The European Data Protection Board has issued draft guidelines on subject access requests. Most of the guidance is sensible but there are some unpleasant surprises, including the assertion there is no proportionality limit on the effort needed to respond to a request.

Subject access requests

Subject access requests (DSARs) are an important part of the wider data protection framework and are recognised in Article 8 of the EU Charter of Fundamental Rights: “Everyone has the right of access to data which has been collected concerning him or her”. The right helps data subjects to verify the accuracy of any personal data held about them and the lawfulness of the processing of that data.

The substance of the right is set out in Articles 12 and 15 of the GDPR. Data subjects do not need a reason or justification to make a request and requests are free (unless manifestly unfounded or excessive). They are entitled to specific information about the processing of their personal data, such as details of the purposes of the processing and any retention period. Most importantly, data subjects are also entitled to a copy of the personal data being processed.

Key points in the guidance

The 60-page guidance covers a broad range of issues spanning the lifecycle of a subject access request. The key points are:

Receiving DSARs

  • The request does not need to be in any particular form and can be sent via any communication channel normally used by the controller. In contrast, requests sent to “random” addressees are not valid – the guidance gives the example of a DSAR sent to the cleaners at a gym as not being valid.
  • Controllers should verify the identity of the requestor but should not ask for additional personal data for this purpose unless necessary. In many cases, the existing processes to authenticate the individual can be used to verify the requestor’s identity. Copies of ID cards should only rarely be requested.
  • Requests can be made using third-party portals, but controllers should verify that the portal has authority to act on behalf of the individual and might choose to disclose the relevant personal data directly to the individual.
  • Controllers should not ask “why” the request is being made. This is not relevant to its validity. For example, employees are entitled to make DSARs if dismissed by their employer.

Search process

  • The guidance confirms that unstructured electronic information, such as emails, CCTV and telephone recordings, falls within the scope of the DSAR.
  • It also suggests there is no proportionality constraint on the effort needed to search for personal data. We consider this further below.
  • The one-month period to respond runs from the date the request is received, not the date the controller takes notice of it. That period can be extended to three months in the case of complex requests, but extensions should be the exception, and the mere fact that the request will take “great effort” is not necessarily sufficient.

Identifying personal data

  • The guidance largely relies on existing guidance to identify what constitutes personal data but envisages a broad approach. For example, the request could extend to CCTV or telephone recordings.
  • The request extends not only to data provided by the data subject or observed about the data subject. It also includes data derived from that personal data and data inferred from other data. However, this does not mean one can obtain complete access to records. The guidance gives the example of a data subject requesting information about an IT incident – he/she might be entitled to the incident report to the extent it refers to that person, but not to the company’s wider knowledge database of IT problems.
  • The right extends to personal data “concerning” the data subject. For example, where a data subject is the victim of identity theft, they are entitled to details of the actions the fraudster carried out in their name.
  • The guidance confirms that the right is for access to personal data, not copies of documents, although in practice not providing copy documents may require careful extraction of personal data on a document-per-document basis.

Privacy notices

  • As part of the request, data subjects are entitled to a range of information about the processing, such as the purpose or retention period.
  • The guidance suggests that it may be possible to use a general privacy policy to provide this information, but in some cases more specific information might be needed – for example, naming individual recipients of the personal data. This appears akin to creating a tailored privacy notice for each DSAR and is not necessarily easy where significant quantities of personal data fall within the scope of the DSAR and have multiple different purposes, recipients, retention periods etc.

Scope of search and disproportionate effort

Often, the most difficult part of any subject access is…

Read The Full Article at Linklaters