Subject Access Requests

The GDPR provides individuals the right to request access to any of their personal information that a data controller holds. This includes the right to receive information related to their personal data and the right to receive a copy of their data. A request for data access may be an individual’s first step in exercising some of the well-known personal rights available under the GDPR. Once an individual gains access to the information provided in the response, he or she may attempt to invoke, for example, the right to erasure (i.e., the right to be forgotten), the right to correction of an error in the data (i.e., “the right to rectify personal data information”), or the right to restrict how her data is used (i.e., “restriction of processing”), etc.

The extensive access this right appears to provide to individuals is inversely proportional to the potentially onerous duty it can impose on any company considered a “controller” of personal data. In addition to opening the door to the exercise of other personal data protection rights, controllers must comply with specific restrictions and requirements when responding to data access requests. Mistakes in responding to data access requests can prove costly – not just in possible fines for noncompliance, but because accidentally providing too much, too little, or incorrect data can lead to further costly requests from individuals and the possibility of breaching other individuals’ personal data rights.

This installment of The eData Guide to GDPR will assist readers in understanding the Right of Access process to ensure controllers are prepared to lawfully respond to data access requests. It also provides a Data Access Request Checklist for convenient reference.

Data Subject’s Right to Access Personal Data

Under Article 15 and Recital 63, a data subject has the right to access his or her personal data that a controller[1] holds and to exercise that right at “regular intervals” in order to verify the lawfulness of processing. The request for access can be made electronically or in writing and can be made to any member of a controller’s organization.[2] Recital 59 recommends that controllers provide a way for requests to be made electronically, “especially if personal data is processed electronically.”

The right to access includes the right to receive confirmation that the individual’s data is being processed, the right to receive a copy of the data, and the right to receive additional information about the data, including the following:

(a) The purposes of the processing

(b)The categories of personal data concerned

(c) The recipients or categories of recipient to whom the personal data have been or will be disclosed

(d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

(e) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing[3]

(f) The right to lodge a complaint with a supervisory authority[4]

(g) Where the personal data are not collected from the data subject, any available information as to their source

(h) The existence of automated decision making and meaningful information about the logic involved, and when based on profiling, the consequences of such processing for the data subject[5]

(i) If the data controller or data processor transfers the personal data to a third country or to an international organization, they must inform the data subject of the appropriate safeguards in relation to the transfer

Requirements for Responding to a Data Request

Timing of Response

Article 12 contains many of a controller’s responsibilities when responding to a data request. One of the most important is the time limitation: a controller must respond to a data request within one month of receiving the request. The UK’s Information Commissioner’s Office has developed a helpful guide to responding to data access requests under the GDPR, in which it states that the time to respond should be calculated from the day after the controller receives the request (whether that date is a working day or not) to the corresponding calendar date in the next month.[6]

Under Article 12, the time limit can be extended up to two further months “where necessary,” depending on the complexity of the request and how many requests are received. If there is an extension, the controller must notify the data subject within one month, providing the reason for the extension. While the GDPR does not provide an explanation of when a delay would be considered “necessary,” both the UK’s Information Commissioner’s Office (ICO) and the Finnish Office of the Data Protection Ombudsman have stated in guidance that they would consider it “necessary” to extend the time limit if the requests are numerous or complex.[7] It is worth noting that the ICO has also indicated that it would not consider requesting proof of the individual’s identity a “necessary” reason for delay[8].

Form of Response

Any information provided to the data subject in response to a request should be in writing or by electronic means when appropriate. (For example, when the data subject makes the request by electronic means, the controller should respond by electronic means, unless the data subject requests otherwise). The information can also be provided orally, if requested by the data subject, but the controller must prove the identity of the data subject by another means prior to providing the information in that manner[9].

