be understood both as the possibility of the data subject to ask the controller if personal data about him or her are processed and as the possibility to access and to verify these data. The controller shall1 Referencesto“MemberStates”madethroughoutthisdocumentshouldbeunderstoodasreferencesto“EEA Member States”.
The exercise of the right of access is realised both in the framework of data protection law, in accordance with the objectives of data protection law, and more specifically, in the framework of “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”, as put forward by Art. 1(2) GDPR. The right of access is an important element of the whole system.

The practical aim of the right of access is to enable the natural persons to have the control over their own personal data. In order to realise this goal effectively in practice, the GDPR is aiming to facilitate this exercise by number of guarantees enabling the data subject to exercise this right easily, without unnecessary constraints, at reasonable intervals and without excessive delay or expense. All this should lead to more effective enforcement of the right of access by data subject in the digital age.

With regards to the development of the right of access, as part of the data protection legal framework, it should be stressed that it has been an element of the European data protection system from its beginning. In comparison with Directive 95/46/EC, the standard of the data subject rights set out in the GDPR has been both refined and strengthened; this also applies to the right of access. As the modalities of the right of access are now specified more precisely, it is also more instructive fr om the point of legal certainty for both the data subject and the controller. Besides, the specific wording of Art. 15, and the precise deadline for the provision of data under Art. 12(3) GDPR, obliges the controller to be prepared for data subject inquiries by developing procedures for handling requests.

The right of access should not be seen in isolation as it is closely linked with other provisions of the GDPR, in particular with data protection principles including the fairness and lawfulness of processing, the controller ́s transparency obligation and with other data subject rights provided for in Chapter III of the GDPR.

In the framework of data subject rights, it is also important to stress the significance of Art.12 GDPR which lays down requirements for appropriate measures adopted by the controller in providing the information referred to in Art. 13 and 14 GDPR and the communications referred to in Art. 15-22 and 34 GDPR; these requirements generally specify the form, manner and time limit for the responses to the data subject, and in particular for any information addressed to the child.

The EDPB considers it necessary to provide more precise guidance on how the right of access has to be implemented in different situations. These guidelines aim at analysing the various aspects of the right of access. More particularly, the section hereafter is meant to give a general overview and explanation of the content of the Art. itself whereas the subsequent sections provide deeper analysis of the most frequent practical questions and issues concerning the implementation of the right of access.

2 AIM OF THE RIGHT OF ACCESS, STRUCTURE OF ARTICLE 15 GDPR AND GENERAL PRINCIPLES

2.1 Aim of the right of access

The right of access is thus designed to enable natural persons to have control over personal data relating to them in that it allows them, “to be aware of, and verify, the lawfulness of the processing”4. More specifically, the purpose of the right of access is to make it possible for the data subject to understand how their personal data is being processed as well as the consequences of such processing, and to verify the accuracy of the data processed without having to justify their intention. In other words, the purpose of the right of access is to provide the individual with sufficient, transparent and easily accessible information about data processing, regardless of the technologies used, and to enable them to verify different aspects of a particular processing activity under the GDPR (e.g. lawfulness, accuracy).

The interpretation of the GDPR provided in these guidelines is based on the CJEU case law which has been rendered so far. Taking into account the importance of the right of access, related case law can be expected to evolve significantly in future.

In accordance with CJEU decisions5, the right of access serves the purpose of guaranteeing the protection of the data subjects’ right to privacy and data protection with regard to the processing of data relating to them 6 and may facilitate the exercise of their rights flowing from, for example, Art. 16 to 19, 21 to 22 and 82 GDPR. However, the exercise of the right of access is an individual’s right and not conditional upon the exercise of those other rights and the exercise of the other rights does not depend on the exercise of the right of access.

Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller7.Example: An individual was dismissed by their employer. One week later, the individual decides to collect evidence to file an unfair dismissal lawsuit against their former employer. With that in mind, they write to the former employer requesting access to all personal data relating to them, as data subject, that the former employer, as controller, processes.The controller shall not assess the intention of the data subject, and the data subject does not need toprovide the controller with the reason for their request. Therefore, if the request fulfils all other
requirements (see section 2), the controller needs to comply with the request, unless the request proves to be manifestly unfounded or excessive in accordance with art. 12 (5) of the GDPR (see section 6.3), which the controller is required to demonstrate.

Variation 1: The data subject exercises the right of access with regard to the personal data relating to them during the course of the lawsuit. However, the national law of the Member State, which governs the employment relation between the controller and the data subject, contains certain provisions that limit the scope of information to be provided to or exchanged between parties to ongoing or prospective legal proceedings, which are applicable to the unfair dismissal lawsuit that the data subject filed. In this context and provided that, these national provisions comply with the requirements posed by Art. 23 GDPR8, the data subject is not entitled to receive more information from the controller than is prescribed by the national law provisions of the Member State governing the information exchange between parties to legal disputes.

Although the aim of the right of access is broad, the CJEU illustrated also the limits of the remit of data protection law and the right of access. For instance, the CJEU found that the objective of the right of access guaranteed by EU data protection law is to be distinguished from that of the right of access to public documents established by EU and national legislation, the latter aiming at, “the greatest possible transparency of the decision-making process of the public authorities and to promote good administrative practices”9, an objective not sought by data protection law. The CJEU concluded that the right of access to personal data applies irrespective of whether a different kind of right of access with a different aim applies, such as in the context of an examination procedure.

2.2 Structure of Article 15 GDPR

In order to reply to a request for access and to ensure that none of its aspects might be disregarded, it is necessary first to understand the structure of Art. 15 and the constituent components of the right of access stipulated in this Article.

Art. 15 can be broken down into eight different elements as listed in the table below:

Confirmation as to whether or not the controller is processing personal data concerning the requesting person – art. 15(1), first half of the sentence

Access to the personal data concerning the requesting person – art. 15(1), second half of the sentence (first part)

Access to the following information on the processing:
(a) the purposes of the processing;
(b) the categories of personal data;
(c) the recipients or categories of recipients;
(d) the envisaged duration of the processing or the criteria
for determining the duration;
(e) the existence of the rights to rectification, erasure,
restriction of processing and objection to processing;
(f) the right to lodge a complaint with a supervisory
authority;

(g) any available information on the source of the data, if not collected from the data subject;
(h) the existence of automated decision-making, including profiling and other information relating thereto

 

Information on safeguards pursuant to Art. 46 where the
personal data are transferred to a third country or to an
international organisation – art. 15 ust. 2

The obligation of the controller to provide a copy of the personal data undergoing processing – Art. 15(3), first sentence

Charging of a reasonable fee by the controller based on administrative costs for any further copies requested by the data subject – art.15(3), second sentence

Provision of information in electronic form – art. 15(3), third sentence

Taking into account the rights and freedoms of others -Art. 15(4)

While all elements of Art. 15(1) and (2) together define the content of the right of access, Art.15(3) deals with the modalities of access, in addition to the general requirements set out in Art . 12. Art. 15(4) supplements the limits and restrictions that Art. 12(5) provides for all data subjects rights with a specific focus on rights and freedoms of others in the context of access.

2.2.1 Defining the content of the right of access

Art. 15(1) and (2) contain the following three aspects: first, the confirmation whether personal data of the requesting person are being processed, if yes, second, access to those data, and, third, information on the processing. They can be regarded as three different components which together build the right of access.

2.2.1.1 Confirmation as to ‘whether’ or not personal data are being processed

When making a request for access to personal data, the first thing that the data subjects need to know is whether or not the controller processes data concerning them. Consequently, this information constitutes the first component of the right of access under Art. 15(1). Where the controller does not process personal data relating to the data subject requesting the access, the information to be provided would be limited to confirming that no personal data relating to the data subject are being processed. Where the controller does process data relating to the data subject, the controller must confirm this fact to the data subject. This confirmation may be communicated separately, or it may be encompassed as part of the information on the personal data being processed (see below).

2.2.1.2 Access to the personal data being processed

Access to personal data is the second component of the right of access under Art. 15(1) and it constitutes the core of this right. It relates to the notion of personal data as defined by Art . 4(1) GDPR. Aside from basic personal data like name and address, an unlimited variety of data may fall within this definition, provided that they fall under the material scope of the GDPR, notably with regards to the way in which there are processed (Art. 2 GDPR). Access to personal data hereby means access to the actual personal data themselves, not only a general description of the data nor a mere reference to the categories of personal data processed by the controller. If no limits or restrictions apply10, data subjects are entitled to have access to all data processed relating to them, or to parts of the data, depending on the scope of the request (see para. 35). The obligation to provide access to the data does not depend on the type or source of those data. It applies to its full extent even in cases where the requesting person had initially provided the controller with the data, because its aim is to let the data subject know about the actual processing of those data by the controller. The scope of personal data under Art. 15 is explained in detail in sec. 4.1 and 4.2.

2.2.1.3 Information on the processing and on data subject rights

The third component of the right of access is the information on the processing and on data subject rights that the controller has to provide under Art. 15(1)(a) to (h) and 15(2). Such information could be based on text taken, for example, from the privacy notice of the controller11 or from the controller’s record of processing activities referred to in Art. 30 GDPR, but may have to be updated and tailored to the data subject making the request. The content and degree of specification of the information is further elaborated in section 4.3.

2.2.2 Provisions on Modalities

Art. 15(3) supplements the requirements for the modalities of the reply to access requests laid down in Art.12 GDPR by some specifications in context of access requests.

2.2.2.1 Providing a copy

Under the first sentence of Art. 15(3) GDPR, the controller shall provide a free copy of the personal data which the processing relates to. The copy therefore refers only to the second component of the right of access («access to the personal data processed», see above). The controller must ensure that the first copy is free of charge, even where it considers the cost of reproduction to be hig h (example: the cost of providing a copy of the recording of a telephone conversation).

The obligation to provide a copy is not to be understood as an additional right of the data subject, but as modality of providing access to the data. It strengthens the right of access to the data12 and helps to interpret this right because it makes clear, that access to the data under Art. 15(1) comprises complete information on all data and cannot be understood as granting only a summary of the data. At the same time, the obligation to provide a copy is not designed to widen the scope of the right of access: it refers (only) to a copy of the personal data undergoing processing, not necessarily to a reproduction of the original documents (see section 5, para. 150). More generally speaking, there is no additional information to be given to the data subject upon providing a copy: the scope of the information to be contained in the copy is the scope of the access to the data under 15(1) (second component of the right of access as referred to above, see para. 19).

In light of the above, if access to the data in the sense of Art. 15(1) is given by providing a copy, the obligation to provide a copy mentioned under 15(3) is complied with. The obligation to provide a copy serves the objectives of the right of access to allow the data subject to be aware of, and verify the lawfulness of the processing (Recital 63). To achieve these objectives, the data subject will in most cases need to see the information not only temporarily. Therefore, the data subject will need to get access to the information by receiving a copy of the personal data.

In view of the above, the notion of a copy has to be interpreted in a broad sense and includes the different kinds of access to personal data as long as it is complete (i.e. it includes all personal data requested) and possible for the data subject to keep. Thus, the requirement to provide a copy means, that the information on the personal data concerning the person who makes the r equest is provided to the data subject in a way which allows the data subject to retain all of the information and to come back to it.

In spite of this broad understanding of a copy, and regarding that it is the main modality by which access should be provided, under some circumstances other modalities could be appropriate. Further explanations on copies and other modalities of providing access are given in section 5, in particular 5.2.2 and 5.2.5.

2.2.2.2 Providing further copies

Art. 15(3), second sentence concerns situations where the data subject asks the controller for more than one copy, for example in case the first copy was lost or damaged or the data subject wants to pass on a copy to another person or a Supervisory Authority. On the basis that further copies must be provided by the controller upon request of the data subject, Art . 15 (3) rules, that for any further copy requested, the controller may charge a reasonable fee based on administrative costs (Art. 15 (3) sentence 2).

If the data subject asks for an additional copy after the first request was made, questions may arise on whether this should be regarded as a new request, or whether the data subject wants an additional copy of the data in the sense of Art. 15(3)(2), in which case a fee for an a dditional copy may be charged. The response to these questions depends solely on the content of the request: the request should be interpreted as asking for an additional copy, insofar as, in terms of time and scope, it concerns the same personal data set as the former request. If, however, the data subject aims to get information on the data processed at a different point in time or relating to a different range of data from the one initially requested, the right to obtain a free copy according to Art . 15(3), applies once again. This also is valid in cases where the data subject has made a first request shortly beforehand. A data subject may exercise its right of access through a subsequent request and obtain a free copy, unless the request is regarded as excessive under Art. 12(5) with the possibility of charging a reasonable fee in accordance with Art. 12(5)(a) (on excessive character of repetitive requests, see section 6).

Example: A customer submits an access request to a trading company. One year after the reply of the company, the same customer makes a request for access under Art. 15 to the same company. Irrespective of whether there have been new business transactions or other contacts between the parties since the previous request, this second request is to be regarded as a new request. Even if no change in the data processing by the company occurred– which is not necessarily apparent to the data subject – the data subject has the right to get a free copy of the data.

Variation 1: Even if the customer in the above cases places the new request for example only one week after the first request, this may, if it is not to be interpreted as a mere reminder of the first request, well be regarded as a new request under Art. 15(3), first sentence. Regarding the short interval and depending on the specific circumstances of the new request, its excessiveness according to Art. 12(5) is at issue (see section 6).

Variation 2: The request for a “new copy” of the information that had already been given in form of a copy in response to a previous request, for example in case that the customer lost the copy previously received, should, as a matter of course, be regarded as a request for an additional copy as it refers to the previous request in scope and time of the processing.

