
The right to information and data subject access requests

The Court of Justice of the European Union has decided several cases concerning data subject access requests and clarified the scope of certain information to be provided.

1. The right to information

Data subjects have the right to be informed about how their personal data are processed by the controller. This information has to be provided in a privacy statement, also called a data protection notice. The privacy statement has a prescribed content which serves not only to inform data subjects which of their personal data are processed and how, but also to assure them that their personal data are processed in compliance with EU rules. Some of the information in a privacy statement is nevertheless general, and data subjects can therefore request further information and access to the personal data the controller processes about them. Privacy statements can be displayed on the web pages of the controller. Some controllers publish one comprehensive privacy statement covering various processing activities (those concerning visitors of the website, registrants to newsletters or even clients using the services of the controller), which sometimes makes the information opaque. Where services are contracted, the contract itself of course also contains information about the processing of personal data. The privacy statement is sometimes also called a privacy policy, although the latter is somewhat different, as it also contains rules internal to the controller. As data subjects have to be aware of the processing of their data, it is not sufficient to display the privacy statement passively; their attention has to be drawn to it.
There are different ways to do this:
- if the data are processed in an IT system to which the data subjects have access, the link to the privacy statement has to be displayed on the main page of the IT system (for online registration for an event, on the registration page);
- the link to the privacy statement should be included in the first communication with the data subject (acknowledgement of receipt, registration confirmation or invitation e-mail, for example);
- on a registration page, for example, confirmation of having read the privacy statement can be requested by having the user tick a box; this is, however,
  - only necessary when it is crucial that the user confirms having been informed, and
  - not a substitute for consent: if the processing of personal data is not based on consent, the data subject does not have to agree with the privacy statement.
Information about the possibility to unsubscribe could also be included at the bottom of newsletters or information e-mails.

The principle of fairness and transparency requires that data subjects are proactively made aware of the processing of their data; they should not have to search for the information or enter into a relationship with the controller without being informed. Where the processing of personal data is based on consent, for the consent to be informed (which is required for it to be valid), basic information about the processing should be available directly (without having to click a link, for example), and the data subject should also have access to the privacy statement before giving consent. More comprehensive and detailed information about the processing of personal data is contained in the so-called record of personal data processing.
Organisations employing fewer than 250 persons only have to keep these records if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if it includes special categories of data or personal data relating to criminal convictions and offences.

2. Requests for access to personal data

2.1. General rules

Data subjects can also ask individually for access to their personal data. More precisely, this right means that they are entitled to obtain from the controller confirmation as to whether or not personal data concerning them are processed and, where that is the case, access to the personal data and certain information about the processing. This information includes, among other things: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the source of the data where they were not collected from the data subject, how long the data are kept or how this retention period is determined, etc. A reply template of the DPO lists all of this information, and the information is provided using this template. Data subjects also have to receive information about the safeguards applied when their data are transferred to third countries or international organisations. A reminder of the rights to rectification and erasure of personal data and to restriction of processing (see the separate guidance on these rights; note that they only concern inaccurate or unlawfully processed data), and of the right to lodge a complaint with the European Data Protection Supervisor, should also be included. Data subjects also have the right to receive a copy of their personal data. All these rights are connected: the right of access to the personal data and the right to obtain a copy are not two different rights.
The purpose of both is to enable the data subject to be aware of the processing and to verify its lawfulness (recital 63 GDPR). It is, however, not necessary to state a reason for the access requested: the controller must provide the first copy of the personal data undergoing processing (free of charge, Article 15(3) GDPR) even where the reason for the request is unrelated to those referred to in the first sentence of recital 63 GDPR. Today it seems almost trivial that the information and the copy should be provided by electronic means; the GDPR nevertheless expressly contains this requirement where the request was made by electronic means and the data subject has not requested otherwise. This obligation exists only in respect of the information related to the personal data of which the controller must provide a copy pursuant to the first sentence of Article 15(3). There are some exceptions and derogations from the right of access to personal data; these should, however, be interpreted strictly and applied on the basis of a case-by-case evaluation, taking their proportionality into account. The main cases of exceptions and limitations are:
- observing the rights and freedoms of others;
- restrictions of data subject rights according to Article 25 EUDPR;
- manifestly unfounded and excessive requests.

2.2. Identification of the data subject

According to the GDPR, if the controller has reasonable doubts concerning the identity of the natural person making the request, it may request the additional information necessary to confirm the identity of the data subject. This requirement serves to prevent someone else from making a request while impersonating the data subject. The controller is only obliged to provide the personal data of the requester, not those of other persons, unless the requester has a mandate from the data subject. The requester can be the legal guardian of a minor or a legal representative under national law.
Reasonable doubt can arise, for example, if the name in the e-mail address differs from the name of the data subject. If, on the other hand, the e-mail address is known to us as that of the data subject, there is no reasonable doubt. Conversely, the fact that the name in an unknown e-mail address is identical to the name of the data subject confirms the identity only if the organisation from which the e-mail originates (a public institution, a newspaper or a well-known company, for example) is trusted in the sense that it does not issue addresses under false names. Even then, e-mail addresses can be spoofed, so if the content or subject of the request is not in line with what is known about the originating institution, suspicion can still arise. Gmail, Yahoo and similar free or publicly available e-mail services usually do not check whether the user has the right to use the name that forms part of the address, so names in addresses from these providers do not provide sufficient assurance where there is reasonable doubt. One obvious piece of additional information would be a copy of an identity document (passport or ID card). This contains sensitive information and should therefore not be the first choice. If there are less intrusive ways (asking for some information that only the data subject could reasonably know and that is registered by the controller, or confirming the request via an e-mail to the data subject's address registered in our databases where that differs from the one the request arrives from, for example), the less intrusive way should be preferred. Only if there is no less intrusive way should a scanned copy of the ID card, passport or other identity document be requested.
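The out-of-band confirmation just described, as an added example that is not code from the original post or from any EEAS system: a request arriving from an address other than the registered one is classified according to the reasoning above, and a single-use, time-limited confirmation token is sent to the address already held for the data subject, never to the requester's address. The subject record, the trusted-organisation and free-mail domain lists and the "outbox" standing in for an e-mail sender are constructed for the example.

```python
"""Out-of-band confirmation of a data subject access request.

Added example, not code from the original post or the EEAS. It assumes a
hypothetical controller that stores one registered e-mail address per data
subject and can send mail to it; the subject records, the domain lists and
the mail sending below are constructed stand-ins, not real services.
"""
import hashlib
import hmac
import re
import secrets
import time
import unicodedata
from dataclasses import dataclass

# Assumptions for the example: free-mail providers do not vouch for the name
# in the local part; the trusted organisations are assumed to issue addresses
# only under the holder's real name.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_ORG_DOMAINS = {"example-ministry.gov.example"}


@dataclass(frozen=True)
class Subject:
    subject_id: str
    name: str
    registered_email: str


@dataclass
class Challenge:
    subject_id: str
    token_hash: bytes   # only the hash is stored; the token itself travels by e-mail
    expires_at: float


def _name_tokens(text: str) -> set[str]:
    """Lower-case, accent-stripped word set: 'Anna Kovács' -> {'anna', 'kovacs'}."""
    folded = unicodedata.normalize("NFKD", text)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return {t for t in re.split(r"[^a-z]+", folded.lower()) if t}


def assess_sender(subject: Subject, sender_email: str) -> str:
    """Classify the address a request came from.

    'registered'     - matches the address on file: no reasonable doubt
    'trusted_domain' - name matches and the domain is a trusted organisation
    'doubt'          - anything else (free-mail or unknown): confirm out of band
    """
    sender = sender_email.strip().lower()
    if sender == subject.registered_email.lower():
        return "registered"
    local, _, domain = sender.rpartition("@")
    name_matches = _name_tokens(subject.name) <= _name_tokens(local)
    if name_matches and domain in TRUSTED_ORG_DOMAINS:
        return "trusted_domain"
    # A matching name at a free-mail provider proves nothing; an unknown
    # address with a different name is the textbook case of reasonable doubt.
    return "doubt"


class OutOfBandConfirmer:
    """Issues and checks single-use, time-limited confirmation tokens that are
    sent to the address already registered for the subject, not to the requester."""

    TOKEN_TTL_SECONDS = 24 * 3600

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing expiry
        self._pending: dict[str, Challenge] = {}
        self.outbox: list[tuple[str, str, str]] = []   # (to, request_id, token)

    def issue(self, request_id: str, subject: Subject) -> None:
        token = secrets.token_urlsafe(32)    # 256 bits of randomness
        self._pending[request_id] = Challenge(
            subject.subject_id,
            hashlib.sha256(token.encode()).digest(),
            self._now() + self.TOKEN_TTL_SECONDS,
        )
        # Stand-in for sending mail: the link goes to the registered address only.
        self.outbox.append((subject.registered_email, request_id, token))

    def confirm(self, request_id: str, token: str) -> bool:
        challenge = self._pending.get(request_id)
        if challenge is None or self._now() > challenge.expires_at:
            self._pending.pop(request_id, None)   # drop expired challenges
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, challenge.token_hash):
            return False                           # wrong token; challenge stays open
        del self._pending[request_id]              # single use
        return True
```

Only the hash of the token is kept server-side, so a leak of the pending-challenge store does not let anyone confirm a request, and the comparison is constant-time so the check itself leaks nothing about the stored value.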
Whenever a copy of an identity document is requested, the data subject's attention has to be drawn to the fact that the photo, the national registration number and all other potentially sensitive information not necessary for identification should be masked. Abuse by homonyms, on the other hand, should be prevented, so information beyond the name that is already registered by the controller (such as date of birth or mother's maiden name) may be requested to remain visible. One remark concerning the photo: if the data subject is not present in person and the controller does not hold a photo either, the photo can always be masked, as it serves identification only when we can compare it with a photo in our records or with the face of the person present. Searching the internet for the name of the data subject can be useful for identification and also helps to determine where to look for the data subject's personal data, as the profession can be indicative in this respect. Public information can, of course, be false, so care is advisable.

2.3. Modalities of providing access and information on request

The obligation to provide information about the processing of personal data, and access to the personal data, on request of the data subject is intended to provide more concrete information than the privacy statement, thereby enabling data subjects to ascertain that their data are processed in compliance with the rules. According to a recent judgment of the Court of Justice (Österreichische Post, C-154/21), in order to ensure this, the most concrete information possible about the identity of the recipients has to be provided: the actual recipients, not merely the categories of recipient, unless it is impossible to identify them.
There is a limitation relevant for the controller: the identity of the employees of the controller and of others who access the data on its behalf (in that case, staff of the controller and of its contractor) only has to be disclosed if this information is essential to enable the data subject to exercise their rights effectively, for example to verify that the processing was lawful, and taking the rights and freedoms of those employees into account (C-579/21, Pankki S); the dates and purposes of the consultation operations themselves are information the data subject is entitled to obtain. Access logs make it possible to find out who has received or consulted the data. The controller has to respond to requests within one month. The EDPB considers it good practice to send an acknowledgement of receipt indicating this deadline; this is, however, not obligatory under the data protection legislation.

2.4. Modalities of providing a copy of the personal data

The right to obtain a copy shall not adversely affect the rights and freedoms of others. Here, unlike the privacy exception in the rules on public access to documents, the rights not only of natural persons but also of organisations have to be taken into account. If the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic form, unless the data subject requests otherwise. The commonly used electronic format concerns the copy of the personal data: the concept of 'information' to which this obligation refers relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of Article 15(3) GDPR (C-487/21, Österreichische Datenschutzbehörde). The right of access is limited to the personal data of the data subject. Nevertheless, further parts of documents or databases should be disclosed if this is essential to enable the data subject to exercise effectively the rights conferred on them, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others (C-487/21, Österreichische Datenschutzbehörde).
This means, for example, that opinions of others may not have to be disclosed. Information necessary for understanding or interpreting the personal data, or the way the data are processed, should however be disclosed even when it is not strictly personal data of the data subject (again taking into account the protection of the personal data of others). Beyond protecting the rights and freedoms of others (i.e. providing the information in a way that takes those rights and freedoms into account), the provision of information can only be refused in the case of manifestly unfounded or excessive requests. In that case the requester has to be informed, including of the reasons for refusing to act on the request, of the right to lodge a complaint with the data protection supervisory authority (whose identity should also be disclosed in the privacy statement) and of the right to seek a judicial remedy. The controller has to demonstrate in this case that the request is manifestly unfounded (for example because it is clear that no personal data of the requester are processed) or excessive. The excessive character can result from the repetitive nature of the request, but it has to be borne in mind that the processing, or the data processed, can change over time and that the data subject has the right to be informed about the actual situation; the time span between repeated requests therefore also has to be taken into account, even when the same data are requested.

2.5. Requests for all data processed about a data subject

In many cases, data subjects are not aware of which of their data are processed. They therefore often ask for all of their personal data processed by the EEAS. According to Guidelines 01/2022 of the EDPB on the right of access, these requests have to be fulfilled.
The guidelines even require that, unless the data subject explicitly requests otherwise, a request to exercise the right of access is to be understood in general terms, encompassing all personal data concerning the data subject. To do this, the organisation (data controller) has to be aware of all personal data it processes. Fulfilling such general requests may nevertheless not be simple, and some data protection supervisory authorities consider them excessive. Recital 37 EUDPR allows the controller to ask the data subject to specify the information or processing activities to which the request relates, but only if it processes a large quantity of information about the data subject. For this, too, the controller has to be aware of the data it processes, and what counts as a large quantity is not self-evident either. One way of fulfilling such general requests is to enquire of all entities of the controller whether they process data of the requesting individual. Another option is a so-called "layered" approach: we first provide more general information and an overall view of the data, leaving the details for a subsequent phase (ensuring that the whole process is completed within the one-month deadline or, if the request is complex, making use of the extension). We can also provide the copy of a large quantity of personal data in a downloadable format online, enabling the data subject to download only what he or she needs. Certain ICT tools are available to assist in responding to these requests. Other ways are to search for the name in mailboxes, databases, etc.

Article 12(5) GDPR contains the reference to the manifestly unfounded or excessive nature of a request. First, the controller has to demonstrate that a request is manifestly unfounded or excessive. Secondly, there is a phrase stating: "… in particular because of their repetitive character". This does not mean that all repeated requests can be rejected: recital 63 GDPR says that the data subject should be able to exercise the right of access easily and at reasonable intervals. The data processed, and the way they are processed, can change over time. So only unreasonably frequent requests can be rejected.
