On 28 January 2022, the European Data Protection Board (EDPB) published guidelines on the right of access (Guidelines 01/2022). They serve first and foremost as a guide to ensure that the General Data Protection Regulation (GDPR) is applied consistently in all Member States of the European Union. While not legally binding, they are used by data protection authorities, data protection consultants and, under certain circumstances, even courts, which is why companies should definitely be familiar with them. The EDPB addresses some questions that the courts have in some cases answered inconsistently in recent years, such as how wide-ranging the right of access really is. In addition, companies can derive important recommendations from the guidelines. In this article, we present the guidelines and provide companies with valuable practical tips on how to proceed when faced with an access request.
When do companies have to provide access under Art. 15 GDPR?
First of all, it is important to understand when companies are required to provide access in the first place. The law itself states that a data subject has the right to obtain from the controller confirmation as to whether or not the controller processes their personal data. The controller is the party which, alone or jointly with others, determines the purposes and means of the processing of personal data. So if a company determines whether, for what purposes, and how personal data is processed, it is considered a controller under the GDPR. It should be noted that the data subject’s right of access is unconditional. This means that the controller need not check why a request has been made and whether it meets certain requirements. In principle, natural persons are always entitled to request access, in which case the company must respond.
Applying a kind of three-step test, companies should then determine to what extent they have to provide access. It is important to consider here whether the company even processes any personal data of the person requesting access.
- If this is not the case, then the company needs to inform the person of this.
- If the company does process the person’s data, then the data subject has a right of access to their personal data and to the information referred to in Art. 15(1)(a)–(h), (2) GDPR.
If a company processes personal data, then under Art. 15(3) GDPR it also has to provide a copy of the personal data that is the subject of the processing. The first copy is always free of charge – no matter how much it costs the company to issue it. The copy must comprehensively list all the data mentioned in Art. 15(1) GDPR. Simply providing a brief summary is not sufficient.
Companies may charge a reasonable fee for any additional copies. In this context, it is often not clear whether the data subject has submitted a new request, which would then again entitle them to a free copy, or whether it is a question of merely providing an additional copy. The EDPB explains that this depends on the specific request and how it relates to the first request in terms of time and scope. If the data subject requests a different amount of personal data at a later date, then the company should assume that the request is for a new copy and not for a further copy.
What data and information does the company have to provide access to?
So far, understanding of the scope of the right of access has been characterised by inconsistent case law. The EDPB states that a very broad understanding should be taken as a basis. It argues that an access request covers all of the data subject’s personal data. Besides basic personal data like name or address, a variety of other data must also be included, such as medical findings, creditworthiness indicators, activity logs and search activities. Pseudonymised data is also listed as personal data which controllers have to provide. Communication history – something often requested when the parties have communicated by email – is also considered data which is subject to disclosure. This even applies if the emails have already been deleted but the server provider still has access to them. The Hanover Regional Labour Court (LAG) ruled differently (judgment of 9 June 2020, ref. 9 Sa 608/19) in June 2020, when it ruled that Art. 15 GDPR did not apply to the email correspondence that an employee had conducted or received themselves. The EDPB, on the other hand, bases its view on the very broad understanding of Art. 4 No. 1 GDPR, which provides for a comprehensive definition of personal data. It argues that the right of access under the GDPR must be as broad as the definition allows for the categorisation of personal data. That means a very broad definition – and not one that is overly restrictive. This was also the understanding of the Cologne Higher Regional Court (OLG) when it considered the case (judgment of 23 October 2020, ref. 20 U 57/19) of an insurance policyholder who had contacted their insurance company requesting access. The court took the view that this also applied to information about the history of the premium account, the establishment of the insurance contract, and to the correspondence stored about the data subject.
Only if the amount of data had been too extensive would the controller have been allowed to demand that the data subject specify their request in more detail. A restricted scope may also be considered if the data subject has explicitly requested only certain data.
By way of example, the EDPB lists the following data which has to be disclosed, taking into account the rights and freedoms of others:
- Special categories of personal data: sensitive data such as health data
- Personal data relating to criminal convictions and offences
- Data knowingly and actively provided by the data subject, such as account data or data collected via forms, etc.
- Observed data provided by virtue of using a service or device, such as access logs, history of website usage, search activities, location data, clicking activity, keystrokes, etc.
- Data derived from other data, such as credit ratio, country of residence derived from postcode
- Data inferred from other data but not directly provided by the data subject, such as algorithmic results, results of a health assessment or a personalisation or recommendation process
- Pseudonymised data.
In line with this, in a key ruling the Federal Court of Justice (BGH) already ruled (judgment of 15 June 2021, ref. VI ZR 579/19) in favour of a broad understanding of the right of access. Among other things, information should be provided on what is already known or on internal notes.
As regards requests from employees, companies should be aware of the EDPB’s view that elements that have been used to decide whether to promote someone, give them a raise, or assign them a new job must be classified as personal data to which the employee would have a right of access. This might be their annual performance review, training requests or other career potential. This is something the Hamm Regional Labour Court (LAG) decided in its judgment of 11 May 2021 (ref. 2 AZR 363/21), in that it regarded data about an employee’s performance and conduct as personal data within the meaning of Art. 4 No. 1 GDPR.
In response to a request, companies are also required to disclose inaccurate or unlawfully processed data. This helps data subjects to gain a true understanding of all processing operations. Unlike the right to data portability under Art. 20 GDPR, where data can be taken from one controller to another, the right of access also includes derived rights. With data portability, only data generated by the respective company itself can be transferred. Conversely, companies are required to provide access with regard to derived personal data from other providers.