If the data subject repeats a first request for access on the grounds that the answer received was not complete or that no reasons had been given for the refusal, this request is not to be regarded as a new request, since it is merely a reminder of a first unsatisfied request.

Concerning the allocation of costs in cases of requests for an additional copy, Art. 15(3) establishes that the controller may charge a reasonable fee based on the administrative costs that are caused by the request. This means, that the administrative costs are a relevant criterion for fixing the level of the fee. At the same time, the fee should be appropriate, taking into account the importance of the right of access as a fundamental right of the data subject. The controller should not pass on overhead costs or other general expenses to the data subject, but should focus on the specific costs that where caused by providing the additional copy. When organising this process the controller should deploy its human and material resources efficiently in order to keep the costs of the copy low. In line with the accountability principle the controller should be able to demonstrate the adequacy of the fee.

In case the controller decides to charge a fee, the controller should indicate the amount of costs it is planning to charge to the data subject in order to give the data subject the possibility to determine whether to maintain or to withdraw the request.

2.2.2.3 Making the information available in a commonly used electronic form

In the event of a request by electronic form means, information shall be provided by electronic means where possible and unless otherwise requested by the data subject (see Art. 12(3)). Art. 15(3), third sentence, complements this requirement in the context of access requests by stating, that the controller is in addition obliged to provide the answer in a commonly used electronic form, unless otherwise requested by the data subject. Art. 15(3) presupposes, that for controllers who are able to receive electronic requests it will be possible to provide the reply to the request in a commonly used electronic form (e.g. in PDF). This provision refers to all the information that needs to be provided in accordance with Art. 15(1) and (2). Therefore, if the data subject submits the request for access by electronic means, all information must be provided in a commonly used electronic form. Questions of format are further developed in section 5. The controller should, as always, deploy appropriate security measures, in particular when dealing with special category of personal data (see below, under 2.3.4 ).

2.2.3 Possible limitation of the right of access

Finally, in context of the right of access, a specific limitation is foreseen in Art. 15 (4). It states, that possible adverse effects on the rights and freedoms of others have to be considered. Questions as to the scope and the consequences of this limitation as well as to additional limits and restrictions set forth in Art. 12(5) or under Art. 23 GDPR are explained in section 6.

2.3 General principles of the right of access

When data subjects make a request for access to their data, in principle, the information referred to in Art. 15 GDPR must always be provided in full. Accordingly, where the controller processes data relating to the data subject, the controller shall provide all the information referred to in Art. 15 (1) and, where applicable, the information referred to in Art. 15(2). The information must be complete, correct and up-to-date, corresponding as close as possible to the state of data processing at the time of receiving the request. Where two or more controllers process data jointly, the arrangement of the joint controllers regarding their respective responsibilities with regards to the exercise of data subject’s rights, especially concerning the answer to access requests, does not affect the rights of the data subjects towards the controller to whom they address their request13.

2.3.1 Completeness of the information

Data subjects have the right to obtain, with the exceptions mentioned below, full disclosure of all data relating to them (for details on the scope, see section 4, para.

Unless explicitly requested otherwise by the data subject, a request to exercise the right of access shall be understood in general terms, encompassing all personal data concerning the data subject. Limiting access to part of the information may be considered in the following cases:

a)  The data subject has explicitly limited the request to a subset. In order to avoid providing incomplete information, the controller may consider this limitation of the data subject’s request only if it can be certain that this interpretation corresponds to the wish of the data subject (for further details, see section 3.1.1, para. 51). In principle, the data subject shall not have to repeat the request for the transmission of all the data the data subject is entitled to obtain.

b)  In situations where the controller processes a large amount of data concerning the data subject, the controller may have doubts if a request of access, that is expressed in very general terms, really aims at receiving information on all kind of data being processed or on all branches of activity of the controller in detail. These may arise in situations, where there was no possibility to provide the data subject with tools to specify their request from the beginning or where the data subject did not make use of them. The controller then faces problems of how to give a full answer while simultaneously avoiding the creation of an overflow of information for the data subject that the data subject is not interested in and cannot effectively handle. There may be ways to solve this problem, depending on the circumstances and the technical possibilities, for example by providing self-service tools in online contexts (see section 5 on the layered approach). If such solutions are not applicable, a controller who processes a large quantity of information relating to the data subject may request the data subject to specify the information or processing to which the request relates before the information is delivered (see Recital 63 GDPR). This exceptional situation may exist for example in case of a company with several fields of activity or a public authority with different administrative units, if the cont roller found that numerous data relating to the data subject are processed in those branches as well as in cases where the controller has been collecting data upon frequent activities of the data subject for years.

Example 2: A big insurance company receives a general access request by letter from a person who has been a customer for many years. Even though deletion periods are fully respected, the company actually processes a vast amount of data concerning the customer, because processing is still necessary to fulfil contractual obligations arising from the contractual relationship with the customer (including for example continuing obligations, communication on controversial issues with the customer and with third parties, …) or to comply with legal obligations (archived data that have to be stored for tax purposes, etc.). The insurance company may have doubts as to whether the request, that was made in very general terms, is really intended to encompass all kinds of those data. This may be especially problematic if the insurance company only has a postal address of the data subject and therefore has to send any information on paper. However, the same doubts may be relevant also when providing the information by other means.

If, in such cases, the controller decides to ask the data subject to specify the request, in order to fulfil its obligation to facilitate the exercise of the right of access (Art . 12(2) GDPR) the controller shall at the same time give meaningful information about all the processing operations concerning the data subject, like different branches of its activities, different databases etc.

It is important to underline that the request for specification shall not aim at a limitation of the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller of course has to provide it in full.

In any case, the controller should always be able to demonstrate, that the way to handle t he request aims to give the broadest effect to the right of access and that it is in line with its obligation to facilitate the exercise of data subjects rights (Art. 12(2) GDPR). Subject to these principles, the controller may await the answer of the data subject before providing additional data according to the data subject’s wish, if the controller has provided the data subject with a clear overview of all processing operations that concern the data subject, including especially those that the data subject might not have expected, if the controller has also given access to all data that the data subject clearly aimed for, and if, furthermore, this information has been combined with clear indication of how to get access to the remaining parts of the processed data.

c) Exceptions or restrictions to the right of access apply (see below in section 6). In such cases, the controller must carefully check to which parts of the information the exception relates to and provide all information that is not excluded by the exception. For example, confirmation of the processing of personal data itself (component 1) will mostly not be affected by the exception. As a result, information has to be provided about all the personal data and all the information referred to in Art . 15(1) and (2) that are not concerned by the exception or the restriction.

2.3.2 Correctness of the information

The information included in the copy of the personal data given to the data subject has to comprise the actual information or personal data held about the data subject. This includes the obligation to give information about data that are inaccurate or about data processing which is not or no longer lawful. The data subject may for example use the right of access to find out about the source of inaccurate data being circulated between different controllers. If the controller corrected inaccurate data before informing the data subject about it, the data subject would be deprived of this possibility. The same applies in case of unlawful processing. The possibility to know about unlawful processing concerning the data subject is one of the main purposes of the right of access. The obligation to inform about the unchanged state of processing is without prejudice to the obligation of the controller to end unlawful processing or to correct inaccurate data. Questions about the order in which those obligations should be fulfilled, are answered in the following.

2.3.3 Time reference point of the assessment

The assessment of the data being processed shall reflect as close as possible the situation when the controller receives the request and the response should cover all data available at that point in time. This means that the controller has to try to find out about all the data processing activities relating to the data subject without undue delay. Controllers are thus not required to provide personal data, which they processed in the past but which they no longer have at their disposal15. For instance, the controller may have deleted personal data in accordance with its data retention policy and/or statutory provisions and may thus no longer be able to provide the requested personal data. In this context, it should be recalled that the length of time for which the data are stored should be fixed in accordance with Art. 5(1)(e) GDPR, as any retention of data must be objectively justifiable.

At the same time, the controller shall implement the necessary measures to facilitate the exercise of the right of access and to deal with such requests as soon as possible and before the data will have to be deleted. In the case of shorter retention periods than the timeframe to answer imposed by Art. 12(3) GDPR, the timing to answer the request should be adapted to the appropriate retention period in order to facilitate the exercise of the right of access and to avoid the permanent impossibility of providing access to the data processed at the moment of the request. In this respect, for example, the request for the right of access to personal data collected before entering a building for security purposes must be dealt with promptly before the personal data are erased.

Furthermore, the controller shall not deliberately escape the obligation to provide the requested personal data by erasing or modifying personal data in response to a request for access (see 2.3.2). If, in the course of processing the access request, the controller discovers inaccurate data or unlawful processing, the controller has to assess the state of the processing and to inform the data subject accordingly before complying with its other obligations. In its own interest, to avoid the need of further communication on this as well as to be compliant with the transparency principle, the controller should add information about the subsequent rectifications or deletions.

Example: On the occasion of replying to an access request a controller realises, that an application of the data subject for a vacancy in the company of the controller has been stored beyond the retention period. In this case the controller cannot delete first and then reply to the data subject that no data (concerning the application) is processed. It has to give access first and delete the data afterwards. In order to prevent a subsequent request for erasure it would then be recommended to add information about the fact and time of the deletion.

In order to comply with the principle of transparency, controllers should infom the data subject as of the specific point in time of the processing to which the response of the controller refers. In some cases, for example in contexts of frequent communication activities, additional processing or modifications of the data may occur between this time reference point, at which the processing was assessed, and the response of the controller. If the controller is aware of such changes, it is recommended to include information about those changes as well as information about additional processing necessary to reply to the request.

2.3.4 Compliance with data security requirements

Since communicating and making available personal data to the data subject is a processing operation, the controller is always obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing (see Art. 5 (f), 24 and 32 GDPR). This applies independently of the modality in which access is provided. In case of non-electronic transmission of the data to the data subject, depending on the risks that are presented by the processing, the controller may consider using registered mail or, alternatively, to offer, but not oblige, the data subject to collect the file against signature directly from one of the controller’s establishments. If, in line with Art. 12(1) and (3), information is provided by electronic means, the controller shall choose electronic means that comply with data security requirements. Also in case of providing a copy of the data in a commonly used electronic form (see Art 15(3)), the controller shall take into account data security requirements when choosing the means of how to transmit the electronic file to the data subject. This may include applying encryption, password protection etc.. In order to facilitate access to the encrypted data, the controller should also ensure that appropriate information is made available so that the data subject can access the requested information in clear. In cases where data security requirements would necessitate end-to-end encryption of electronic mails but the controller would only be able to send a normal e-mail, the controller will have to use other means, such as sending a USB-stick by (registered) letter post to the data subject.

3 GENERAL CONSIDERATIONS REGARDING THE ASSESSMENT OF ACCESS REQUESTS

3.1 Introduction

When receiving requests for access to personal data, the controller must assess each request individually. The controller shall take into consideration, inter alia, the following issues, further developed in the following paragraphs: whether the request concerns personal data linked to the requesting person and who the requesting person is. This section aims to clarify what elements of the request for access the controller should take into account when carrying out its assessment and to discuss possible scenarios for such an assessment as well as its consequences. The controller, when assessing a request for access to personal data, shall also take into account, pursuant to Art . 12(2), the obligation to facilitate the exercise of the data subject rights, while keeping in mind the appropriate security of the personal data.

Therefore, the controllers should be proactively ready to handle the requests for access to personal data. This means that the controller should be prepared to receive the request, assess it properly (this assessment is the subject of this section of the guidelines) and provide an appropriate reply withoutundue delay to the requesting person. The way the controllers will prepare themselves for the exercise of access requests should be adequate and proportionate and depend on the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, in accordance with Art. 24 GDPR. Depending on the particular circumstances, the controllers may for example in some cases be required to implement an appropriate procedure, the implementation of which should guarantee the security of the data without hindering the exercise of the data subject ’s rights.

3.1.1 Analysis of the content of the request

This issue can be more specifically assessed by asking the following questions.

a) Does the request concern personal data?

Under the GDPR, the scope of the request shall only cover personal data. Therefore, any request for information about other issues, including general information about the controller, its business models or its processing activities not related to personal data, is not to be considered as a request made pursuant to Art. 15 GDPR. Additionally, a request for information about anonymous data or data that does not concern the requesting person or the person on whose behalf the authorised person made the request, will not be within the scope of the right of access. This question will be analysed more in detail in section 4.

Unlike anonymous data (which are not personal data), pseudonymised data, which could be attributed to a natural person by the use of additional information, are personal data17. Thus, pseudonymised data that can be linked to a data subject – e.g. when the data subject provides the respective identifier allowing their identification, or when the controller is able to connect the data to the requesting person by its own means in accordance with Art 11(2) GDPR – are to be considered within the scope of the request18.

b) Does the request relate to the requesting person (or the person on whose behalf the authorised person makes the request)?

As a general rule, a request may only concern the data of the person making the request. Access to other people’s data can only be requested subject to appropriate authorisation.

Example: Data subject X works as a department manager for a company that provides parking spaces for its managers at a company car park. Although data subject X has a permanent parking space, when the data subject arrives at the office for their second shift, this space is often already occupied by another car. Since this situation is repetitive, in order to identify the driver who unauthorised occupies its slot, the data subject asks the controller of the video surveillance system covering the office’s parking lot area, for access to the personal data of this driver. In such a case, data subject X’s request will not be a request for access to their personal data, as the request does not concern the requesting person’sdata, but the data of another person – and therefore it should not be considered a request under Art. 15 GDPR.

c) Do provisions, other than the GDPR, regulating access to a certain category of data apply?