Communications related to data access requests must be given in “concise, transparent, intelligible and easily accessible form, using clear and plain language”[10]. The Article 29 Data Protection Working Party (now the European Data Protection Board) developed guidelines on transparency, which provide a helpful explanation of how to meet this standard.[11]

According to the guidelines, the terms “concise and transparent” mean that data controllers should present information “efficiently and succinctly in order to avoid information fatigue,” while the term “intelligible” means that it “should be understood by an average member of the intended audience.”

“An accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand. For example, a controller collecting the personal data of working professionals can assume its audience has a higher level of understanding than a controller that obtains the personal data of children.” [12]

Access to Responsive Data

The requirement that the response be “easily accessible” means that it should be immediately apparent to the data subject where and how the data can be accessed (for example, by providing it directly to them or linking them to it).[13] And the term “clear and plain language” means that information should be provided in as simple a manner as possible while “avoiding complex sentence and language structures.”[14]

As for providing a copy of the data, Recital 63 recommends providing “remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

In addition to these requirements, Article 12 states that routine responses to data request must be free of charge. This also means that a response to a data access request cannot be conditioned upon financial transactions. (For example, a company could not refuse to respond to a data request because the requestor was not a customer or paying subscriber.) [15]

The controller may charge a “reasonable fee” or refuse to respond to requests that are “manifestly unfounded or excessive.” However, the controller bears the burden of demonstrating that the request was unfounded or excessive. (This standard is discussed in more detail below.)

Controller’s Ability to Restrict, Refuse, and Request Further Information

While one month (or at the latest, three months) may seem to the drafters like enough time to reply to data requests, complying within this time period may prove to be a challenge if the data request is large or undefined or if the data requested is difficult to locate. Fortunately, in many cases, data controllers may communicate with the individual to help limit or define a broad data request.[16] In limited circumstances, a data controller may also be permitted to refuse the data access request.

The first clarifying request a controller may make is one of the most vital to ensure that a response to a data request is done lawfully. Under Article 12, a controller may request additional information necessary to confirm the identity of the individual if the controller has “reasonable doubts” regarding the subject’s identity. Recital 64 is more forceful on this point, stating that a controller “should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” Recital 57 explains that this includes the digital identification of a data subject (for example through authentication credentials used by the data subject to log in to the online service offered by the data controller).

Logistically, a controller must always be certain of the identity of the data subject before sending personal data in response to a request. Sending the wrong person’s personal data to an individual would not only infringe on the rights and freedoms of another (which is prohibited by Recital 63), but may also amount to a data breach by the controller (which has its own notification requirements and ramifications under the GDPR). When requesting identity verification, the controller should be sure to limit the request to information that is necessary to confirm the requestor’s identity[17] and should not retain identity information for the sole purpose of being able to respond to subsequent data access requests.[18]

If the controller is not in the position to identify the individual making the request at all, it must notify the requestor accordingly and in such cases, does not have to complete the data access request. However, this rule does not apply when the data subject provides additional information enabling his or her identification.[19] Thus, if the controller is unable to identify a natural person attached to the data request, it must notify the requestor within one month of the request of that fact. If the requestor responds with information that enables his or her identification, the controller will then be obligated to continue with the data access request process.

Under Recital 63, a controller may also ask a data subject to specify what information or processing activities the data request relates to if the controller processes a large quantity of information concerning the data subject. For instance, an individual may have sent a general data access request to a company asking for information regarding all personal data within the controller’s possession that relates to her. But she may really only be interested in personal data that the controller is using for advertising purposes. In this case, communicating with the requestor after receiving the request would save the controller the time and expense of searching for all personal data related to the individual, when the individual was really seeking data related to a specific processing activity.

Recital 63 also contains an important restriction on data access requests, stating that the access must not “adversely affect the rights or freedoms of others.” This means, in part, that the controller must not produce personal data that does not belong to the requestor. Doing so would infringe on the personal rights of the person who owns the transmitted personal data. As shown above, this can become an issue if the identity of the requestor is not verified. It may also be an issue when providing a requestor with access to data where other individuals’ personal data can also be viewed (i.e., email). The controller must ensure that the requestor only has access to his or her own personal data.

