Updated EU guidance to help organisations respond to DSARs

In finalised new guidance on the right of access (63-page / 1.42MB PSD), the EDPB explained that the right of access under EU GDPR comprises “complete information on all data” and that it “cannot be understood as granting only a summary of the data”. However, it said the obligation on controllers to provide a ‘copy’ of personal data belonging to data subjects upon their request “refers (only) to a copy of the personal data undergoing processing, not necessarily to a reproduction of the original documents”. The method chosen should be decided on a case-by-case basis, it said.

“Notwithstanding the form in which the controller provides the personal data, e.g. by providing the actual documents containing the personal data or a compilation of the personal data, the information shall comply with the transparency requirements laid down in [Article 12 of the EU General Data Protection Regulation (GDPR)],” the EDPB said in its new guidance.

“Making some kind of compilation and/or extracting the data in a way that makes the information easy to comprehend could, in some cases, be a way to comply with these requirements. In other cases the information is better understood by providing a copy of the actual document containing the personal data,” it said.

The right of access is one of the several rights data subjects enjoy under the GDPR. It provides them with rights to obtain a copy of their personal data that organisations hold about them. The GDPR stipulates that organisations must respond to SARs "without undue delay and at the latest within one month" unless extensions can be justified and sets out further requirements in relation to the information that must be provided in response. The right of access is not absolute – organisations can refuse or limit their response to SARs in some circumstances where exemptions may apply.

The issue of the meaning of providing a ‘copy’ of personal data when handling SARs is being considered by the Court of Justice of the EU (CJEU) in a case referred to it by a court in Austria. The case is cited in the EDPB’s guidance and was the subject of a non-binding opinion by an Advocate General of the European Court of Justice, Giovanni Pitruzzella, late last year.

Pitruzella said: “The obligation to provide a ‘copy’ must be understood as a  faithful reproduction, in intelligible form, of the personal data requested by the data subject, in a materialised and permanent format, which enables the data subject to exercise effectively the right of access to his personal data, taking full knowledge of all his personal data which are being processed, including any additional data generated as a result of the processing, if they are also subject to processing, in order to enable that person to verify the accuracy of these data and the lawfulness of their processing, so that he can, where appropriate, exercise the other rights conferred on him by the GDPR.”

The court’s formal judgment on the matter has still to be handed down. Data protection expert Stephanie Lees of Pinsent Masons said the court’s ruling is important for businesses responding to SARs, particularly those raised in the context of a dispute or litigation, where organisations can be faced with thousands of documents to review. In such cases, the costs and resources involved in providing copies of documents are high. However, she said the EDPB’s guidance and Pitruzella’s opinion are clear that the information must always be complete. She said this can lead to considerable effort in such cases, though she added that the cost burden of compliance may be alleviated to some extent.

Lees said the EDPB’s new SARs guidance also includes a new example of how employers may benefit from clarifying what information is sought via SARs where they process a large quantity of information about workers and the request is a general “catch all” worded request. 

Lees said: “In that scenario, it may not be clear whether the employee wants certain information, like user login data, data on access to the workplace, canteen settlements, or salary payments. Clarification in such circumstances could reveal the worker is only interested on who his performance assessment was shared with. By clarifying the scope of the request, this could benefit both the employer and the individual, by reducing the search and review process for a large amount of information which the worker may have no interest in. However, employers must ensure that where they are clarifying, they provide ‘meaningful information’ about their processing operations that could concern the requestor, by informing them about, to use the EDPB’s examples, relevant branches of its activities, or databases.”

The EDPB has further recommended that, to avoid missing requests, businesses should as a matter of good practice, “introduce appropriate mechanisms to facilitate the exercise of data subjects' rights, including autoresponder systems to inform of staff absences and appropriate alternate contacts and, where possible, mechanisms to improve internal communication between employees on requests received by those who may not be competent to deal with such requests”.

The EDPB’s guidance also addresses the issue of whether organisations need to disclose the identities of specific individual recipients to whom they have disclosed, or intend to disclose, the requestor’s personal data with, or whether disclosing only the categories of recipients is sufficient. The guidance reiterates CJEU case law established earlier this year, which confirmed that the organisations must provide requestors with information as to the specific individual recipients unless it’s impossible to identity those, or the request is manifestly unfounded or excessive.

Lees said: “The grounds to refuse providing the identifies of specific individual recipients is a high legal bar to satisfy in practice. It will therefore be increasing important for EU businesses to ensure they maintain appropriate records of processing and regularly review their privacy notices, to ensure all specific individual recipients are captured. Whether the UK courts would adopt the same approach to the CJEU case and EDPB guidance is yet to be tested.” she said.

The EDPB’s guidance is relevant to all businesses that are subject to the EU GDPR. In the UK, the handling of SARs triggers the most complaints to the UK’s data protection authority, the Information Commissioner’s Office (ICO). The ICO has said, however, that it intends to “develop a subject access request tool”. This, it said, will “help people make requests in ways which will help organisations to respond effectively” and “help people identify where to send their requests and explain what they should expect”. It said organisations receiving SARs “will receive information from the ICO to help them respond quickly and simply”.

Under the proposed new Data Protection and Digital Information (No. 2) Bill currently before the UK parliament, organisations would have wider grounds in which to refuse to respond to SARs in their entirety, or charge a fee, where they have determined the requests are “vexatious or excessive”.