Data subjects are not required to specify the legal basis in their request. However, if the data subjects clarify that their request is based on sectoral legislation20 or on national legislation regulating the specific issue of access to certain categories of data21, and not on the GDPR, such a request shall be exercised by the controller in accordance with such sectoral or national rules. If the data subjects also request access to their data under Art. 15, and the controller has already provided data under the sectoral legislation, the controller should verify whether the obligations under the GDPR have been already fulfilled (i.e. all elements of Art. 15 have been already provided) or not (in that case additional elements have to be provided by the controller). Often, depending on the relevant national legislation, controllers may be required to provide separate replies, each dealing with the specific requirements set out by the different legislative acts. This is not to be confused with national or EU legislation setting out restrictions on the right of access which needs to be complied with when answering access requests.

If the controller has doubts as to which right the data subject wishes to exercise, it is recommended to ask the data subject making the request to explain the subject matter of the request. Such correspondence with the data subject shall not affect the duty of the controller to act without undue delay22. However, in case of doubts, if the controller asks the data subject for further explanation and receives no response, the controller should interpret, bearing in mind the obligation to facilitate the exercise of the person’s right of access, the information contained in the first request and act on its basis. In accordance with the accountability principle, the controller may determine an appropriate timeframe during which the data subject may provide further explanations. When fixing such timeframe, the controller should leave enough time to comply with the request after it elapsed and therefore consider how much time is objectively necessary to compile and provide the requested data once the specification was provided (or not) by the data subject.

If the request is aimed at obtaining access under the GDPR, the existence of such specific legislation does not override the general application of the right of access, as provided by the GDPR. There might be restrictions set out by EU or national law, when allowed by Art. 23 GDPR (see section 6.4).

d) Does the request fall within the scope of Article 15?

It should be noted that the GDPR does not introduce any formal requirements for persons requesting access to data. In order to make the access request, it is sufficient for the requesting persons to specify that they want to know what personal data concerning them the controller processes. Therefore, the controller cannot refuse to provide the data by referring to the lack of indication of the legal basis of the request, especially to the lack of a specific reference to the right of access or to the GDPR.

For example, in order to make a request, it would be sufficient for the requesting persons to indicate that:

• they wish to obtain access to the personal data concerning them;
• they are exercising their right of access; or
• they wish to know the information concerning them that the controller processes.

It should be borne in mind that applicants may not be familiar with the intricacies of the GDPR and that it is advisable to be lenient towards persons exercising their right of access, in particular when it is exercised by minors. As indicated above, in case of any doubts it is recommended for the controller to ask the data subject making the request to specify the subject matter of the request.

e) Do the data subjects want to access all or parts of the information processed about them?

51. Additionally, the controller needs to assess whether the requests made by the requesting persons refer to all or parts of the information processed about them. Any limitation of the scope of a request to a specific provision of Art. 15 GDPR, made by the data subjects, must be clear and unambiguous. For example, if the data subjects require verbatim “information about the data processed in relation to them”, the controller should assume that the data subjects intend to exercise their full right under Art. 15(1) – (2) GDPR. Such a request should not be interpreted as meaning that the data subjects wish to receive only the categories of personal data that are being processed and to waive their right to receive the information listed in Art. 15(1)(a) to (h). This would be different, for example, where the data subjects wish, with regard to data which they specify, to have access to the source or origin of the personal data or to the specified period of storage. In such a case the controller may limit its reply to the specific information requested.

3.1.2 Form of the request

As noted previously, the GDPR does not impose any requirements on data subjects regarding the form
of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller.

The EDPB encourages the controllers to provide the most appropriate and user -friendly communication channels, in line with Art. 12(2) and Art. 25, to enable the data subject to make an effective request. Nevertheless, if the data subject makes a request using a communication channel provided by the controller23, which is different from the one indicated as the preferable one, such request shall be, in general, considered effective and the controller should handle such a request accordingly (see the examples below). The controllers should undertake all reasonable efforts to make sure that the exercise of data subject rights is facilitated (for example, in case the data subject sends the request to an employee who is on leave, an automatic message informing the data subject about an alternative communication channel for its request could be a reasonable effort).

It should be noted that the controller is not obliged to act on a request sent to a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject’s rights, if the controller has provided an appropriate communication channel, that can be used by the data subject.23 This mayinclude, for example, communication data of the controller provided in its communications addressed directly to data subjects or contact data provided by the controller publicly, such as in the controller’s privacy policy or other mandatory legal notices of the controller (e.g. owner or business contact information on a website).

The controller is also not obliged to act on a request sent to the e-mail address of a controller’s employee who may not be involved in the processing of requests concerning data subjects’ rights (e.g. drivers, cleaning staff, etc.). Such requests shall not be considered effective, if the controller has clearly provided the data subject with appropriate communication channel. However, if the data subject sends a request to the controller’s employee who deals with the data subject’s affairs on a daily basis (single contact of a customer, such as e.g. personal account manager), such contact should not to be considered as a random one and the controller should make all reasonable efforts, to handle such a request so that it can be redirected to the contact point and answered within the time limits provided for by the GDPR.

Nevertheless, the EDPB recommends, as good practice, that controllers introduce, where possible, mechanisms to improve internal communication between employees on requests received by those who may not be competent to deal with such requests. In order to facilitate the exercise of data subjects’ rights.

 

Example: Controller X provides, both on its website and in the privacy notice, two e-mail addresses – the general e-mail address of the controller: CONTACT@X.COM and the e-mail address of the controller’s data protection contact point: QUERIES@X.COM. Additionally, controller X indicates on its website that in order to submit any inquiries or to make a request with regard to the processing of personal data, one shall contact the data protection contact point under the e-mail address provided. However, the data subject sends a request to the controller’s general e-mail address: CONTACT@X.COM.

In such a case, the controller should make all reasonable efforts, to make its services aware of the request, which was made through the general e-mail, so that it can be redirected to the data protection contact point and answered within the time limits provided for by the GDPR. Moreover, the controller is not entitled to extend the period for responding to a request, merely because the data subject has sent a request to the controller’s general e-mail address, not the controller’s data protection contact point e-mail address.

 

Example: Controller Y runs a network of fitness clubs. Controller Y indicates on its website and in the privacy notice for clients of the fitness club that in order to submit any inquiries or to make a request with regard to the processing of personal data, one shall contact the controller under the e-mail address: QUERIES@Y.COM. Nevertheless, the data subject sends a request to an e-mail address found in the changing room, where he found a notice that reads “If you are not satisfied with the cleanliness of the room, please contact us at: CLEANERS@Y.COM”, which is the e-mail address of the cleaning staff employed by Y. The cleaning staff are obviously not involved in handling matters concerning the exercise of the rights of data subjects – customers of the fitness club. Although the e-mail address was available on the premises of the fitness club, the data subject could not reasonably expect that this was an appropriate contact address for such requests, since the website and the privacy notice clearly informed about the communication channel to be used for the exercise of data subjects’ rights.

Date of receipt of the request by the controller triggers, as a rule, the one month period for the controller to provide information on action taken on a request, in accordance with Art . 12(3) (further guidance on timing is provided in section 5.3). The EDPB considers as good practice for the controllers to confirm receipt of requests in writing, for example by sending e-mails (or information by post, if applicable) to the requesting persons confirming that their requests have been received and that the one month period runs from day X to day Y.

3.1.3 Identification of the data subject and link between the personal data and the data subject

In order to ensure the security of processing and minimize the risk of unauthorised disclosure of personal data, the controller must be able to identify the data subject, i.e. find out which data refer to the data subject, and confirm the identity of the person in case of doubts.

The GDPR does not impose any requirements regarding the methods for determining the identity of the data subject. However, Art. 11 and 12 indicate the conditions for the exercise of all the data subject rights, including the right of access to personal data.

It should be remembered that, as a rule, the controller cannot request more personal data than is necessary to enable this identification, and that the use of such information should be strictly limited to fulfilling the data subjects’ request.

Art. 12(2) states that the controller shall not refuse to act on the request of the data subject to exercise his or herrights, unless the controller demonstrates that it is not in a position to identify the data subject. In such circumstances, the data subject may, however, provide additional information enabling this identification (Art. 11(2)). In order to allow the data subject to provide the additional information required to identify his or herdata, the controller should inform the data subject of the nature of the additional information required to allow identification.

If the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject (Art. 12(6)).

As indicated in the WP29 Guidelines on Data Portability endorsed by the EDPB, insofar as a digital communication channel already exists between the data subject and the controller and without prejudice to Art. 12(6) GDPR. The controllers must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR25.

3.2 Issues with establishing the identity of the person making the request

64. The controller should act upon the requests of data subjects for exercising their individual rights, unless it can demonstrate – through a justification in line with the principle of accountability (Art . 5(2)) – that it is not in a position to identify the data subject (Art. 11). The controller is not obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with the request. However, it should not refuse to take such additional information (Recital 57).

Example: X is the controller of the data processed in connection with the video surveillance of a building. In accordance with Art. 11(1), the controller is not obliged to identify all persons who have been registered by a security camera as a part of the monitoring (purpose not requiring identification). The controller receives a request for access to the personal data from the person who claims that to have been recorded by the controller’s video surveillance. The controller’s actions will depend on the additional information provided. If the requesting person indicates a particular day and time when the cameras may have recorded the event in question, it is likely that the controller will be able to provide such data (Art. 11(2)). However, if the request concerns e.g. a year of recordings, a controller who is unable to process such a large amount of data may refuse to take action not being in the position to identify the data subject (Art. 12(2)).

In cases where the controller requests the provision of additional information necessary to confirm the identity of the data subject, the controller shall each time assess what information will allow it to confirm the data subject’s identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3). Such additional information should not be more than the information initially needed for the verification of the data subject’s identity (authentication). In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested26.

As a consequence, where information collected online is linked to pseudonyms or other unique identifiers, the controller can implement appropriate procedures enabling the requesting person to make a data access request and receive the data relating to them27.

Example: The data subject Ms. X requests access to her data while speaking to a helpline consultant of an electricity company with which she has concluded a contract. The consultant, having doubts as to the identity of the person making the request, generates in the company’s system a one-time unique code sent to the user’s mobile phone number, provided when the account was set up, as part of the double verification system, which action should be considered proportionate in this case.

In this context, it may be recalled that in situations in which the purposes for which the personal data are processed do not or no longer require the identification of a data subject the controller does not need to maintain identification data for the sole purpose of complying with data subjects’ rights, also in light of the principle of data minimisation. These situations are dealt with in Art. 11(1) GDPR.

Example: A controller C processes personal data with the purpose of addressing behavioral advertising to its web users. Personal data collected for behavioral advertising are usually collected by cookies and associated with pseudonymous random identifiers. A data subject Mr. X exercises his right of access with C via C’s website. C is able to precisely identify Mr. X to show the data subject’s behavioral advertising, by linking the terminal equipment of Mr. X to its advertising profile with the cookies dropped in the terminal. C should then also be able to precisely identify Mr. X to grant him access to his personal data, as a link between the data processed and the data subject can be found.

Therefore, and taking into account the principles of the GDPR, such as the principle of fairness, the above example would not fall within the scope of Art. 11 GDPR. More precisely, in the above example, the purposes of C require the identification of the data subjects, while Art. 11 GDPR addresses the situation of a controller who would process additional data within the meaning of Art. 11(1) GDPR for the sole purpose of being able to comply with the GDPR. Accordingly, Art . 11 should be interpreted in particular in the light of the principle of fairness. This, in some cases, may mean that no additional data should be requested in order to exercise the rights of the data subject.

However, if Mr. X tries to exercise his access right by e-mail or by regular mail, then in this context C will have no other choice to ask Mr. X to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.

In case of demonstrated impossibility to identify the data subject, the controller needs to inform the data subject accordingly, if possible, since the controller should generally be obliged to respond to requests from the data subject without undue delay and to give reasons where it does not intend to comply with such requests (Recital 59). This information needs to be provided only “if possible”, as the controller may not be in a position to inform the data subjects if their identification is impossible.

3.3 Proportionality assessment regarding identification of the requesting person

As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject’s identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable identification of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.

The controller should implement an authentication (verification of the data subject’s identity) procedure in order to be certain of the identity of the persons requesting access to their data28,and ensure security of the processing throughout the process of handling an access requests in accordance with Art. 32, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at identifying the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).

In accordance with Recital 57, identification should include the digital identification of a data subject . For example through authentication mechanism such as the same credentials, used by the data subject to log-in to the online service offered by the controller29.

In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request the logging through the login and password of the user to authenticate, which in such cases should be sufficient to identify a data subject30. Consequently, it is disproportionate to require a copy of an identity document in the event where the data subject making their requests are already authenticated by the controller.

It should be emphasised that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorised or unlawful processing, and as such it should be considered inappropriate, unless it is strictly necessary, suitable, and in line with national law. In such cases the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to note that identification by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to the user account.

Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID card, it should generally not be considered an appropriate way of authentication. Alternatively, the controller may implement a quick and effective security measure to identify a data subject who has been previously authenticated by the controller, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes31.

In any case, information on the ID that is not necessary for confirming the identity of the data subject, such as the access and serial-number, nationality, size, eye colour, photo and machine-readable zone, may be blackened or hidden by the data subject before submitting it to the controller, except where national legislation requires a full unredacted copy of the identity card (see para. 77 below). Generally, the date of issue or expiry date, the issuing authority and the full name matching with the online account are sufficient for the controller to verify the identity, alwa ys provided that the authenticity of the copy and the relation to the applicant are ensured. Additional information such as the birth date of the data subject may only be required in case the risk of mistaken identity persists, if the controller is able to compare it with the information it already processes.

