The right of access, set out in Art. 15 of the General Data Protection Regulation (GDPR), enables data subjects to find out which data companies and authorities have stored about them. This is an important tool for data subjects to effectively exercise their right to privacy. However, Art. 15 GDPR allows for a wide margin of interpretation. To provide clarity, the European Data Protection Board (EDPB) has published Guidelines on the right of access (see this PDF).
What does the right of access under Art. 15 GDPR stipulate?
Art. 15 GDPR stipulates the right of data subjects to “obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”. Moreover, the following information must be provided:
- The processing purposes;
- The categories of personal data concerned;
- The recipients or categories of recipients the personal data is disclosed to;
- If possible, the period for which the personal data will be stored, or, if not possible, the criteria used to determine the retention period;
- Relevant information on how and from which source the data was obtained;
- Relevant information on automated decision-making and profiling, including information on the involved logic; and
- Information on the right to request the rectification or erasure of personal data, the restriction of the processing of personal data or to object to such processing, as well as the right to lodge a complaint with a supervisory authority.
What clarifications do the Guidelines provide?
The EDPB aims to clarify the controller’s obligations under Art. 15 GDPR to enable data subjects to effectively exercise their right of access. EDPB Chair, Andrea Jelinek, stated: “The right of access enables individuals to get knowledge on how and why their personal data are processed. The Guidelines provide examples to support controllers to answer access requests in a GDPR compliant manner.”
The Guidelines provide further clarification on what is covered by the right to access, specify the obligations of data controllers under Art. 15 GDPR and lay out the limits and restrictions of the right of access.
How do you provide access?
First, as a controller, you must ensure that personal data is only disclosed to the respective data subject. Therefore, you have to implement appropriate measures to identify the person making a request, so that no unauthorized third parties can gain access to personal data. However, it is also not permissible to impose more requirements than necessary for identification. This is important to prevent the exercise of the right of access from being undermined.
Any access request sent to you should be interpreted as referring to all personal data regarding the data subject, unless explicitly stated otherwise in the request. If you process large amounts of data, you may ask the data subject to specify the request. Furthermore, as a rule, you must provide data subjects with a copy of the data, and not just a summary of the data a company possesses about them.
You must answer requests as soon as possible, and at the latest within one month after receiving the request. This period may, exceptionally, be extended by two months where necessary, taking into account the number of requests and their complexity.
What are the limits and restrictions of the right of access?
The Guidelines specify what limits exist to the right of access and when an access request may and may not be rejected.
Limits to the right of access may be found in Art. 12 (5) and Art. 15 (4) GDPR. According to Art. 12 (5) GDPR, controllers may reject requests that are manifestly unfounded or excessive, or charge a reasonable fee for such requests. These limits should be interpreted narrowly. As a rule, the more frequently changes are made to the controller’s database, the more often the data subject may request access without it being considered excessive.
Access requests may in particular be considered excessive due to their repetitiveness. In order to decide whether a reasonable period of time has passed since the last request, data controllers should consider the following, taking into account the data subject’s legitimate expectations:
- How often is the data subject’s data set changed? Is it unlikely that the data has changed between the requests? An excessive request may be indicated if a data set is not undergoing any processing other than storage and the data subject knows this, e.g., due to a previous access request.
- What is the nature of the data, i.e. is it particularly sensitive data?
- What are the purposes of the processing, i.e. is the processing likely to cause harm to the requesting party if disclosed?
- Do subsequent requests relate to the same type of information or processing activities, or to different ones?
To provide points of orientation, the Guidelines also give examples for this assessment:
A data subject sends access requests to a carpenter, who manufactured a table for them, every two months. The carpenter answered (and had to answer) the first request completely.
In this case, the requests may be considered excessive due to their repetitiveness. Criteria for this assessment are that the controller only occasionally processes personal data, and only provided one service to the data subject. Therefore, it is unlikely that the dataset of the data subject has changed. Moreover, the processing can be considered low risk given the nature and amount of the data, and the purpose of the processing (billing and compliance with record obligations). It is unlikely to cause harm to the data subject. Ultimately, the requests concern the same information as the first request.
A platform user issues access requests every three months to a social media platform. The main business of social media platforms is usually the collection and processing of personal data. Therefore, they usually perform complex and continuous processing activities on a large scale. Hence, frequent changes to the data sets relating to the data subject are highly likely, and the large amount of collected data often includes sensitive personal data, usually with the purpose to display relevant content and other platform users to the data subject.
In this case, access requests every three months are therefore, in principle, not excessive due to their repetitiveness.
The Guidelines set out further criteria which may or may not justify the rejection of an access request as excessive.
For example, access requests may not be rejected as excessive solely on the grounds that they would be very time-consuming or would involve a large amount of work. However, apart from repetitiveness, abusive use of Art. 15 GDPR may also render requests excessive. A request might therefore be deemed excessive if:
- The data subject sends a request, but offers to withdraw it in return for some form of benefit; or
- The data subject’s request is made with malicious intent to harass a data controller or its employees, with the sole purpose of causing disruption.
By contrast, a request cannot be deemed excessive merely because:
- The data subject does not provide a reason for the request or the controller deems the request meaningless;
- The data subject uses impolite or improper language in the request; or
- The data subject wants to use the requested data to make further claims against the controller.
Recommendations for companies
The EDPB’s Guidelines provide clarity on your obligations under Art. 15 GDPR. In order to act in a GDPR-compliant manner and to avoid high fines, you should ensure that your company is able to provide data subjects with all the personal data you possess about them, together with all the other information outlined above.
Data subject access requests must be replied to “without undue delay”, and at the latest within one month after receipt of the request, unless an exception applies. Read more on how to handle data subject access requests.