New EU guidance on GDPR right of access

24th February 2022EU

Following our recent blog, ‘Do you need help managing a DSAR?’ the European Data Protection Board (EDPB) has published draft regulatory guidelines, which concern the rights that Data Subjects have regarding access to their personal data under the EU GDPR.

The draft guidance includes a section where the EDPB explains the aim and components of these rights. They also guide us through the practicalities of providing access, the limitations, and the restrictions that the GDPR enforces relating to the right of access.

Here is our summary for you: 

Right of access

The right of access is created to put Data Subjects in control of their personal data, meaning that they are aware and able to verify the lawfulness of the processing and identify any inaccuracies in their records or any missing or incomplete information on their file. It also aims to provide the Data Subject with clear, sufficient, and accessible information concerning the processing of their personal data.

The Data Subjects have the right to request from the Controller: –

  1. Confirmation of whether their personal data is processed.
  2. Access to their personal data, in other words, the Controller must provide a copy of the personal data undergoing processing.
  3. Specific information about the processing itself – (this includes the purpose and duration of the data processing and the different categories of personal data and recipients.

What Controllers should consider regarding the assessment of access requests

The EDPB emphasises that Controllers should be proactively ready to handle access requests and assess each request individually. A Controller should consider the following questions when dealing with an access request:

  1. Does the access request only concern personal data?

A Subject Access Request is limited in scope to that personal information which directly relates to the individual making the request. If a request concerns any other issues such as asking general information about the Controller, or asking questions about the processing, this is not considered an access request under Article 15.

  1. Who is making the request?

The Controller must identify the Data Subject who is making the request and confirm that person’s identity if in doubt. This means that any anonymous requests will not be considered a valid access request. The access request needs to either concern the personal data of the requesting person or the person who is authorising the request.

If identification is not possible due to a lack of information included in the access request, unless the data subject provides the additional identification the Controller may refuse the request, however the Controller must inform the Data Subject and give them every opportunity to provide the information.

What type of ID will be acceptable is not always cut and dry. The level of proof required will depend on your relationship to the Data Subject and the sensitivity of the information being requested. If the Data Subject is unknown to the Controller and personal data highly sensitive, significant efforts to verify the identity must take place. This may include photo ID, verified by a third party, if necessary, copies of utility bills, and even a personal interview or video call.

  1. Does the request fall within the remit of Article 15 GDPR?

The Controller should provide Data Subjects with appropriate and accessible communications channels, although, the Data Subjects are not required to use these channels to submit an access request.

The EDPB have however, said that if a Data Subject uses an informal channel to make the request, for example a junior member of staff email, or an informal WhatsApp group, the request will not be deemed to be valid.

Data Subjects are also under no obligation to give a reason for their access request, although this may be helpful in assessing if the request is excessive.

  1. Are there more specific provisions that regulate the access request?

The Data Subject does not need to specify upon which legislation they are relying on to gain access to their personal data. However, if the Data Subject is asking for their personal data under legislation other than Article 15 GDPR the Controller will need to handle the request accordingly and may require a separate response from the response concerning the right of the access request under Article 15 GDPR.

  1. Does the request refer to all or only parts of the data processed about the data subject?

The Controller will need to assess if the request refers to all or parts of the personal data processed and respond accordingly. Unless stated otherwise, the access request should include all personal data concerning the Data Subject. The Controller can ask the Data Subject to specify what they are interested in, if there is a large amount of personal data.

Practicalities and Limitations

The draft guidance contains practical recommendations on various ways that controllers can provide access to personal data. This includes how the Controller can retrieve the requested personal data, ways to ensure that the personal data is provided in a clear, summarising, and accessible form, and those different ways of providing access, e.g., may have to give the information verbally.

It is important to note that the draft guidelines are open for public consultation, and stakeholders may provide feedback until March 11th 2022. After this date, the EDPB is expected to adopt its final guidelines.

If you need any help or advice regarding data subject access requests or any other data protection issues, please take advantage of our no-obligation 30 minute Complimentary Consultation with one of the Griffin House specialists.

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.