To follow the principle of data minimisation the controller should inform the data subject about the information that is not needed and about the possibility to blacken or hide those parts of the ID document. In such a case, if the data subject does not know how or is not able to blacken such information, it is good practice for the controller to blacken it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.

Example: The user Ms. Y has created an account in the online store, providing her e-mail and username. Subsequently, the account owner asks the controller for information whether it processes their personal data, and if so, asks for access to them within the scope indicated in Art. 15. The controller requests the ID of the person making request to confirm her identity. The controller’s action in this case is disproportionate and leads to unnecessary data collection.However, the controller in order to confirm the identity of the requesting person, while preventing unnecessary data collection, could ask her (non-intrusive) security questions that were configured when the data subject registered their account, or it could employ multifactor authentication for access requests.

 

Example: A bank customer, Mr. Y,, plans to get a consumer credit. For this purpose, Mr. Y goes to a bank branch to obtain information, including his personal data, necessary for the assessment of his creditworthiness. To verify the data subject’s identity, the consultant asks for notarised certification of his identity to be able to provide him with the required information.

The controller should not require notarised confirmation of identity, unless it is strictly necessary, suitable and in line with the national law (for example, where a person is temporarily not in possession of any identity document and proof of the data subject’s identity is required by the national law for the performance of a legal act). Such practice exposes the requesting personsto additional costs and imposes an excessive burden on the data subjects, hampering the exercise of their right of access.

Without prejudice to the above general principles, under certain circumstances, verification on the basis of an ID may be a justified and proportionate measure, for example for entities processing special categories of personal data or undertaking data processing which may pose a risk for data subject (e.g. medical or health information). However, at the same time, it should be borne in mind that certain national provisions provide for restrictions on the processing of data contained in public documents, including documents confirming the identity of a person (also on the basis of Art. 87 GDPR). Restrictions on the processing of data from these documents may relate in particular to the scanning or photocopying of ID cards or processing of official personal identification numbers32.

Taking the above into account, where an ID is requested (and this is both in line with national law and justified and proportionate under the GDPR), the controller must implement safeguards to prevent unlawful processing of the ID. Notwithstanding any applicable national provisions regarding ID verification, this may include not making a copy or deletion of a copy of an ID immediately after the successful verification of the identity of the data subject. This is because further storage of a copy of an ID is likely to amount to an infringement, in light of the principles of purpose limitation and storage limitation (Art. 5(1)(b) and (e) GDPR) and any possible national legislation with regards to processing of the national identification number (Art. 87). The EDPB recommends, as good practice, that the controller, after checking the ID card, makes a note e.g. ” ID card was checked ” to avoid unnecessary copying or storage of copies of ID cards.

3.4 Requests made via third parties / proxies

Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. This may apply to, among others, acting through a proxy or legal guardians on behalf of minors, as well as acting through other entities via online portals. In some circumstances, the identity of the person authorised to exercise the right of access as well as authorisation to act on behalf of the data subject may require verification, where it is suitable and proportionate (see section 3.3 above). It should be recalled that making personal data available to someone who is not entitled to access it can amount to a personal data breach33.

In doing so, national laws governing legal representation (e.g. powers of attorney), which may impose specific requirements for demonstrating authorization to make a request on behalf of the data subject, should be taken into account, since the GDPR does not regulate this issue. In accordance with the principle of accountability, as well as of the other data protection principles, the controllers shall be able to demonstrate the existence of the relevant authorization to make a request on behalf of the data subject, except if national law foresees differently (e.g. specific rules regarding the trustworthiness of lawyers) leaving the controller the only obligation to verify the identity of the proxy (e.g. in the case of lawyers checking enrolment at the bar). Therefore, it is recommended to collect appropriate documentation in this respect, in relation to the previously indicated general rules regarding confirmation of identity of a natural person making a request and if the controller has reasonable doubts concerning the identity of a person acting on behalf of data subject, it shall request additional information to confirm the identity of this person.

While the exercise of the right of access to personal data of deceased persons amounts to another example of access by a third party other than the data subject, Recital 27 specifies that the GDPR does not apply to the personal data of deceased persons. The matter is therefore dealt with by national law as Member States may provide for rules regarding the processing of personal data of deceased persons. However, it should be borne in mind that the data may in addition relate to living third persons, e.g. when it comes to the deceased’s correspondence. The confidentiality of such data still needs to be protected.

3.4.1 Exercise of the right of access on behalf of children

Children deserve specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerning their rights in relation to the processing of personal data34. Any information and communication to a child, where personal data of a child are processed, should be in such a clear and plain language that the child can easily understand.

Children are data subjects in their own right and, as such, the right of access belongs to the child. Depending on the maturity and capacity of the child, acting on behalf of the child by the holder of the parental responsibility could be needed.

The best interests of the child should be the leading consideration in all decisions taken with respect to the exercise of the right of access in the context of children, in particular where the right of access is exercised on behalf of the child, for example by the holder of parental authority.

Due to the special protection of children’s personal data contained in the GDPR, the controller shall take appropriate measures to avoid any disclosure of personal data of a minor to an unauthorised person (in this respect see also section 3.4 above).

Finally, the right of the holder of parental responsibility to act on behalf of the child should not be confused with instances, outside of data protection law, where the national legislation may provide the right of the holder of parental responsibility to ask and receive information on the child (e. g. performance of the child at school).

3.4.2 Exercising the right of access through portals / channels provided by a third party

There are companies that provide services which enable data subjects to make access requests through a portal. The data subject signs in and gets access to a portal through which they can submit for example an access request, request data rectification or data erasure from different controllers. Different questions arise from the use of portals provided for by a third party.

The first issue controllers need to deal with when facing these circumstances refers to ensuring that the third party is acting legitimately on behalf of the data subject, as it is necessary to make sure that no data is disclosed to unauthorised parties.

Additionally, a controller that receives a request made through such a portal needs, invariably, to handle that request in a timely manner. There is, however, no obligation for the controller to provide the data under Art. 15 directly to the portal. If the controller, for example, establishes that the security measures are insufficient, it would be deemed appropriate to use another way for the disclosure of data to the data subject. Under such circumstances, when the controller has other procedures in place to deal with access requests in an efficient way, the controller can provide the requested information through these procedures.

4 SCOPE OF THE RIGHT OF ACCESS AND THE PERSONAL DATA AND INFORMATION TO WHICH IT REFERS

The present section aims at shedding light on the definition of personal data (4.1) and clarifying the scope of the information covered by the right of access in general (4.2 and 4.3). Of note is that the scope of the notion of personal data and thus, the differentiation between personal data and other data, is an integral part of the assessment carried out by the controller to identify the scope of the data that the data subject is entitled to obtain access to36.

As a preliminary consideration it should be recalled that the right of access can only be exercised with regard to processing of personal data falling within the material and territorial scope of the GDPR. Therefore, personal data that are not processed by automated means or that are not part of or intended to become part of a filing system as per Art. 2(1) GDPR, or processed by a natural person in the course of a purely personal activity as per Art. 2 (2) GDPR, are not covered by the right of access.

4.1 Definition of personal data

Art. 15(1) and (3) GDPR refer to “personal data”, and “personal data undergoing processing”, respectively. Therefore, the scope of the right of access is first and foremost determined by the scope of the concept of personal data, defined in Art. 4(1) GDPR37. The concept of personal data has already been the subject of several Art. 29 Working Party documents and has been interpreted by the CJEU, including in the context of the right of access under Art. 12 of the Directive 95/46/CE.

The WP29 considered that the definition of personal data in the Directive 95/46/EC “reflects the intention of the European lawmaker for a wide notion of ‘personal data’”40. Under the GDPR, the definition still refers to “any information relating to an identified or identifiable natural person”. Aside from basic personal data like name and address, telephone number etc., unlimited broad variety of data may fall within this definition, including medical findings, history of purchases, creditworthiness indicators, communication contents, etc. In light of the broad scope of the definition of personal data, a restrictive assessment of that definition by the controller would lead to an erroneous classification of personal data41 and ultimately to a violation of the right of access.

In joint cases C-141/12 and C-372/1242 the CJEU ruled that the right of access covered personal data contained in minutes, namely the “name, date of birth, nationality, gender, ethnicity, religion and language of the applicant” “and, “where relevant, the data in the legal analysis contained in the minute”, but not the legal analysis itself43. The legal analysis was in this context not liable in itself to be the subject of a check of its accuracy by the data subject nor of a rectification. Furthermore, providing access to the legal analysis does not fulfil the purpose of guaranteeing privacy but access to administrative documents.

In Nowak, the CJEU made a broader analysis and found that written answers submitted by a candidate at a professional examination and any comments of an examiner with respect to those answers constitute personal data concerning the exam candidate. More precisely, such subjective information are personal data “in the form of opinions and assessments, provided that it ‘relates’ to the data subject”45 as opposed to the examination questions, which are not considered personal data46. Thus, a contextual assessment should shed light on the effect or result an information may have on an individual and thus the scope of the right of access.

 

Example: An individual has a job interview with a company. In this context, the job applicant hands over a CV and an application letter. During the interview, the HR officer takes notes on a computer to document the interview. Afterwards, the job applicant, as data subject requests access to personal data relating to them that the company, as controller, collected in the course of the recruitment procedure.

38 The Art. 29 Working Party (Art. 29 WP) is the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the GDPR), the predecessor of the EDPB.

The controller is obliged to provide the data subject with personal data actively communicated by them in their CV and letter of application. Moreover, the controller needs to provide the data subject with the summary of the interview, including the subjective comments on the behaviour of the data subject the HR officer wrote during the job interview.

Thus, subject to the specific facts of the case, when assessing a specific request for access, the following types of data are, inter alia, to be provided by controllers without prejudice to Art. 15(4) GDPR:

• Special categories of personal data as per art.9GDPR;
• Personal data relating to criminal convictions and offences as per Art. 10 GDPR;
• Data knowingly and actively provided by the data subject (e.g. account data submitted viaforms, answers to a questionnaire);
• Observed data or raw data provided by the data subject by virtue of the use of the service orthe device (data processed by connected objects, transaction history, activity logs such as access logs, history of website usage, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, particular way of walking or speaking);
• Data derived from other data, rather than directly provided by the data subject (e.g. credit ratio, classification based on common attributes of data subjects; country of residence derived from postcode);
• Data inferred from other data, rather than directly provided by the data subject (e.g. to assign a credit score or comply with anti-money laundering rules, algorithmic results, results of a health assessment or a personalization or recommendation process);
• Pseudonymised data as opposed to anonymized data (see also section 3 of these guidelines).

Example: Elements that have been used to reach a decision about e.g. employee’s promotion, pay rise or new job assignment (e.g. annual performance reviews, training requests, disciplinary records, ranking, career potential) are personal data relating to that employee. Thus such elements can be accessed by the data subject on request and respecting Art.15 (4) GDPR in case personal data for example, also relate to another individual (e.g. the identity or elements revealing the identity of another employee whose testimony about the professional performance is included in an annual performance review may be subject to limitations under Art. 15(4) GDPR and hence it is possible that they cannot be communicated to the data subject in order to protect the rights and freedoms of said employee). Nevertheless, national labour law provisions may apply for instance regarding the access to personnel files by employees or other national provisions such as those concerning professional secrecy. Under all circumstances, such restrictions to the exercise of the right of access of the data subject (or other rights) provided in a national law must respect the conditions of Art . 23 GDPR (see section 6.4).

Several considerations may be drawn from the above non-exhaustive list of personal data which may be provided to the data subject in case of an access request. It becomes for instance notably apparent from the above, that the controller may not operate a distinction when providing access between personal data contained in paper files and those stored electronically as long as they fall within the scope of the GDPR. In other words, personal data which are contained in paper files a s part of a filing system, or which are intended to form part of a filing system, are covered by the right of access in the same way as personal data stored in a computer memory by means of binary code, or on a videotape.

Moreover, like most data subject rights, the right of access includes both inferred and derived data, including personal data created by a service provider, whereas the right to data portability only includes data provided by the data subject51. Therefore, in case of an access request and unlike a data portability request, the data subject should be provided not only with personal data provided to the controller in order to make a subsequent analysis or assessment about these data but also with the result of any such subsequent analysis or assessment.

It also is important to recall that there is information, such as anonymous data52, which is data that do not relate directly or indirectly to an identifiable person, and that are hence excluded from the scope of the GDPR. For example, the location of the server on which the personal data of the data subject processed is not personal data. The distinction can be challenging and controllers may wonder how to draw a clear line between personal and non-personal data in particular in the case of mixed datasets. In such case it may be useful to differentiate between mixed datasets in which personal and non- personal data are inextricably linked and those in which this is not the case. Personal and non-personal data may be inextricably linked in mixed datasets and fall altogether under the scope of the right of access of the data subject to which the personal data relates53. In other cases personal and non- personal data in mixed datasets may not be inextricably linked rendering only the personal data in the set accessible to the data subject. For example, a company might need to provide a data subject with the individual IT incident reports it triggered, but not with the company’s knowledge database of IT problems. However, which security measures the controller has put in place is generally not to be understood as being personal data, provided that these are not inextricably linked with personal data, and therefore not covered by the right of access.

