At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection authorities have published guidance (e.g. the CNIL in France and the UK Information Commissioner’s Office, whose updated draft right of access guidance is in public consultation until Feb. 12), it is not certain that regulators in other EU countries will take a similar position. Even within one jurisdiction, i.e., in Germany, regulators’ interpretation of what constitutes a proper response to, for example, a data subject access request may differ from one supervisory authority to another.
Therefore, the European Data Protection Board’s guidelines on data subject rights, foreseen in its Work Programme for 2019-2020, will be very much welcome. The guidelines will focus on the rights of access, rectification, erasure, objection and restriction, as well as on the limitations to these rights. The feedback gathered at the EDPB’s dedicated stakeholder workshop, held in November 2019, is expected to feed into future guidelines (see the summary of the feedback received in this EDPB post). In several months, the EDPB plans to make draft guidelines available for public consultation, giving stakeholders the opportunity to comment. Only after the analysis of the comments received, the EDPB will adopt final guidelines, likely in the second half of the year.
With respect to DSARs, controllers must implement processes to ensure they can respond to a request within one month of its receipt (unless an extension of up to two months is necessary). They need to document their handling of a DSAR carefully to prove compliance with the GDPR. In case of infringing data subject rights, controllers run the risk of fines of up to 20 million euros or 4% of their total worldwide annual turnover, whichever is greater.
The guidelines present an opportunity to clarify several major questions regarding DSARs. This article explores the following issues in more detail:
- The scope of the right to receive a copy of personal data.
- Adequate measures to verify a data subject’s identity, including where the only personal data held by the controller is technical data, such as online identifiers.
- Limits of the right of access.
Some of these issues were also raised to a certain extent at the EDPB’s stakeholder workshop, which means that, in principle, they would be addressed in the guidelines.
Should a copy of all documents be provided?
The right of access provided in Article 15 of the GDPR comprises several elements. In response to a DSAR, the controller must:
- Confirm whether an individual’s personal data is being processed.
- Grant access to the personal data.
- Provide certain information about the processing.
- Provide a copy of the personal data being processed.
The last element – providing a copy – triggers many important practical issues. A literal reading of the provision would imply that the controller should provide “a copy” of all personal data being processed, such as copies of files, logs, emails or any other (excerpts of) documents containing personal data relating to the data subject.
Alternatively, it could be interpreted as an obligation to provide “a summary” of all personal data being processed in relation to the data subject. Providing a summary, however, cannot circumvent the obligation to produce all personal data being processed, as doing so would fall short of fulfilling the obligation under Article 15(3) of the GDPR.
While a summary may not constitute a copy of personal data, this interpretation seems to be more purpose-oriented. In addition, Article 12(1) of the GDPR, describing the modalities of communication by the controller and the data subject exercising their rights, requires the controller to communicate in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Providing a summary of the personal data could potentially fulfil these conditions more adequately than providing copies of logs or files.
DPAs across the EU adopt different approaches. For instance, the U.K. ICO deems that controllers need to carry out reasonable searches for the information covered by the request. There is substantial case law in the U.K. regarding what documents should be provided to a data subject, including documents and emails.
On the other hand, in Germany, there is no uniform guidance to date. Local DPAs interpret Article 15(3) of the GDPR differently, with some viewing that a summary is sufficient, whereas others view that document production is appropriate.
At all times, the controller should carry out a careful case-by-case assessment of the DSAR. In some cases, the controller may conclude that providing a copy of personal data best addresses the DSAR; in others, a summary of the processing may suffice. Ostensibly, the upcoming guidelines will bring more clarity.
Data subject identity verification: What are ‘reasonable measures’?
To ensure that a DSAR originates from the data subject concerned, according to Recital 64 of the GDPR, the controller should “use all reasonable measures to verify the identity of a data subject” before responding to it. This is particularly relevant in the online environment, where the controller and the data subject do not meet in person.
Examples of identity verification include asking the data subject:
- To log in to the account associated with the data subject (if the individual holds an account with the controller).
- To answer several questions that only the data subject should know the answer to (e.g., the date the account was created, if the individual holds an account with the controller).
- To prove access to the email address with which the data subject registered with the controller (e.g., by presenting a unique identification code that the controller will generate and send to such address upon request).
- To submit a copy of an ID document (with certain data obfuscated).
- For a combination of some of the above options.
In some cases, controllers consider that an email containing a DSAR received from the email account related to the data subject, corresponding to the one registered with the controller, suffices for identity verification. The identity verification procedure can vary depending on the nature of the record of personal data, as well as its importance, sensitivity and volume. For significantly important personal data (e.g., health or financial data), asking for a copy of an ID document may be appropriate. However, this is not the case for regular personal data.
