Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

6 Lessons From the EDPB’s Draft Guidelines on Rights of Access Under the GDPR

Published February 15, 2022 / Updated December 19, 2023

Data protection and privacy regulations aren’t just aimed at tightening regulations around how organizations (data controllers) collect or process personal data. These varying sets of regulations also empower individuals (data subjects) to have better control and transparency over their personal data, and so they can exercise their fundamental right to privacy.

To ensure data controllers treat personal data and sensitive personal data with more due diligence and data subjects have more control and transparency on the treatment of their personal data, regulatory authorities publish guidance to help with implementation. ON 18th January 2022, The European Data Protection Board (EDPB) published draft guidelines (draft guidance) on Data Subject Access Rights that is enshrined under Article 15 of the European Union (EU) General Data Protection Regulation (GDPR), which has been in full effect across member states since 2018.

Quick Overview of the Right of Access

Article 15 of GDPR empowers data subjects to exercise their right to access and obtain information on whether or not the personal data is being processed, the purpose of processing, categories of personal data that is being processed, any third parties with whom the data controller shares or discloses the personal data, the retention period of the personal data, and security of data during cross-border transfer.

The EDPB draft guidance sheds more light on these critical components of the rights of access, along with extensive examples. The draft guidance further enables data subjects to have enhanced control and visibility of the processing of their personal data.

The EDPB draft guidance is a 60-page document containing 6 sections with subsections and 195 parts. For the sake of brevity, this blog will cover only the most important aspects of the draft guidance, please read the whole guidance for full information.

Secure Transfer of Requested Information

Section 2.3.4, Part 40

Articles 5(f), 24, and 32 of GDPR require data controllers to implement “appropriate technical and organizational measures” for data security, which should be proportionate to the processing risk. The same measures are applicable to the information provided to the data subject while honoring their right to access. This section discusses different scenarios concerning a data subject’s access to the information in a secure manner.

In the case of non-electronic means of transmission of data, the data controller is required to use a registered postal service to deliver the data to the data subject or request (optional) the data subject to collect the file from the data controller’s office.
Should the data controller choose to send the data via electronic means, it is important to ensure that the electronic means should adhere to the data security requirements as provided under GDPR.Similarly, the data controller must also take optimal data security measures while transmitting the data to the data subject, such as data controllers may use encryption, password protection, or pseudonymization for data security.In light of this provision, it is imperative that organizations must provide a secure means of communication and data transfer to their users to streamline the DSARs. Of the best examples that can be quoted here is the User Privacy Portal that Securiti offers. Securiti’s User Privacy Portal enables data controllers to make the DSAR fulfillment seamless and secure for data subjects. The data subject can receive the information in an encrypted format along with a private key to decrypt it. Similarly, data subjects can also track the processing or status of their DSAR.
In the event that the information is required to be transmitted via an end-to-end encrypted system, but the data controller uses a normal emailing system, the draft guidance requires that the data controller must then transfer the data via a USB stick by a registered postal letter.

Assess If The Request Concerns non-Personal Data

Section 3.1.1, Part 44-45

Under Section 3.1.1 part 44, EDPB has made it clear in its draft guidance what it deems as personal data or what type of data falls under the scope of the right of access.

The draft guidance makes it clear that the right of access covers only personal data and not other types of data that are either general in nature or not related to the data subject’s personal data. For instance, the request for accessing information related to the business model of the data controller, their processing activities that are not related to the personal data, or any anonymous data that doesn’t concern the data subject.

Under the same section but in part 45, EDPB has also stressed that pseudonymized data should be treated as personal data as long as the data can be tied or linked to the data subject, and therefore, it will fall within the scope of the right of access.

Refer to Section 4, part 4.1, where EDPB has provided a detailed set of definitions as to what it considers personal data pursuant to Articles 3 and 15(1) of GDPR.