Before concluding the section, the EDPB recalls in this context that the protection of natural persons with regard to the processing of personal data encompasses all the types of personal data listed above and that a restrictive interpretation of the definition contravenes the provisions of the GDPR and ultimately violates Art. 8 of the Charter of Fundamental Rights. The application of a differing regime for the exercise of a right in relation to some types of personal data, which has not been foreseen by the GDPR can be introduced exclusively by law, in accordance with Art . 23 GDPR (as further explained in section 6.4). Thus, controllers cannot limit the exercise of the right of access by unduly restricting the scope of personal data.

4.2 The personal data the right of access refers to

According to Art. 15(1) GDPR, “the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information”(emphasis added).

Several elements emerge from paragraph (1) of Art. 15 GDPR. The paragraph refers expressis verbis to “personal data concerning him or her”(4.2.1) , which “are being processed”(4.2.2) by the controller:

4.2.1 “personal data concerning him or her”

The right of access can be exercised exclusively with regard to personal data relating to the data subject requesting access or, where applicable, by an authorised person or proxy (see section 3.4). There are also situations in which data do not have a link to the person exercising the right of access but to another individual. The data subject is however, only entitled to personal data relating to themselves excluding data which exclusively concern someone else.

The classification of data as personal data concerning the data subject does however not depend upon the fact that those personal data also relate to someone else55. It is thus possible that personal data relate to more than one individual at the same time. This does not automatically mean that access to personal data also relating to someone else should be granted, as the controller needs to comply with Art. 15(4) GDPR.

The words “personal data concerning him or her” should not be interpreted in an “overly restrictive” way by controllers, as the Art. 29 Working Party already stated with regard to the right to data portability56. Transposed to the right of access, the EDPB considers for example that recordings of telephone conversations (and their transcription) between the data subject that requests access and the controller, may fall under the right of access provided that the latter are personal data. Provided that the GDPR applies and that the processing is not covered by the household exemption as per Art. 2(2)(c) GDPR, if the data subject uses the obtained record which includes personal data of the interlocutor for other purposes by, for instance, publishing the record, the data subject will become a controller for this processing of personal data relating to the other person whose voice was recorded. Although this will not exempt the controller from its data protection obligations when duly analysing whether access to the full record may be given, the controller should inform the data subject about the fact that they may become controller in such case. This is without prejudice to any further assessment under Art. 15(4) GDPR detailed in section 6. In the same vein, messages that data subjects have sent to others in the form of interpersonal messages and deleted themselves from their device, that are still avaible to the service provider, may fall under the right of access.

Then again, there are situations in which the link between the data and several individuals may seem blurred to the controller, such as in the case of identity theft. In case of identity theft, a person fraudulently acts in the name of another person. In this context it is important to recall that the victim should be provided with information on all personal data the controller stored in connection with their identity, including those that have been collected on the basis of the fraudster’s actions. In other words, even after the controller learned about the identity theft, personal data is associated with or related to the identity of the victim and therefore constitutes personal data of the data subject.

Example: An individual fraudulently uses the identity of someone else in order to play poker online. The perpetrator pays the online casino using the credit card they stole from the victim. When the victim finds out about the identity theft, the victim asks the provider of the online casino to provide him or her with access to personal data relating to him or her and more specifically to the online games played and information about the credit card used by the perpetrator.There is a link between the collected data and B as the latter’s identity has been used. After the detection of the fraud, the personal data mentioned above still has a link by reason of their content (the victim’s credit card is clearly aboutthe victim), purpose and effect (the information about the online games played by the perpetrator may for instance be used to issue invoices to the victim). Therefore, the online casino shall grant the victim access to the aforementioned personal data.

The putting in place and the supervision and revision of connection logs58 fall within the controller’s responsibility and are liable to be checked by the supervisory authorities. The controller should thus make sure that the persons acting under its authority who have access to personal data do not process personal data except on instructions from the controller, as per Art. 29 GDPR. If the person nevertheless processes the personal data for other purposes than fulfilling the controller’s instructions, it may become controller for that processing and subject to disciplinary or criminal proceedings or administrative sanctions issued by Supervisory Authorities. The EDPB notes that it is part of the employer’s responsibility under Art. 24 GDPR to make use of appropriate measures, extending from education to disciplinary procedures, to ensure that processing is in compliance with the GDPR and that no data breach occurs.

4.2.2 Personal data which “are being processed”

Paragraph (1) of Art. 15 GDPR moreover refers to personal data, which “are being processed”. The time reference point for determining the range of personal data falling within the access request has already been elaborated in section 2.3.3. The wording however also suggests that the right of access does not distinguish between the purposes of the processing operations.

 

Example: A company processed personal data relating to a data subject in order to process their purchase order and arrange shipping to data subject’s home address. After these initial purposes for which the personal data were collected do no longer exist, the controller keeps some of the personal data solely to comply with its legal obligations relating to the keeping of records.

The data subject requests access to personal data relating to them. To comply with its obligation under article 15 (1) GDPR, the controller needs to provide the data subject with the requested personal data which are stored to comply with its legal obligations.

 

Archived personal data needs to be distinguished from back-up data that is personal data stored solely for the purpose of restoring the data in the case of a data loss event. It should be pointed out, that in respect of the principles of data protection by design and data minimisation, the back-up data is in principle similar to the data in the live system. Where there are slight differences between personal data in the back-up and the live production system, these are generally linked to the collection of additional data since the last back-up. A decrease in data in the live system (e.g. erasure after the retention period of some data came to an end or following an erasure request) will in some cases only be overwritten in the back-up data at the time of the subsequent back-up. In case there is an access request at the moment where there are more personal data relating to the data subject in the back- up than in the live system or different personal data (noticeable for example via log of deletions in the live production system implemented in full compliance with the principle of data minimisation), the controller needs to be transparent about this situation and where technically feasible provide access as requested by the data subject, including to personal data stored in the back-up. For instance, with the aim of being transparent to the data subject that exercises their right, a log of deletions in the live production system may enable the controller to see that there are data in the back-up which are no more in the live system as they have been deleted shortly, which has not yet been overwritten in the back-up.

4.2.3 The scope of a new request to access

What remains to say is that the data subject is entitled to have access to all data processed relating to them, or to parts of the data, depending on the scope of the request (see also 2.3.1 on the completeness of the information and 3.1.1 for the analysis of the content of the request). As a consequence, where a controller already complied with a request for access in the past and provided that the request is not excessive, the controller cannot narrow the scope of this new request. This means that in relation to any further access request of the same data subject, the controller should not inform the data subject only on the mere changes in the personal data processed or the processing itself since the last request, unless the data subject expressly agrees to doing so. In addition, the data subject would be otherwise obliged to compile their personal data provided in order to a complete set of personal data concerning their information on the processing and on data subject rights.

4.3 Information on the processing and on data subject rights

In addition to the access to the personal data themselves, the controller has to provide information on the processing and on data subject rights according to Art. 15(1) (a) to (h) and 15(2) GDPR. Most of the information on those specific points is already compiled, at least in general form, in the controller’s record of processing activities referred to in Art. 30 GDPR and/or in its privacy notice elaborated in accordance with Art.s 12 to 14 GDPR. Therefore, it might be helpful as a first step to consult the “Guidelines on transparency under Regulation 2016/679” 59 of the Art. 29 Working Party, on the content of the information to be given under Art.s 13 and 14 GDPR.

111. In order to comply with Art. 15(1)(a) to (h) and 15(2), controllers may carefully use text modules of their privacy notice as long as they make sure that they are of adequate actuality and precisene ss with regards to the request of the data subject. Before or at the beginning of the data processing, some information, such as the identification of specific recipients or the specific duration of the data processing, will often only be possible in general terms. Furthermore, privacy notices as well as records of processing activities generally relate to processing concerning all data subjects and are often not tailored to the situation of a specific data subject. Some information, like for example the right to complain to a supervisory authority (see Art. 15(1)(f)), does not change depending on the person making the access request.Therefore, it may be communicated in general terms as it is also done in the privacy notice. Other types of information, such as the information on recipients, on categories and on the source of the data may vary depending on who makes the request and what the scope of the request is. In the context of an access request under Art. 15, any information on the processing available to the controller may therefore have to be updated and tailored for the processing operations actually carried out with regard to the data subject making the request. Thus, referring to the wording of its privacy policy would not be a sufficient way for the controller to give information required by Art. 15(1)(a) to (h) and (2) unless the « tailored » information is the same as the « general » information. In the following, the degree of specification required is explained in relation to the individual types of information.

Information on the purposes according to Art. 15(1)(a) needs to be specific as to the precise purpose(s) in the actual case of the requesting data subject. It would not be enough to list the genera l purposes of the controller without clarifying which purpose(s) the controller pursues in the current case of the requesting data subject. If the processing is carried out for several purposes, the controller has to clarify which categories of data are processed for which purpose(s). Unlike Art. 13(1)(c) and Art. 14(1)(c), the information on the processing referred to in Art. 15(1)(a) does not contain information on the legal basis for the processing. However, as some data subjects’ rights depend on the applicable legal basis, this information is important for the data subjects to verify the lawfulness of the data processing and to determine which data subject’s rights are applicable in the specific situation. Therefore, in order to facilitate the exercise of data subjects’ rights in line with Art. 12(2), the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation. In any event, the principle of transparent processing requires that the informat ion on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice).

Information on categories of data (Art. 15(1)(b)), in spite of the general nature of those categories and depending on the circumstances of the specific case, may also have to be tailored to the data subject’s situation.

Example: In the context of the information referred to in Art. 14, an insurer states that they process a number of categories of customer data (name, address, date of birth, telephone number, email address, bank account, pp.). If a request of access is made on the basis of Art. 15 GDPR, the data subject who makes the request must, in addition to the access to the actual data being processed (component 2), in line with Art. 15(1)(b) also be informed as to the specific categories of data which are being processed in the specific case (e.g. only e-mail address, but not the telephone number).

Information on “recipients or categories of recipients” (Article15(1)(c))has firstly to take into account the definition of recipients given in Art.e 4(9) GDPR. The definition of recipients is based on the disclosure of personal data to a natural or legal person, public authority, agency or other body60. From Art. 4 (9) GDPR follows, that public authorities acting in the framework of a particular enquiry subject to specific national provisions are not to be considered as recipients.

Concerning the question, if the controller is free to choose between information on recipients or on categories of recipients, it has to be recalled, that, as stated in the above-mentioned guidelines on transparency61, already under Art. 13 and 14 GDPR information on the recipients or categories of recipients should be as concrete as possible in respect of the principles of transparency and fairness. The controller should therefore generally name the actual recipients unless it would only be possible to indicate the category of recipients. Nevertheless, sometimes naming the actual recipients is not yet possible at the time of the information under Art. 13 and 14 GDPR but only in a later stage, for example when an access request is made. The EDPB recalls in this regard, that storing information relating to the actual recipients is necessary inter alia to be able to comply with the controller’s obligations under Art.s 5(2) and 19 GDPR.

 

Example: In its privacy notice an employer gives information about which categories of data are passed on to “travel agencies” or “hotels” in case of business trips, in accordance with Art. 13(1)(e) and 14(1)(e) GDPR. If an employee makes a request for access to the personal data after business trips have taken place, the employer should then, concerning the recipients of the personal data pursuant to Art. 15(1)(c), indicate in its reply the travel agency(ies) and hotel(s) that received the data. While the employer legitimately referred to categories of recipients in its privacy notice pursuant to Art. 13 and 14, because at this stage, it was not yet possible to name the recipients, it should, in line with the principles of transpareny and fairness, provide information as to the specific recipients (name of travel agencies, hotels etc.) when the employee is making an access request.

 

Where a controller only provides the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.

According to Art. 15(1)(d), information has to be given on the envisaged period for which the personal data will be stored, where possible. Otherwise, the criteria used to determine that period have to be provided. The information given by the controller has to be precise enough for the data subject to know how long the data relating to the data subject will continue to be stored. If it is not possible to specify the time of deletion, the duration of storage periods and the beginning of this period or the triggering event (e.g. termination of a contract, expiration of a warranty period, etc.) shall be specified. The mere reference, for example to “deletion after expiry of the statutory storage periods” is not sufficient. If the triggering event has already occurred, the specific storage period shall be indicated. Indications concerning data storage periods will have to focus on the specific data relating to the data subject. If the personal data of the data subject is subject to different deletion periods (e.g. because not all data is subject to legal storage obligations), the deletion periods shall be stated in relation to the respective processing operations and categories of data.

Whereas information on the right to lodge a complaint with a supervisory authority (Art. 15 (1) (f)) is not dependant on the specific circumstances, the data subjects rights mentioned in Art. 15 (1) (e) vary depending on the legal basis underlying the processing. With regard to its obligation to facilitate the exercise of data subject rights pursuant to Art. 12(2), the response by the controller on those rights shall be individually tailored to the case of the data subject and relate to the processing operations concerned. Information on rights that are not applicable for the data subject in the specific situation should be avoided.

According to Art. 15(1)(g), “any available information” as to the source of the data has to be provided, where the personal data are not collected from the data subject. The degree of available information may change over time.