In addition, when an individual submits a DSAR on behalf of someone else (e.g., a child), merely verifying their identity no longer suffices. In such a situation, the controller needs to verify the legal authority of the individual acting on the data subject’s behalf (e.g., through a power of attorney).
The interpretation of “all reasonable measures” for identity verification differs from one EU country to another. For example, the U.K. ICO recommends asking for additional information only if there are doubts about the identity of the person making the request. If this is the case, the controller should promptly respond to the data subject, requesting only additional information that is necessary to confirm the identity of the data subject. The ICO clarifies that the timeline for responding to the DSAR begins when the controller receives the additional information about the requestor’s identity.
In France, if the controller has reasonable doubts as to the identity of that person, it may request additional information, including a copy of an ID document bearing the signature of the holder. The French implementing decree of the data protection rules provides a possibility for both identity and postal address verification on the delivery of the DSAR response by registered mail – if the data subject requested a response in writing.
In Germany, the provision of an ID card copy is not permitted unless consent has been obtained from the ID cardholder.
What about online identifiers?
Certain businesses (e.g., website providers) process only online identifiers, such as cookie identifiers or IP addresses. Without other personal data regarding the data subject, the controller may struggle to verify with certainty the identity of the person where, for example, the DSAR is submitted through an email requesting access to all personal data related to an IP address or cookie identifiers, given that they may belong to a shared device, for example, in a household with several housemates.
Article 11(1) of the GDPR is relevant here insofar as it states that where the controller processes online identifiers for a purpose that does not require it to identify the data subject, it is not obliged to process additional information to identify the data subject but it must be able to demonstrate that it is not in a position to identify them. Of course, the data subject may decide to provide additional information to the controller. If such information enables the controller to verify the identification of the data subject, the controller needs to accommodate the DSAR.
The notion of “all reasonable measures” for identity verification remains unclear in certain scenarios, including in relation to online data processing. It remains to be seen if the guidelines assist controllers in striking a balance between ensuring adequate identity verification to avoid sending a response to a DSAR to a false recipient and not collecting more personal data than is necessary.
Limits of the right of access: When can the controller refuse to act upon a DSAR?
The controller may refuse to act on the DSAR if:
- It is able to demonstrate that it cannot verify the identification of the person submitting the DSAR, and the data subject does not provide additional information enabling their identification.
- The DSAR is “manifestly unfounded or excessive”.
- EU or national law provides for a restriction of this right.
If the controller can demonstrate that it is not able to identify the data subject, it must inform the data subject, if possible. If the data subject does not provide additional information enabling their identification, the controller does not need to act upon the DSAR further.
The controller may refuse to act on DSARs if they are “manifestly unfounded or excessive, in particular because of their repetitive character”. Alternatively, the controller may charge “a reasonable fee” that covers its administrative costs. Regarding requests for further copies of personal data, the controller may also charge a reasonable fee.
However, the burden of demonstrating what constitutes “manifestly unfounded or excessive character” lies with the controller. Given the potential liability for breach of their obligations that may lead to significant fines, it is understandable that controllers seek regulatory guidance.
It is important to be aware of any EU or national law – to which the controller is subject – that may restrict the scope of the right of access and the related obligations of the controller. Such laws may safeguard, for example, the enforcement of civil law claims or the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
Finally, yet importantly, the controller needs to ensure that providing a copy of the personal data processed does not “adversely affect the rights and freedoms of others”. This includes personal data of individuals other than the requestor, trade secrets, intellectual property and, in particular, copyright protecting the software. The consideration of others’ rights and freedoms should not be a reason to refuse to provide all information to the data subject. In practice, drawing the right balance may become a challenging task.
To ensure that the rights and freedoms of others are not adversely affected, depending on the format in which the personal data is contained, the controller can irretrievably remove such information manually or automatically. Using emails as an example, a controller’s employee can carry out a keyword search of an inbox, identify a number of emails falling into the DSAR scope, and redact the parts of the emails that are out of scope, such as the personal data of other data subjects or confidential business information. The data subject who has submitted the DSAR would receive emails with his or her personal data; however, irrelevant information would be redacted.
While the GDPR sets uniform rules, their interpretation by DPAs still differs. The upcoming guidelines are, therefore, much awaited, bringing more clarity and consistency across the EU, in particular regarding DSARs. We will continue to monitor developments in this area and post updates when the Guidelines are published.
A portion of this article was originally published in the IAPP’s Privacy Advisor on January 28, 2020.