Securiti’s Data Subject Access Request Privacy Portal uses AI/machine learning to highlight identified personal data and extracts that from the original documents or files, typically, therefore, sending only the data required. By using this extract method, a large amount of time is saved and accuracy achieved compared to a method that starts with the full document and then requires redaction of data NOT required. Before sending the data to the data subject, the management interface allows admins to check for accuracy and choose to add or remove data from the DSAR if appropriate to ensure that all relevant personal data is shared and non-personal data is not shared.

Ensure Communication Channels Should Be Clear & Easy to Use

Section 3.1.2, Part 53-57

This section discusses the form of the request. EDPB’s draft guidance proposes that the data controller must provide data subjects with a clear and easy-to-understand channel of communication, just like the Securiti’s User Privacy Portal discussed above. However, it is to be noted that the data subject isn’t obliged to follow any communication channel that they observed while making the initial contract.

The draft guidance further clarifies the types of processing via forms that the data subject is obliged to observe. For instance, the data controllers shall not consider a request valid if the data subject uses a format or a communication channel that is not specifically designed to address or handle personal data processing.

Example
The draft guidance adds more clarity to the section by giving an example of a fitness club, where the club mentions on their website or privacy notice an email address dedicated to handling a data subject’s rights of access. However, the data subject readers to a different email address that is dedicated to handling customers’ complaints or feedback and use that email address to file a DSAR. In such an event, the data controller may deem the request invalid.

Provide Personal Data Involving Fraudulently Used Data

Section 4.2.1, Part 105

This is perhaps the most interesting section of the EDPB draft guidance. The draft guidance stresses that the data generated as a result of fraudulent activity is still considered as personal data belonging to the original data subject. In a case where a data subject is a victim to data theft or misuse by another, the data subject has access to the data used fraudulently and so this falls within the scope of rights of access.

Example
The EDPB clarifies this section of the draft guidance with a quick example. A fraudster plays a game on an online casino website, using the identity of someone else and making payments via a stolen credit card. As the victim learns about identity theft and asks the provider of the online casino to share the personal data related to the general information and the credit card information, the data controller must oblige. This is because the personal data or credit card data used to play online games may be used to send invoices to the victim data subject. Therefore, the data controller must honor the right of access.

Communicate Data Retention Period to Data Subject

Section 4.3, Part 116

Section 4.3, part 116 of the EDPB’s draft guidance, sheds further light on Article 15(1)(d) of GDPR where the regulation discusses storage limitation. The draft guidance clarifies that the data subject must be informed of the envisaged data retention period, and if not, then the criteria used to determine the retention of personal data. The retention or deletion time mentioned by the data controller must be specific, and if it isn’t, then the data controller must provide the duration of the storage period and the triggering event, such as expiration or termination of the contract.

A recommended practice is to create a catalog of the personal data using metadata, classifying the personal data in terms of the purpose of processing, legal basis, or storage limitation. It enables organizations to get seamless visibility into processing activities of personal data and meet data subject rights better.

Exercise Layered Approach to Honoring Access Requests

Section 5.2.4, Part 141-145

Section 5.2.4 builds upon Article 12(1) of GDPR where the data controller is required to ensure that the information is to be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”

However, sometimes the requested information is often part of a massive volume of data that the data subject may not be able to understand immediately or is difficult to provide completely. Therefore, to ensure that the data controller complies with Article 12(1) of GDPR and Article 15, EDPB proposes that the information shall be provided in a “layered approach.” However, the layered approach must only be observed in very specific circumstances.

The layered approach raises the question of what sort of information should be presented in the first layer. In response to this question, EDPB recommends in the draft guidance that the information that is most relevant to the data subject should be provided in the first layer, followed by more personal data in later layers.

EDPB further clarifies in the draft guidance that a data controller shall inform the data subject of the layered approach, its mechanism, and how the data subject can access different layers of information from the onset.

It is also to be noted that these are only draft guidelines and are subject to public consultation until full enactment.