 

Example: The privacy policy of a large company states:“Credit checks help us to prevent problems in payment transactions. They guarantee the protection of our company against financial risks, which can also affect sales prices in the medium to long term. A credit check is necessarily carried out when we are going to ship goods without receiving the respective purchase price at the same time, e.g. in the case of a purchase on account. Without carrying out the credit check, only a prepayment payment option (immediate bank transfer, online payment provider, credit card) is possible.For the purpose of credit checking, we will send your name, address and date of birth to the following service providers, for example: (1) Financial information agency X (2) Business Information Provider Y, (3) Commercial Credit Reference Agency Z.The data are passed on to the above-mentioned credit institutions only within the scope of what is legally permissible and only for the purposes of the analysis of your past pa yment behaviour as well as for the assessment of the risk of default on the basis of mathematical-statistical procedures using address data as well as for verification of your address (examination of delivery). Depending on the result of the credit check, we may no longer be able to offer you individual payment methods, such as the purchase of invoices.”The privacy notice thus contains general information on the possibility of obtaining information from the listed Economic Information Offices in accordance with Art. 13 and 14. If it is not clear ex ante, which of the companies will get involved in the processing, it is sufficient to mention the names of the eligible companies in the privacy policy. In the context of a request based on Art. 15, in addition t o the information that a creditworthiness information has been obtained, it would then (ex post) be necessary to disclose, which of the companies mentioned has been involved exactly. It is clearly expressed by Art. 15(1)(g), that information on the processing of the data comprise “any available information as to their source” where the personal data are not collected from the data subject .

Art. 15(1 )(h) provides that every data subject should have the right to be informed, in a meaningful way, inter alia, about the existence and underlying logic of automated decision-making including profiling concerning the data subject and about the significance and the envisaged consequences that such processing could have63. If possible, information under Art. 15(1)(h) has to be more specific in relation to the reasoning that lead to specific decisions concerning the data subject who asked for access.

Information about intended transfers of data to a third country or an international organisation, including the existence of a Commission adequacy decision or suitable safeguards, has to be given under Art. 13(1)(f) and 14(1)(f). In the context of a request for access under Art. 15, Art. 15(2) requires information on the appropriate safeguards pursuant to Art. 46 only in ca ses where transfer to a third country or an international organisation is actually taking place.

5 HOW CAN A CONTROLLER PROVIDE ACCESS?

The GDPR is not very prescriptive as to how the controller has to provide access. The right of access may be easy and straight forward to apply in some situations, for example when a small organisation holds limited information about the data subject. In other situations, the right of access is more complicated because the data processing is more complex; with regard to the number of data subjects, the categories of processed data as well as the flow of data within and between different organisations. Considering the differences in personal data processing, the appropriate way to provide access may vary accordingly.

This section aims at giving some guidance and practical examples on different ways for controllers to comply with an access request as well as to the meaning of Art. 12(1) in relation to the right of access. This section will also give some guidance about what is considered to be a commonly used electronic form, as well as the timing for the provision of access under Art. 12(3).

5.1 How can the controller retrieve the requested data?

The data subjects should have access to all the information that the controller processes regarding them. This means, for example, that the controller is obliged to search for personal data throughout its IT systems and non-IT filing systems. When carrying out such search, the controller should use available information in the organisation regarding the data subject that likely will result in matches in the systems depending on how the information is structured64. For example, if the information is sorted in files depending on name or a reference number, the search could be limited to these factors. But if the structure of the data depends on other factors, such as family relations or professional titles or any kind of direct or indirect identifiers (e.g. customer number, user name or IP-addresses), the search needs to be extended to include these, provided that the controller also holds this information related to the data subject, or is provided with that information by the data subject. The same applies when records regarding third persons are likely to contain personal data regarding the data subject. The controller may, however, not require the data subject to provide more information than necessary to identify the data subject.

In line with Art. 25 GDPR on data protection by design and by default, the controller should also already have implemented functions enabling the compliance with data subject rights. This means, in this context, that there should be appropriate ways to find and retrieve information regarding a data subject when handling a request. However, it should be noted that an excessive interpretation in this regard could lead to functions for finding and retrieving information that in itself pose a risk for the privacy of data subjects. It is therefore important to keep in mind that the process to retrieve data should also be designed in a data protection friendly way, so that it doesn’t compromise the privacy of others, for example the employees of the controller.

5.2 Appropriate measures for providing access

5.2.1 Taking “appropriate measures”

Art. 12 GDPR lays down the requirements for providing access, i.e. for providing the confirmation, the personal data and the supplementary information under Art. 15, and specifies also the form, manner and time limit in relation to the right of access. Art. 29 Working Party’s “Guidelines on transparency under Regulation 2016/679”65 provides further guidance as regards Art. 12, mostly in relation to Art. 13 and 14 but also in relation to Art. 15 and on transparency in general. Thus, what is defined in those guidelines can often equally apply with regards to providing access under Article 15.

Art. 12(1) of the GDPR states that the controller shall take appropriate measures to provide any communication under Art. 15 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Art. 12(2) provides that the controller shall facilitate the data subject’s exercise of access right. The more precise requirements in this regard will have to be assessed case by case. When deciding which measures are appropriate, the controllers have to take into account all the relevant circumstances, including, but not limited to, the amount of data being processed, the complexity of their data processing and the knowledge they have about their data subjects, for example if the majority of the data subjects are children, elderly people or people with disabilites. In addition, in situations where the controller is made aware of any special needs for the data subject making the request, for example through additional information in the request made, the controller needs to take these circumstances into consideration. As a result the appropriate measures will vary.

It is important to keep in mind when making the assessment that the term ”appropriate” should never be understood as a way of limiting the scope of the data covered by the right of access. The term “appropriate” does not mean that the efforts to provide the information can be balanced against, for example, any interest the data subject may have in obtaining the personal data. Instead the assessment should aim at choosing the most appropriate method for providing all information covered by this right, depending on the specific circumstances in each case. As a consequence, a controller who processes a vast amount of data on a large scale must accept to undertake great efforts to ensure the right of access to the data subjects in a consice, transparent, intelligible and easily accessible form, by using plain and clear language.

It needs to be avoided to direct the data subject to different sources in response to a data access request. As previously stated in the WP29 Guidelines on Transparency (with regard to the notion of “provide” in Art. 13 and 14), the notion of “provide” entails that “the data subject must not have to actively search for information covered by these articles amongst other information, such as terms and conditions of use of a website or app”66. Therefore, and in respect of the transparency principle, data subjects must obtain from the controller the information and personal data required by Art. 15(1), 15(2) and 15(3) in a way that enables a complete access to the requested information. The method chosen by the controller must, in line with that, be one that actually provides the data subject with the requested data and information, hence it would not be considered appropriate to solely refer the data subject to check the requested data stored on their own device, for example to check clickstream history and IP addresses on their mobile phone.

In accordance with the accountability principle, a controller must document their approach to be able to demonstrate how the means chosen to provide the necessary information under Art. 15 are appropriate in the circumstances at hand.

5.2.2 Different means to provide access

As already explained in section 2.2.2 above, when making an access request the data subjects are entitled to receive a copy of their data undergoing processing pursuant to Art. 15(3) together with the supplementary information, which is considered as the main modality for providing access to the personal data.

However, under some circumstances it could be appropriate for the controller to provide access through other ways than providing a copy. Such non-permanent modalities of access to the data could be, for example: oral information, inspection of files, onsite or remote access without possibility to download. These modalities may be appropriate ways of granting access for example in cases where it is in the interest of the data subject or the data subject asks for it. Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data in the record are correct by giving them a chance to have a glance at the original record. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Nor does giving access through other ways than providing a copy preclude the data subjects from the right to also have a copy, unless they recognisably waived this right.

The controller may choose, depending on the situation at hand, to provide the copy of the data undergoingprocessing, togetherwiththesupplementaryinformation,indifferent ways,e.g.bye-mail, physical mail or by the use of a self-service tool. In any case, the controller has to consider appropriate technical and organizational measures, including adequate encryption when providing information via e-mail or online-self-service tools.

In the situation, where the controller is processing personal data regarding the person making the request only in a small scale, the copy of the personal data and the supplementary information can and should be provided through a rather simple procedure.

 

Example 1: A local bookstore keeps a record of name and addresses of their customers that have ordered home delivery. A customer visits the bookstore and makes a request for access. In this situation it would be sufficient to print out the personal data concerning the customer directly from the business system, while also supplying the supplementary information in Art. 15(1) and (2).

 

Example 2: A monthly donor to a charity organisation makes an access request through e-mail. The charity organisation holds information about donations made in the past twelve months, as well as names and e-mail addresses of the donors. The controller could provide the copy of the personal data and the supplementary information by responding to the e-mail, provided that all necessary safeguards are applied, taking into consideration for example the nature of the data.

Even controllers that process a vast amount of data can choose to rely on manual routines for handling access requests. If the controller processes data in several different departments, the controller needs to collect the personal data from each department to be able to respond to the data subject request.

Example: An administrator is appointed by the controller to handle the practical issues regarding access requests. When receiving a request the administrator sends an enquiry through e-mail to the different departments of the organisation asking them to collect personal data regarding the data subject. Representatives of each department give the administrator the personal data processed by their department. The administrator then sends all the personal data to the data subject together with the necessary supplementary information, for example and when appropriate, by e-mail.

Although manual processes for handling access requests could be regarded as appropriate, some controllers may benefit from using automated processes to handle data subject requests. This could for example be the case for controllers that receive a large number of requests. One way to provide the information under Art. 15 is by providing the data subject with self-service tools. This could facilitate an efficient and timely handling of data subjects’ requests of access and will also enable the controller to include the verification mechanism in the self-service tool.

Example: A social media service has an automated process for handling access requests in place that enables the data subject to access their personal data from their user account. To retr ieve the personal data the social media users can choose the option to “Download your personal data” when logged into their user account. This self-service option allows the users to download a file containing their personal data directly from the user account to their own computer.

The use of self-service tools should never limit the scope of personal data received. If not possible to give all the information under Art. 15 through the self-service tool, the remaining information needs to be provided in a different manner. The controller may indeed encourage the data subject to use a self-service tool that the controller has set in place for handling access requests. However, it should be reminded that the controller must also handle access requests that are not sent through the established channel of communication67.

5.2.3 Providing access in a ”concise, transparent, intelligible and easily accessible form using clear and plain language”

According to Art. 12(1) the controller shall take appropriate measures to provide access under Art. 15 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

The requirement that providing access to the data subject has to be done in a concise and transparent form means, that controllers should present the information efficiently and succinctly in order to be easily understood and captured by the data subject, especially if it is a child. The controller needs to take into account the quantity and complexity of the data when choosing means for providing access under Art. 15.Example: A social media provider processes a vast amount of information about a data subject. A large part of this personal data is information contained in hundreds of pages of log files where the data subject’s activities on the website are registered. If data subjects request access to their personal data, these log files are indeed covered by the right of access. The right of access may therefore be formally fulfilled if these hundreds of pages of log files were to be provided to the data subject. However, without measures taken to facilitate the understanding of the log files, the data subject’s right of access might not be met in practice, because no knowledge can easily be drawn from the log files, therefore not fulfilling the requirement of Art. 12(1). The controller must therefore be careful and thorough when choosing the way the information and personal data is presented to the data subject.

Under the circumstances in the example above, the use of a layered approach, similar to the layered approach advocated in the Guidelines on transparency with regard to privacy notices68, could be an appropriate measure to fulfil both the requirements in Art. 15 and 12(1). This will be further developed under section 5.2.4. below. The requirement that the information is “intelligible” means that it should be understood by the intended audience69, whilst keeping in mind any special needs that the data subject might have that is known to the controller70. Since the right of access often enables the exercise of other data subject rights, it is crucial that the information provided is made understandable and clear. This is because data subjects will only be able to consider whether to invoke their right to, for example, rectification under Art. 16 once they know what personal data are being processed, for what purposes etc. As a result, the controller might need to supply the data subject with additional information that explains the data provided. It should be emphasised that the complexity of data processing puts an obligation on the controller to provide the means to make the data understandable and could not be used as an argument to limit the access to all data. Similarly, the obligation on the controller to provide data in a concise manner cannot be used as an argument to limit access to all data.

Example: An ecommerce website collects data about items viewed or purchased on its website for marketing purposes. A part of this data will consist of data in a raw format71, which has not been analysed and may not be directly meaningful to the reader (codes, activity history etc.). Such data related to the data subjects activities is also covered by the right of access and should as a consequence be provided to the data subject upon access request. When providing data in a raw format it is important that the controller takes the necessary measures to ensure that the data subject understands the data, for example by providing an explanatory document that translates the raw format into a user friendly form. Also, it could in such a document be explained that abbreviations and other acronyms for example “A” means that the purchase has been interrupted and “B” means that the purchase has gone through.

The “easily accessible” element means that the information under Art. 15 should be presented in a way that is easy for the data subject to access. This applies for example, to the layout, appropriate headings and paragraphing. The information should always be given in a plain and clear language. A controller that offers a service in a country should also offer answers in the language that is understood by the data subjects in that country. The use of standardised icons is also encouraged when it facilitates the intelligibility and accessibility of the information. When the request for information relates to visually impaired data subjects or other data subjects who may have difficulty in accessing or understanding information, the controller is expected to take measures facilitating the understanding of the information provided, including oral information when adequate72. The controller should take special care to ensure that people with special needs, such as elderly people, children, visually impaired persons or persons with cognitive disabilities can exercise their rights, for instance by proactively providing easily accessible elements to facilitate exercise of these rights.

5.2.4 A vast amount of information necessitates specific requirements on how the information is provided

Regardless of the means used to provide access there may be a tension between the amount of information the controller needs to provide data subjects with and the requirement that it must be concise. One way of achieving both, and an example of an appropriate measure for certain controllers, when a vast amount of data is to be provided, is to use a layered approach. This approach can facilitate the data subjects’ understanding of the data. It should nevertheless be stressed that this approach can only be used under certain circumstances and needs to be carried out in a way that does not limit the right of access, as explained below. Furthermore, the use of a layered approach should not create an extra burden for the data subject. Hence, it would be best suited when access is provided in an online context. A layered approach is merely a way to present the information under Art. 15 in a manner which is also compliant with the requirements in Art. 12(1) and should not be confused with the possibility for the controllers to request that the data subject specifies the information or processing activities to which the request relates, as prescribed in Recital 63.

