New EDPB Guidance on Data Subject Right of Access: Proportionality in Short Supply

The European Data Protection Board (“EDPB”) has recently published draft Guidelines on subject access requests, (“Guidelines”) which are open for public consultation.  The Guidelines, which extend to over 60 pages, cover a broad range of issues in relation to data subject access requests and controllers may find them informative in responding to subject access requests.  We set out some of the more interesting or notable points below.

Overall, controllers hoping to find within the Guidelines a pragmatic and/or business-friendly approach to dealing constructively with access requests will likely be disappointed by the Guidelines (most particularly in their rejection of the application of any consideration of proportionality to access request responses).

The Right of Access

Informed by the EU Charter of Fundamental Rights and Freedoms, the right of access in Article 15 of the GDPR entitles individuals to seek: (i) confirmation as to whether or not personal data relating to them are processed; (ii) access to the personal data being processed; and (iii) information on the processing and on the data subject’s rights.  The Guidelines note that the practical aim of the right of access is to enable individuals to have control over their own personal data, so that they can be aware of, and verify the lawfulness of, the processing and also facilitate the exercise of other data protection rights.

As has been the direction of travel at CJEU level, the Guidelines take a broad view of what constitutes personal data in this context.  For example, they state that personal data relevant to access requests can extend not only to data provided by the subject but also to personal data observed about the data subject and to data inferred from other data.

According to Article 15, in addition to obtaining a copy of relevant personal data, data subjects are entitled to specific information about the processing of their data, including the purposes of the processing and retention periods.  Many controllers had commonly discharged this obligation by referring to, or providing a copy of, their generally applicable privacy notice (which has similar content).  However, the Guidelines take the view that ‘tailoring’ of this information to the individual subject access request situation is specifically necessary.  As such, providing a copy of a general privacy notice in response to an access request is, in the EDPB’s view, not sufficient ‘…unless the tailored information is the same as the general information’.   Many organisations are likely to find the EDPB’s interpretation to be very difficult and time consuming, and bordering on unworkable, to apply.

How to provide access

The Guidelines state that controllers should provide appropriate and user-friendly communication channels that can be easily used by the data subject.  However, the data subject is not required to use these specific channels and may instead send a DSAR to any ‘official contact point of the controller’. The EDPB concedes that a controller is however not obliged to act on requests sent to completely random, or apparently incorrect, addresses such as the email inboxes of employees not involved in the processing of personal data.

Controllers must respond to DSARs without undue delay and in any event within one month of receipt of the request.  This is interpreted by the Guidelines to mean that the response should be provided ‘as soon as possible’.  Such period can be extended by a further two months if the request is complex.  The Guidelines provide a non-exhaustive list of factors that may be relevant in determining whether a request is sufficiently complex to warrant a delay, these include: (i) the amount of data processed by the controller; (ii) how the information is stored, especially when it is difficult to retrieve the information, for example when data is processed by different units of the organisation; and (iii) the need to redact information when an exemption applies, for example information regarding other data subjects.

The Guidelines note that the mere fact that complying with a request would require ‘great effort’ does not make it complex, nor does the fact that a large company receives a large number of requests. However, when a controller temporarily receives an influx of requests, for example due to ‘extraordinary publicity’ regarding their activities, the Guidelines recognise that the controller may have a legitimate reason for prolonging the time of the response.   This could be helpful to certain controllers in the public eye (e.g. who perhaps have been subject to a very public data breach).

Communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.   If the data consists of codes or other ‘raw data’, these may, in the view of the EDPB, also have to be explained in order to make sense to the data subject.

The Guidelines state that the main way the right of access is given effect is through provision of a copy of the relevant personal data.  However, the Guidelines also go on, in a way which may cause surprise to organisations, to state that other ‘…modalities of access to the data could, for example: [be] oral information, inspection of files, onsite or remote access’. 

Limits and Restrictions of the Right of Access

The Guidelines discuss a limited number of instances in which the right of access may be curtailed but frames all of these quite narrowly.  The Guidelines also take a maximalist approach to a controller’s obligations regarding searching for and providing relevant personal data.

  • Proportionality and large data sets:  The Guidelines take the view that the GDPR has generally set out the limits and restrictions on the right of access (e.g. in Articles 15(4), regarding the rights and freedoms of others) and Article 12(5) (on manifestly unfounded or excessive requests).   Notably, the Guidelines state that the GDPR does not allow any further exemptions or derogations to the right of access and further that ‘…the right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subjects request under Art. 15 GDPR’.  As proportionality is a key principle of EU law, this interpretation is likely to be contested.  

    In concrete terms, the Guidelines accept that, while a controller may ask the data subject to specify/narrow the extent of the data sought (e.g. if they process a large amount of data), if the data subject responds to request all personal data, the controller must meet this request in ‘full’.  In addition, the Guidelines make no provision for any kind of proportionality assessment as to searching for relevant personal data.  Some controllers had previously, on the basis of English case law, adopted the view that reasonable and proportionate searches (only) could be carried out.  It will be interesting to see whether the Irish courts agree with the EDPB approach.  As to provision to individuals of a large amount of personal data, the EDPB fully recognises that the results of searches may be ‘very vast’.  In these circumstances, the Guidelines suggest that controllers provide data subjects with the resulting personal data in a layered format (e.g. solutions allowing data subjects the choice to view one or more layers of information).
  • Excessive data subject access requests: Article 15(4) allows controllers to refuse ‘excessive’ requests.  The Guidelines take the view that the fact that a request requires ‘a vast amount of time and effort’ to satisfy does not make it excessive.  However, the EDPB does accept that a data subject ‘…using the right of access with the only intent of causing damage or harm to the controller’ would constitute an excessive request.  In addition, according to the EDPB, making an access request once a week with the intent of causing disruption would also be excessive.  Evidence that the data subject has offered to withdraw his or her request in return for a benefit, or where there was a ‘malicious intent’ to harass, would also justify refusal in the view of the EDPB.
  • Rights and freedoms of others: The GDPR provides that a data subject’s right to access personal data may be limited where disclosure of that data would adversely affect the rights of others, including trade secrets or intellectual property rights.  This requires, according to the Guidelines, a defined balancing exercise of such rights, with the ultimate aim of providing access to personal data but redacting data to protect such other person’s rights.  The Guidelines also opine that ‘economical interests’ are not a valid consideration in such circumstances (so long as no intellectual property rights are involved).
  • No contracting to limit/restrict the right of access: The Guidelines note that the right of access cannot be limited or restricted as part of a contract entered into with the data subject. 

What Next?

The public consultation period for the Guidelines will run until 11 March 2022 and submissions may be made here.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.