EU guidance on data subject access requests clarifies search obligations

Out-Law News | 14 Feb 2022 | 11:35 am | 4 min. read

The search efforts businesses must make to meet data subject access requests (SARs) made under EU data protection law cannot be limited by what they consider to be proportionate, the European Data Protection Board (EDPB) has said.

Confirmation that businesses cannot apply a proportionality test to their searches for personal data in response to SARs was outlined by the EDPB in draft new guidelines on the right of access that the authority is consulting on. The draft guidance is open to consultation until 11 March 2022.

The right of access is one of several rights data subjects enjoy under the EU General Data Protection Regulation (GDPR). It entitles them to obtain a copy of the personal data that organisations hold about them. The GDPR stipulates that organisations must respond to SARs "without undue delay and at the latest within one month" unless an extension can be justified, and sets out further requirements in relation to the information that must be provided in response.

The right of access is not absolute – organisations can refuse or limit their response to SARs in some circumstances where exemptions may apply. The EDPB’s draft guidelines address those scenarios in more detail.

The EDPB confirmed that limits in how organisations respond to SARs can apply where the rights and freedoms of others are triggered or where the request made is “manifestly unfounded or excessive”. It also cited other restrictions that might apply, such as where national labour laws place restrictions on accessing personal files of employees.

The EDPB clarified that the limitation on the right of access contained in Article 15(4) of the GDPR, that it “shall not adversely affect the rights and freedoms of others”, extends to the rights and freedoms of controllers. In this context, the EDPB said the controller’s rights to protect trade secrets or intellectual property, and in particular the copyright protecting its software, are factors that can be weighed, as is the right to confidentiality of correspondence, for example private emails in the employment context.

Data protection law expert Stephanie Lees of Pinsent Masons said: “A careful balancing test would need to be undertaken to assess the rights of the controller against the requestor and where appropriate, redactions needed to the documents in question. When carrying out this balancing test of the various rights at stake, the controller can here rely upon a principle of proportionality according to the EDPB.”

However, the EDPB said the GDPR “does not allow any further exemptions or derogations to the right of access” beyond the cited limits, derogations and possible restrictions. This means, it said, that “the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject's request” under the GDPR – i.e. the search obligations. It added that limits or restrictions on the right of access cannot be stipulated in contracts between organisations and data subjects either.

Andre Walter of Pinsent Masons in Amsterdam said: “Proportionality is one of the fundamental principles of the GDPR. It applies in relation to other obligations that organisations must adhere to, including transparency and notifications to individuals relating to their handling of data. It should therefore equally apply to organisations’ obligations in response to SARs. With the EDPB’s guidelines in draft form, there is still time for businesses to influence the final version.”

The EDPB’s view on proportionality puts it at odds with the UK Information Commissioner’s Office (ICO)’s guidance on SARs, which explains that organisations are not required “to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information”, according to Stephanie Lees of Pinsent Masons.

“This guidance will be concerning for organisations which need to comply with SARs where the EU GDPR rather than UK GDPR applies, as searching for data in response to SARs can be an extremely burdensome, time-consuming and costly task,” Lees said.

“In the UK, case law to date on SARs has so far been more helpful for businesses. It provides that the controllers’ search duties are not to leave ‘no stone unturned’ when searching for relevant data,” she said.

Walter added: “Given the implications for businesses if the guidelines are finalised as drafted, they are likely to want to highlight the burdens involved in searching for personal data, including through email systems, and push for a more pragmatic reading of the law.”

Other practical advice is also provided by the EDPB on SARs, including encouraging those businesses processing large volumes of personal data to take a “layered approach” to how they present the information in their response to the requestor. 

The EDPB also confirmed that organisations can ask individuals to clarify the scope of their SAR. In such cases, the controller should at that time give “meaningful information” about its processing operations to assist the requestor to find the information they are looking for, such as information about its different branches of activities or different databases, the EDPB said.

In addition, when an organisation discovers when responding to a SAR that it has unlawfully processed data or holds inaccurate data, the EDPB expects the controller to inform the requestor of that in its response. The example it used is where a controller realises it has not adhered to its own retention procedures. In that scenario, the controller should provide the data in its response and thereafter delete the information.

In the UK, the government plans to address the burdens organisations face in handling SARs. In feedback to the government on the potential reforms, Pinsent Masons welcomed the plans and set out its own recommendations on how the government’s aim can be achieved. Pinsent Masons said new restrictions could be placed on claims management companies submitting SARs in bulk, and that the requirement that requests be put in writing could be reinstated. It also said controllers could be given greater scope to refuse to respond to SARs where there is a litigation risk and disclosure would go beyond what the organisation would need to disclose under the Civil Procedure Rules.