A layered approach in relation to the right of access means that a controller, under certain circumstances, can provide the personal data and the supplementary information required under Art. 15 in different layers. The first layer should include information about the processing and data subject’s rights according to Art. 15(1)(a)-(h) and 15(2) as well as a first part of the processed personal data. In a second layer, more personal data should be provided.

When deciding what information should be given in the different layers the controller should consider what information the data subject in general would consider as most relevant. In line with the fairness principle, the first layer should also contain information on the processing which has the most impact on the data subject and processing which could surprise them. The controllers need to be able to demonstrate accountability as to their reasoning of the above.

 

Example: A controller analyses big data sets to place customers in different segments depending on their online behaviour. In this situation, it can be assumed that the information that is the most important for the data subjects to obtain is information about what segment they have been put in. As a result, this information should be included in the first layer. The data in a raw format75 that has not yet been analysed or further processed, such as user activity on a website, is also personal data covered by the right of access, however, it could in some cases be sufficient to provide this information in another layer.

For the use of layered approach to be considered as an appropriate measure it is necessary that the data subject is informed at the outset that the information under Art. 15 is structured into different layers and provided with a description of what personal data and informat ion that will be contained in the different layers. In this way it will be easier for the data subject to decide what layers they want to access. The description should objectively reflect all the categories of personal data that are actually processed by the controller. It also needs to be clear how the data subject can get access to the different layers. Access to the different layers shall not entail any disproportionate effort for the data subject and shall not be made conditional to the formulation of a new data subject request. This means that the data subjects must have the possibility to choose whether to access all layers at once or if they would be satisfied with only accessing one or two of the layers.

Example: A data subject makes an access request to a video streaming service. The request is made through an option that is available when data subjects have logged into their account. The data subject is presented with two options, appearing as buttons on the webpage. Option one is to download part 1 of the personal data and the supplementary information. This contains, for example a recent streaming history, account information and payment information. Option two is to download part 2 of the personal data that contains technical log files about the data subjects activities and historical information on the account. In this case, the controller, has made it possible for data subjects to exercise their right in a way that does not create an extra burden for the data subject.

Situation 1: In cases where the data subject only chooses the button to download part 1 of the personal data, the controller is obliged only to provide part 1 of the data.

Situation 2: In cases where the data subject chooses the buttons for both part 1 and part 2 of the data, the controller cannot communicate only part 1 of the data and ask for a new confirmation before communication of part 2 of the data. Instead both parts of the data must be provided to the data subject as it follows from the request made.

The use of a layered approach will not be considered appropriate for all controllers or in all situations. It should only be used when it would be difficult for the data subject to comprehend the information if given in its entirety. In other words, the controller needs to be able to demonstrate that the use of layered approach adds value for the data subject in helping them understand the information provided. A layered approach would therefore only be considered appropriate when a controller processes a vast amount of personal data about the data subject making a request and where there would be apparent difficulties for the data subject to grasp or comprehend the information if it were to be provided all at once. The fact that it would require great effort and resources from t he controller to provide the information under Art. 15 is not in itself an argument for using a layered approach.

5.2.5 Format

According to Art. 12(1), information under Art.15 shall be provided in writing, or by other means, including, where appropriate, by electronic means. As regards access to the personal data undergoing processing, Art. 15(3) states that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The GDPR does not specify what a commonly used electronic form is. Thus there are several conceivable formats that can be used. What is considered to be a commonly used electronic form will also vary over time.

What could be considered as a commonly used electronic form should be based upon the reasonable expectations of the data subjects and not upon what format the controller uses in its daily operations. The data subject should not be obliged to buy specific software in order to get access to the information.

When deciding upon the format in which the copy of the personal data and the information under Art. 15 should be provided, the controller needs to keep in mind that the format must enable the information to be presented in a way that is both intelligible and easily accessible. It is important that the data subject is provided with information in an embodied, permanent form (text, electronic). Since the information should persist over time, information in writing, including by electronic means, is in principle preferable over other forms. The copy of the personal data could, when appropriate, be stored on an electronic storage device, such as CD or USB.

It should be noted that for a controller to be able to consider that data subjects have been provided with a copy of personal data it is not enough to have provided them with access to their personal data. For the requirement to provide a copy of personal data to be fulfilled and in case the data are provided electronically/digitally, the data subjects need to be able to download their data in a commonly used electronic form.

It is the responsibility of the controller to decide upon the appropriate form in which the personal data will be provided. The controller can, although is not necessarily obliged to, provide the documents which contain personal data about the data subjects making the request, as such and in their original form. The controller can for example, on a case-by-case basis, provide access to a copy of medium given the need for transparency (for example, to verify the accuracy of the data held by the controller in the event of a request for access to the medical file or an audio recording whose transcript is disputed). However, the CJEU, in its interpretation of the right of access under the Directive 95/46/EC, stated that “for [the right of access] to be complied with, it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him”76. Unlike the directive, the GDPR expressly contains an obligation to provide the data subject with a copy of the personal data undergoing processing. This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents. Such copy of the personal data could be provided through a compilation containing all personal data covered by the right of access as long as the compilation makes it possible for the data subject to be made aware and verify the lawfulness of the processing. Hence, there is no contradiction between the wording of the GDPR and the ruling by the CJEU regarding this matter. The word summary in the ruling should not be misinterpreted as meaning that the compilation would not encompass all data covered by the right of access, but is merely a way to present all that data without giving systematically access to the actual documents. Since the compilation needs to contain a copy of the personal data, it should be stressed that it cannot be made in a way that somehow alters or changes the content of the information.

 

Example: A data subject has been insured with an insurance company for many years. Several insured incidents have occurred. In each case there has been some written correspondence through e-mail between the data subject and the insurance company. As the data subject had to provide information on the specific circumstances of each incident the correspondence entails a lot of personal information about the data subject (hobbies, flatmates, daily habits etc.). In some cases disagreement arose about the insurance company’s obligation to compensate the data subject which caused a vast amount of communication back and forth. All this correspondence is stored by the insurance company. The data subject makes an access request. In this situation the controller does not necessarily have to provide the e-mails in their original form by forwarding them to the data subject. Instead the controller could choose to compile the e-mail correspondence containing the data subject’s personal data in a file that is provided to the data subject.

Making some kind of compilation and extraction of the data that makes the information easy to comprehend is also a way of complying with the requirements to provide the information in a way that is both intelligible and easily accessible.

In this context, it is important to remember that there is a distinction between the right to obtain access under Art. 15 GDPR and the right to receive a copy of administrative documents regulated in national law, the latter being a right to always receive a copy of the actual document. This does not mean that the right of access under Art. 15 GDPR excludes the possibility to receive a copy of the document/media on which the personal data appear.

In some cases, the personal data itself sets the requirements in what format the personal data should be provided. When the personal data for example constitutes handwritten information by the data subject, the data subject needs in some cases to be provided with a photocopy of that handwritten information since the handwriting itself is personal data. That could especially be the case when the handwriting is something that matters to the processing, e.g. scripture analysis. The same applies in general for audio recordings since the voice of the data subject itself is personal data. In some cases, however, access can be given by providing a transcription of the conversation, e.g. if agreed upon between the data subject and the controller.

It should be noted that the provisions on format requirements are different regarding the right of access and the right of data portability. Whilst the right of data portability under Art. 20 GDPR requires that the information is provided in a machine readable format, the right to information under Art. 15 does not. Hence, formats that are considered not to be appropriate when complying with a data portability request, for example pdf-files, could still be suitable when complying with a request of access.

5.3 Timing for the provision of access

Art. 12(3) requires that the controller provides information on action taken on a request under Art. 15 to the data subject without undue delay and in any event within one month of receipt of the request. This deadline can be extended by a maximum of two months taking into account the complexity and the number of the requests, provided that the data subject has been informed about the reasons for such delay within one month of the receipt of the request. This obligation to inform the data subject on the extension and its reasons should not be confused with the information that has to be given without delay and at the latest within one month when the controller does not take action on the request, as follows by Art. 12(4).

The controller shall react and, as a general rule, provide the information under Art. 15 without undue delay, which in other words means that the information should be given as soon as possible. This means that, if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so. The EDPB also considers that the timing to answer the request in some situations must be adapted to the storage period in order to be able to provide access.

The time limit starts when the controller has received an Art. 15 request, meaning when the request reaches the controller through one of its official channels. It is not necessar y that the controller in fact has taken notice of it. However, when the controller needs to communicate with the data subject due to the uncertainty regarding the identity of the person making the request there may be a suspension in time until the controller has obtained the information needed from the data subject, provided the controller has asked for additional information without undue delay. The same applies for when a controller has asked, in accordance with Recital 63, a data subject to specify the processing operations to which the request relates.

Example: Following the reception of the request, a controller reacts immediately and asks the information it needs to confirm the identity of the person making the request. The latter replies only several days later and the information that the data subject sends to verify the identity does not seem sufficient which requires the controller to ask for clarifications. In this situation there will be a suspension in time until the controller has obtained enough information to verify the identity of the data subject.

The time period needs to be calculated in accordance with Regulation No 1182/71.

 

Example 1: An organisation receives a request on 5 March. The time limit starts from the same day. This gives the organisation until and including 5 April to comply with the request, at the latest.

 

Example 2: If the organisation receives a request on 31 August, and as the following month is shorter there is no corresponding date, the date for response, at the latest, is the last day of the following month, hence 30 September.

If the last day of this time period falls on a weekend or a public holiday, the controller has until the next working day to respond.

Under certain circumstances the controller can extend the time to respond on a request of access by two further months if necessary, taking into account the complexity and number of the requests. It should be emphasised that this possibility is an exemption from the general rule and should not be overused. If controllers often find themselves forced to extend the time limit, it could be an indication of a need to further develop their general procedures to handle requests.

What constitutes a complex request varies depending upon the specific circumstances of each case. Some of the factors that could be considered relevant are for example:

• the amount of data processed by the controller,
• how the information is stored, especially when it is difficult to retrieve the information,for example when data are processed by different units of the organisation,
• the need to redact information when an exemption applies, for example informationregarding other data subjects, and
• when the information requires further work in order to be intelligible.

The mere fact that complying with the request would require a great effort does not make a request complex. Neither does the fact that a big company receives a large number of requests automatically trigger an extension of the time limit. However, when a controller temporarily receives a large amount of requests, for example due to an extraordinary publicity regarding their activities, this could be regarded as a legitimate reason for prolonging the time of the response. Nevertheless, a controller, especially one who handles a large amount of data, should have routines and mechanisms in place in order to be able to handle requests within the time limit under normal circumstances.

6 LIMITS AND RESTRICTIONS OF THE RIGHT OF ACCESS 6.1 General remarks

The right of access is subject to the limits that result from Art. 15(4) GDPR (rights and freedoms of others) and Art. 12 (5) GDPR (manifestly unfounded or excessive requests). Furthermore, Union or Member State law may restrict the right of access in accordance with Art. 23 GDPR. Derogations regarding the processing of personal data for scientific, historical research or statistical purposes or archiving purposes in the public interest can be based on Art. 89(2) and Art. 89(3) GDPR accordingly and for processing carried out for journalistic purposes or the purpose of academic artistic or literary expression on Art. 85(2) GDPR.

It is important to note that, apart from the above mentioned limits, derogations and possible restrictions, the GDPR does not allow any further exemptions or derogations to the right of access. That means inter alia that the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subjects reque st under Art. 15 GDPR79. Furthermore, it is not permitted to limit or restrict the right of access in a contract between the controller and the data subject.

According to Recital 63, the right of access is granted to data subjects in order to be aware of, and verify, the lawfulness of the processing. The right of access enables, inter alia, the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of personal data80. However, data subjects are not obliged to give reasons or to justify their request. As long as the requirements of Art. 15 GDPR are met the purposes behind the request should be regarded as irrelevant81.

6.2 Article 15 (4) GDPR

According to Art. 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Explanations to this limitation are given in the fifth and sixth sentences of Recital 63. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. When interpreting Art. 15(4) GDPR special caution has to be taken not to unjustifiably widen the restrictions laid down in Art. 23 GDPR, which are permissible only under strict conditions.

Art. 15(4) GDPR applies to the right to obtain a copy of the data, which is the main modality of giving access to the data processed (second provision of Art. 15(1) GDPR). It is also applicable, and rights and freedoms of others shall be taken into account, if access to the personal data is exceptionally granted by other means than a copy. For example, there is no difference justified whether trade secrets are affected by providing a copy or by granting on sight site access to the data subject. Art. 15(4) GDPR is not applicable to the additional information on the processing as stated in Article 15(1) lit. a.-h. GDPR.

According to Recital 63, conflicting rights and freedoms include trade secrets or intellectual property and in particular the copyright protecting the software. These explicitly mentioned rights and freedoms should be regarded as examples, as in principle any right or freedom based on Union or Member State law may be considered to invoke the limitation of Art. 15(4) GDPR82. Thus, the right to the protection of personal data (Art. 8 European Charter of Fundamental Rights) can also be considered as an affected right in terms of Art. 15(4) GDPR). Especially regarding the right to obtain a copy this (the right to data protection of others) is a typical case where the limitation needs to be assessed. Furthermore, the right to confidentiality of correspondence has to be taken into account, for example with regard to private e-Mail-correspondence in the employment context83. It is important to note that not every interest amounts to “rights and freedoms” pursuant to Art. 15(4) GDPR. For example, economical interests of a company not to disclose personal data are not to be taken into account when applying Art. 15(4) as long as they are no trade secrets, intellectual property or other protected rights.

