EDPB GDPR Article 15

The European Data Protection Board (EDPB), which consists of representatives from all national regulatory authorities within the EU, has published its proposals for guidelines on the right of access in accordance with Article 15 of the GDPR.

The right of access is a right for the data subject (the person whose personal data is processed by someone) to become aware of what processing takes place, for what purposes, and also to have access to the personal data.

In essence, a register extract (the right of access) covers the following:

  • Confirmation whether personal data about the data subject is processed or not

  • Access to this personal data

  • Access to information about the processing such as the purpose of the processing, which categories of personal data are processed, how long the data is planned to be processed etc.

If anyone had hoped that the EDPB's guidelines would in any way limit the scope of access, they have hoped in vain: the guidelines make it clear that the right of access is incredibly far-reaching.

Some particularly interesting aspects that are clarified in the guideline are the following:

  • There is no restriction on access based on the burden that retrieving the information places on the controller. A controller can thus never claim that processing a request for a register extract would consume too many resources or otherwise entail an excessive cost.

  • There is no limit to the amount of information to be searched. It is the controller's responsibility to have an overview of their information. When a register extract is requested, the controller must therefore go through all available information resources to find any personal data covered by the request. This includes both digital and analogue information, as well as information held in active IT systems, decommissioned IT systems, and backups. It also applies both to structured information adapted for searching and to information that only appears in unstructured running text. With regard to running text in particular, it is worth pointing out that the Swedish supplement to the GDPR, the Data Protection Act, actually contains a restriction regarding the unstructured running text of public authorities.

  • The controller must not make it difficult for the data subject to exercise his or her right. It is therefore not OK to, for example, routinely require the data subject to send a copy of an ID document by traditional mail, or to impose similar requirements that make it difficult for the data subject to exercise his or her right (and which, in most cases, involve processing even more personal data than necessary). In practice, controllers should generally be careful about imposing "requirements" that can be perceived as (and perhaps are) ways of making the right harder to exercise rather than anything else.

  • It should be added, however, that the controller is required to ensure that the personal data is not disclosed to anyone other than the data subject; how this is to be achieved must be assessed on a case-by-case basis.

  • The controller only needs to disclose personal data that they can actually trace to a specific individual. This means that if the controller has no identifying information at his or her own disposal, he or she does not have to disclose anything. On the other hand, the guideline states that the controller must not refuse to accept information that resolves this, e.g. when the data subject provides such information himself or herself.

  • It must not cost the data subject anything to access the information. Public actors may therefore not charge a fee for the disclosure, as is the case with, for example, requests to inspect public documents. There is, however, an exception under Article 12(5) for repetitive or manifestly unfounded requests. The EDPB emphasizes in the guideline that these exceptions can only be applied in extreme, exceptional cases. No practical examples are given of what is actually meant by a manifestly unfounded request. With regard to repetitive requests, it is stated that no specific time span can be given for when a request should always be considered repetitive, because it depends on the person's activities and how much the processing of personal data changes during that time. It is stated, however, that an interval of one year can never be regarded as repetitive (which is interesting in light of the fact that, under the earlier Personal Data Act, a registered person only had the right to request a register extract once a year).

The guidelines are not yet final; they have been published by the EDPB for comment.

Link: https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf

If you want to know more about data subjects' rights or have any other issues regarding GDPR or information security, you are welcome to contact us.