The information to be provided
The data subject may request the following information regarding the processing of the personal data which is the subject of their access request:
- The purposes for which the data is processed
- The categories of data, such as health data, biometric or genetic data
- Information about recipients to whom the data has been disclosed
- To the extent possible, the envisaged storage period or the criteria used to determine that period
- The existence of the right to request that data be rectified or erased, that its processing be restricted, or the right to object to processing
- The existence of a right to lodge a complaint
- All available information as to the source of the data
- The existence of automated decision-making, for example by means of artificial intelligence
- Information about data transfers to third countries, insofar as the data was transferred to a third country.
According to the EDPB, one way for companies to communicate this information is to use existing text from their privacy notice or from their records of processing activities (cf. Art. 30 GDPR). Here, however, it should first be checked very carefully whether the information that uses boilerplate can actually answer the request specifically enough. This would make sense especially in the case of general information that is often identical, such as a notification about the right to rectification, in which case companies could employ automated processes here.
You might also be interested in this:
- Transmission of health data: pitfalls in health apps & fitness trackers
- The biggest GDPR myths: the consent – what is right and what is wrong?
- Designing and structuring an efficient DPMS
How should companies grant access?
How can companies retrieve the necessary data?
According to the EDPB, it is important to take into account not just data found in IT systems, but also all non-IT file systems. So companies are also required to research and disclose data from paper files. Personal data collected in a computer memory by means of binary code or stored on a videotape is also considered a potential source of data for such data subject requests. Against the background of the data protection principles of “privacy by design” and “privacy by default”, companies should already have implemented appropriate ways in their IT systems to be able to quickly find requested data. This involves data protection-friendly default settings on the technical side for data processing procedures.
Companies are required to communicate the data as well as the information in written or other form, possibly also electronically. A permanent copy of the information should be provided. For example, if the data subject wishes to receive information orally, companies should comply. However, companies should still be able to provide copies of data if requested by the data subject. As a rule, requests for access are made electronically. According to the EDPB, if the request was sent electronically, then the data copy should also be sent by electronic means of communication. For example, a company might choose to send a PDF file by email. Another option might be an online self-service tool that processes requests automatically. This would only be different if the data subject expressly requested that information be provided in a certain form, for example as a written document sent by post. Then companies should also comply with this wish.
Presenting the information
All notifications must be conveyed in a precise, transparent, comprehensible and easily accessible form, in clear and simple language. A particular challenge for companies is often the sheer volume of data to be disclosed, which can conflict with the requirement to keep things concise. One solution the EDPB mentions here is a layered approach, in which the information is communicated in different layers. In the first layer, companies could communicate information about the processing and the rights of the data subject as well as providing initial information about which personal data is processed. The second layer would then provide more detailed personal data.
Granting access: The clock is ticking
If a company receives a request for access, it is imperative to take action immediately. Companies need to respond to the request as soon as possible, and in any case within one month. In exceptional cases, for example if a company receives a high number of highly complex requests, it may be possible to have the deadline extended by two months.
A data subject’s right to obtain a copy of their processed data may not adversely affect the rights and freedoms of others. With regard to the limitations, the EDPB states that trade secrets and intellectual property of the company itself also fall under the rights and freedoms of others, and as such these must not be infringed. In any case, the company would be required to prove any impact on its own rights and freedoms.
Should there be a conflict of interest between the person requesting access and the interests of others, the EDPB certainly sees the possibility of redacting relevant passages or otherwise making them unrecognisable. This would make it possible to grant access to the information while protecting the interests of another person or the company itself. Cologne Regional Court (LG) already came to a similar conclusion (judgment of 24 June 2020, ref. 20 O 241/19) with regard to data disclosure by sending a claims file. It was argued that, in principle, an insurance company was not permitted to transmit an entire claims file due to the interests of third parties. However, personal data of third parties can be redacted in such a case in order to still grant access.
Companies have a right of refusal if requests are manifestly unfounded. The EDPB emphasises that this can only be assumed in very few cases. Companies may also refuse to grant access if requests are frequently repeated and thus excessive in character.
Companies can find further restrictions on the right to access in Sect. 34 of the German Federal Data Protection Act (BDSG). Among other things, under this regulation data subjects do not have a right of access if the data has been stored only because it may not be erased due to legal or statutory provisions on retention. Especially in the case of personal data found in commercial books, annual financial statements or business letters, companies may refuse to provide access. The same applies if data is used exclusively for the purposes of data backup or privacy monitoring. This means, for example, backup copies or log files. However, there must also be disproportionate effort involved, whereby it is primarily a matter of weighing up the interests of the data subject or the controller.
Checklist for requests for access
Companies should take requests for access seriously and process them carefully. Otherwise, they may risk fines or claims for damages under the GDPR. The following checklist will help add structure to the process:
- Check whether a request is a request for access to personal data under Art. 15 GDPR.
- Check whether the sender is entitled to obtain access – by checking their identity to determine whether they are a data subject or whether they are entitled to make a request.
- Find out about the scope of the request – to which data is the person requesting access? If necessary, you can ask the data subject to specify their request.
- The right of access extends to processed personal data and further information pursuant to Art. 15(1)(a)–(h) GDPR. The EDPB generally considers it to be possible to use existing text taken from the controller’s privacy notice to convey the information from Art. 15(1)(a)–(h) GDPR.
- The EDPB takes the view that an automated process should be set up for granting access. Especially in the case of large numbers of requests, this serves to relieve the workload of company staff. It is advisable to create a list documenting the date of the request, the requesting person, the contact details of the requesting person, the date and nature of processing and the member of staff responsible within the company. Otherwise, the EDPB recommends setting up a self-service tool that processes requests automatically on its own.
- Consider the interests of other persons and weigh up whether it is still possible to provide information. For example, redacting certain information could be sufficient.
- Check whether the request is manifestly unfounded or excessive. Then you can demand a reasonable fee for granting access or simply refuse.