“Others” means any other person or entity apart from the data subject who is exercising their right of access. Hence, the rights and freedoms of the controller or processor (trade secrets and intellectual property for example) might come into consideration. If the EU legislator had wanted to exclude controllers or processors rights and freedoms, it would have used the term “third party”, which is defined in Art. 4(10) GDPR.

The general concern that rights and freedoms of others might be affected by complying with the request for access, is not enough to rely on Art. 15 (4) GDPR. In fact the controller must be able to demonstrate that in the concrete situation rights or freedoms of others would factually be impacted.

 

Example: A person who is now an adult was cared for by the youth welfare office over a number of years in the past. The corresponding files may possibly contain sensitive information about other persons (parents, social workers, other minors). However, a request for information from the data subject cannot generally be rejected for this reason with reference to Art. 15(4) GDPR. Rather, the rights and freedoms of others must be examined in detail and demonstrated by the youth welfare office as the controller. Depending on the interests in question and their relative weight, providing such specific information may be rejected (e.g. by redacting names).

With regard to Recital 4 GDPR and the rational behind Art. 52(1) of the European Charter of Fundamental Rights, the right to protection of personal data is not an absolute right84. Hence also the exercise of the right of access has to be balanced against other fundamental rights in accordance wit the principle of proportionality. When the Art. 15(4) GDPR assessment proves that complying with the request has adverse (negative) effects on other participants’ rights and freedoms (step 1), the interests of all participants need to be weighed taking into account the specific circumstances of the case and in particular the likelihood and severity of the risks present in the communication of the data. The controller should try to reconcile the conflicting rights (step 2), for example through the implementation of appropriate measures mitigating the risk to the rights and freedoms of others. As emphasised in Recital 63, protecting the rights and freedoms of others by virtue of Art. 15(4) GDPR should not result in a refusal to provide all information to the data subject. This means, for example, where the limitation applies, that information concerning others has to be rendered illegible as far as possible instead of rejecting to provide a copy of the personal data. However, if it is impossible to find a solution of reconciliation, the controller has to decide in a next step which of the conflicting rights and freedoms prevails (step 3).

The controller would still have to provide any possible information about the measuring results that would not reveal its trade secret, even if that would imply the effort to revise and edit the results.

If controllers do not provide full access to a data subject under Art. 15(4) GDPR, they have to inform the data subject of the reasons without delay and at the latest within one month (Art. 12 (4) GDPR). The explanatory statement has to refer to the concrete circumstances and allow the data subjects to assess whether they want to take action against the refusal. It must include information about the possibility of lodging a complaint with a supervisory authority (Art. 77 GDPR) and seeking judicial remedy (Art. 79 GDPR).

Art. 12(5)GDPR enables controllers to override requests for the right of access that are manifestly unfounded or excessive. These concepts have to be interpreted narrowly, as the principles of transparency and cost free data subjects rights must not be undermined.

Controllers must be able to demonstrate to the individual why they consider that the request is manifestly unfounded or excessive and, if asked, explain the reasons to the competent supervisory authority. Each request should be considered on a case by case basis in the context in which it is made in order to decide if it is manifestly unfounded or excessive.

6.3.1 What does manifestly unfounded mean?

A request for the right of access is manifestly unfounded, if the requirements of Art. 15 GDPR are clearly and obviously not met when applying an objective approach. However, as explained especially in section 3 above, there are only very few prerequisites for requests for the right of access. Therefore, the EDPB emphasises that there is only very limited scope for relying on the « manifestly unfounded » alternative of Art. 12(5) in terms of requests for the right of access.

Furthermore, it is important to recall that prior to invoking the restriction, controllers must ca refully analyse the content and scope of the request. For example, a request should not be regarded as manifestly unfounded if the request is related to the processing of personal data not subject to the GDPR (in this case, the request should not be dealt with as an Art. 15-request at all).

Other cases in which the applicability of Art. 12(5) is questionable are requests related to information or processing activities that are clearly and obviously not subject to the processing activities of the controller.

 

Example: A data subject addresses a request to a municipal authority concerning data that are processed by a state authority. Instead of arguing that the request is manifestly unfounded it would be more suitable as well as easier for the authority addressed to confirm that these data are not being processed by the authority (first component of Art. 15, the ‘whether’ personal data are being processed)8 6 .

A controller should not presume that a request is manifestly unfounded because the data subject has previously submitted requests which have been manifestly unfounded or excessive or if it includes unobjective or improper language.

6.3.2 What does excessive mean?

There is no definition of the term “excessive” in the GDPR. On the one hand, the wording “in particular because of their repetitive character” in Art. 12(5) GDPR allows for the conclusion that the main scenario for application of this limb with regard to Art. 15 GDPR is linked to the quantity of requests of a data subject for the right of access. On the other hand, the aforementioned phrasing shows that other reasons that might cause excessiveness are not excluded a priori.

Certainly, according to Art. 15(3) GDPR regarding the right to obtain a copy, a data subject may submit more than one request to a controller87. In the event of requests that could potentially be regarded as excessive, the assessment of “excessiveness” depends on the analysis carried out by the controller and the specifics of the sector in which it operates.

In case of subsequent requests, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded or not. Controllers must take into account the particular circumstances of the single case carefully.

For example, in the case of social networks, a change in the data set will be expected at shorter intervals than in the case of registers. In the case of business associates, the frequency of contacts among them will be important. Accordingly the ”reasonable intervals” within which data subjects may again exercise their right of access are also different. The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive. On the other hand, even a second request by the same data subject might be repetitive under certain circumstances.

When deciding whether a reasonable interval has elapsed, controllers should consider, in the light of the reasonable expectations of the data subject:

• how often the data is altered – is information unlikely to have changed between requests? If a data pool is obviously not subject to a processing other than storage and the data subject is aware of this, e.g. because of a previous request for the right of access, this might be an indication for an excessive request;
• the nature of the data – this could include whether it is particularly sensitive;
• the purposes of the processing – these could include whether the processing is likely tocause detriment (harm) to the requester if disclosed;
• whether the subsequentrequests concern the same type of information or processing activities or different ones.

 

Example 1 (carpenter): A data subject lodges access requests every two months with the carpenter that manufactured him or her a table. The carpenter answered the first request completely. When deciding whether a reasonable interval has elapsed, one should consider that the carpenter only occasionally (first bullet point above) and not as part of its core activity processes and collects personal data and it is even less likely that the carpenter often provides services to the same data subject. Indeed, the carpenter did not provide more than one service to the data subject, rendering it unlikely that changes occurred in the dataset concerning the data subject. Notably given the nature and amount of the personal data processed, the risks related to the processing can be considered as low (second bullet point above), such as the purpose of the processing (billing purposes and compliance with obligation to keep records) is not likely to cause detriment to the data subject (third bullet point above). The request furthermore concerns the same information as the last request (forth bullet point above). Such requests may as a consequence be regarded as excessive due t o their repetitiveness.87 According to Article 15 (3) second sentence, the controller may charge a reasonable fee for further copies requested.

 

Example 2 (social media platform): A social media platform whose core business is the collection and/or processing of personal data of the data subject carries out large -scale complex and continuous processing activities. A data subject that uses the services of the platform lodges access requests every threemonths.Inthiscase,frequentchangestothepersonaldatarelatingtothedatasubjectarehighly likely (first bullet point above), the broad range of collected data includes inferred sensitive personal (second bullet point above) processed for the purpose of showing relevant content and network members to the data subject (third bullet point). Access requests every three months may –under these circumstances- in principle not be regarded as excessive due to repetitiveness.

 

Example 3 (credit agencies): Regarding repetitive data subjects’ access requests addressed to credit inquiry agencies. The following considerations must be taken into account:

Similarly to social networks it cannot be ruled out that modifications of the relevant data will occur in the data controller’s data stock at much shorter intervals than in other areas (first bulletpoint above). This results from numerous factors of which the data subject, as a person from outside, is usually not aware due to the complexity of the business model as a whole. The answer to the question as to which types of data were collected for a score value calculation by the controller and which are curre ntly included in the calculation can therefore only be provided by the credit inquiry agency itself. In addition, of special significance is the fact that data processing through credit inquiry agencies and the resulting score value can have far-reaching consequences for the data subject with regard to intended legal transactions, such as the conclusion of purchasing, rent or leasing contracts (third bullet point above).

It is not possible to generally determine any specific interval in which the submission of a further access request could be deemed excessive under Art. 12 (5) second sentence GDPR. An overall view of the circumstances of the individual case is rather required. However, given the importance of data processing for the data subjects’ reality of everyday life, it can be assumed that a one-year interval between information provided free of charge will in any case be too large for the request to be considered excessive. In the case of credit inquiry agencies, there is only a reason to assume that requests have been submitted excessively if any modification of the data processed by a credit inquiry agency is almost excluded from the requestor’s point of view. As a rule, this only applies when several access requests have been groundlessly submitted in a short time. On the other hand, if modifications of the data are possible by the data subject’s participation in economic life, a new request is not excessive.

When it is possible to provide the information easily by electronic means or by remote access to a secure system, which means that complying with such requests actually doesn’t strain the controller, it is unlikely that subsequent requests can be regarded as excessive.

If a request overlaps with a previous request, the overlapping request can generally be regarded as excessive, if and insofar as it covers exactly the same information or processing activities and the previous request is not yet complied with by the controller without reaching the state of “undue delay” (see Art. 12(3) GDPR). In practice, as a consequence both requests could be combined.

The fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject cannot on its own render a request excessive89. A large number of processing activities typically implicates bigger efforts when complying with access requests. However, as stated above, under certain circumstances requests can be regarded as excessive due to other reasons than their repetitive character. In the view of the EDPB this encompasses particularly cases of abusively relying on Art. 15 GDPR, which means cases in which data subjects make an excessive use of the right of access with the only intent of causing damage or harm to the controller.

Against this background, a request should not be regarded as excessive on the ground that:

• no reasons are given by the data subject for the request or the controller regards the request as meaningless;
• improper or impolite language is used by the data subject;
• the data subject intends to use the data to file further claims against the controller.

On the other hand, a request may be found excessive, for example, if:

• an individual makes a request, but at the same time offers to withdraw it in return for some form of benefit from the controller or
• the request is malicious in intent and is being used to harass a controller or its employees with no other purposes than to cause disruption, for example based on the fact that:

-the individual has explicitly stated, in the request itself or in other communications, that it intends to cause disruption and nothing else; or

– the individual systematically sends different requests to a controller as part of a campaign, e.g. once a week, with the intention and the effect of causing disruption.

6.3.3 Consequences

In case of a manifestly unfounded or excessive request for the right of access controllers may, according to Art. 12(5) GDPR, either charge a reasonable fee (taking into account the administrative costs of providing information or communication or taking the action requested) or refuse to comply with the request.

The EDPB points out that controllers are – on the one hand – not generally obliged to charge a reasonable fee primary before refusing to act on a request. On the other hand, they aren ́t completely free to choose between the two alternatives either. In fact, controllers have to make an adequate decision depending on the specific circumstances of the case. Whereas it is hardly imaginable that charging a reasonable fee is a suitable measure in case of manifestly unfounded requests, for excessive requests it is – in line with the principle of transparency – often more appropriate to charge a fee as a compensation for the administrative costs the repetitive requests are causing.

Controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Art. 12(5) third sentence GDPR). Hence, it is recommended to ensure a proper documentation of the underlying facts. In line with Art. 12(4), if controllers refuse to act on a request for the right of access in whole or partly, they must inform the data subject without delay and at the latest within one month of receipt of the request of

• the reason why,
• the right to lodge a complaint with a supervisory authority,
• the possibility to seek a judicial remedy.

Before charging a reasonable fee based on Art. 12(5) GDPR, controllers should provide an indication of their plan to do so to the data subjects. The latter have to be enabled to decide whether they will withdraw the request to avoid being charged.

Unjustified rejections of requests of the right of access can be regarded as infringements of data subject ́s rights pursuant to Art. 12 to 22 GDPR and can therefore be subject to the exercise of corrective powers by competent supervisory authorities, including administrative fines based on Art. 83 (5) (b) GDPR. If data subjects consider there is an infringement of their data subject rights, they have the right to lodge a complaint based on Art. 77 GDPR.

6.4 Possible restrictions in Union or Member States law based on Article 23 GDPR and derogations

The scope of the obligations and rights provided for in Art. 15 GDPR may be restricted by way of legislative measures in Union or Member States law. Several Member States have made use of this option91.

Controllers, who plan to rely on a restriction based on national law must carefully check the requirements of the provision of the respective national legislation. Furthermore, it is important to note, that restrictions of the right of access in Member States (or Union) law which are based on Art. 23 must strictly fulfil the conditions laid down in this Article. The EDPB has issued the Guidelines 10/2020 on restrictions under Art. 23 GDPR with further explanations on this. In terms of the right of access, the EDPB recalls that controllers should lift the restrictions as soon as the circumstances that justify them no longer apply.

Legislative measures laying down the provisions for the application of restrictions under Art. 23 GDPR may also foresee that the exercise of a right is delayed in time, that a right is exercised partially or circumscribed to certain categories of data or that a right can be exercised indirectly through an independent supervisory authority.