Recital 63’s prohibition against infringing on the rights and freedoms of others also specifically includes “trade secrets or intellectual property and in particular the copyright protecting the software.” Thus, a controller may also be permitted to restrict this type of information from being accessed by an individual in a data access response. However, the controller cannot refuse all access to personal data based on this – it may only restrict access to data that specifically falls into those categories.

Finally, under Article 12, a controller can outright refuse to provide data access to an individual who requests it, if the request is “manifestly unfounded or excessive.” As stated above, the controller bears the burden of proving that the data request is unfounded or excessive and must inform the individual of the refusal (along with the reasons for the refusal, and the individual’s right to file a complaint against the company) within one month of the request. The GDPR provides no further explanation of what types of requests could be considered “manifestly unfounded or excessive” and it remains to be seen how this will be interpreted among data protection authorities. Thus far, both the Irish Data Protection Commission[20] and the Finnish Office of the Data Protection Ombudsman[21] have indicated that they would consider an individual making repeated unnecessary access requests as unfounded and excessive.

Recommendations for Data Controllers

Because data controllers have a responsibility under the GDPR to quickly and accurately respond to data access requests, it is wise to develop in advance a standard procedure for handling such requests. Below is a quick guide to assist data controllers creating a data access request response procedure.

• Any employee may receive a data access request from an individual. All employees should be trained to recognize a data access request and to immediately forward any such requests to the proper personnel. It may be wise to provide more extensive training to employees who regularly interact with customers or employees regarding personal data (and thus may be more likely to receive data requests) to ensure that data requests are accurately recorded and contain the pertinent information. Companies should also identify the employees who will ultimately respond to data access requests and provide the proper training regarding data request responses.
• If a company typically processes personal data electronically, it should consider designing a subject access request form that individuals can complete and submit electronically (with the caveat that an individual is not required to use the standard form in order for the request to be valid)[22].
• A response to a data access request must be provided within one month of receipt. Personnel should have a standard place to log the date of the receipt of personal data requests and keep track of all timeline requirements.
• The controller must be sure of the requestor’s identity before responding to a data access request. The company should have a protocol in place to confirm requestor identity, and personnel should ensure, as soon as possible after receiving a request, that the requestor has provided enough information to enable identity confirmation. If there is any doubt or suspicion regarding the individual’s identity, the company should request identity verification immediately before sending any personal data.
• If the controller processes a large quantity of information concerning the data subject, it has the right to communicate with the individual to specify the personal data information he or she is seeking. Company personnel should evaluate the data request and immediately reach out to the requestor for more information if it is needed or warranted to expedite the response.
• When necessary, the controller may extend the timeline for response, from one month to an additional two calendar months, depending on the complexity of the request and how many requests are received. If, after communicating with the individual, the company determines that it will be unable to provide a data access request response within the one-month timeframe, the company should immediately (within one month of receipt of the request) notify the individual of the delay and the reasons for the extension.
• In limited circumstances, the controller may be able to refuse a data access request or charge a fee for the response if the request is “manifestly unfounded or excessive.” If, after communicating with the individual regarding the data request, company personnel believe the request is manifestly unfounded and excessive, the company should immediately (within one month of receipt of the request) notify the individual of the refusal or the fee charged, the reasons the company believes the request is unfounded or excessive, and that the individual has the right to file a complaint with the company’s DPO or the relevant data protection authority.
• The company should respond to the data request in whatever format the individual has requested. If the request was made electronically, the company should provide the response electronically. If the individual requested a verbal response, the company may do so, but should seek an alternative form of identification prior to transmitting personal data verbally. The GDPR also recommends providing an individual with remote access to his or her personal data, where feasible.
• Companies that commonly deal with data requests should consider designing template responses or language regarding the supplementary information that must be included in every data access request response (for example, template language that inform data subjects about their right to lodge a complaint with a supervisory authority, etc.).