

6 Lessons From the EDPB’s Draft Guidelines on Rights of Access Under the GDPR

Published February 15, 2022 / Updated December 19, 2023


Data protection and privacy regulations aren’t just aimed at tightening the rules around how organizations (data controllers) collect or process personal data. These regulations also give individuals (data subjects) better control over, and transparency into, their personal data, so that they can exercise their fundamental right to privacy.

To ensure data controllers treat personal data and sensitive personal data with more due diligence and data subjects have more control and transparency on the treatment of their personal data, regulatory authorities publish guidance to help with implementation. On 18th January 2022, the European Data Protection Board (EDPB) published draft guidelines (draft guidance) on Data Subject Access Rights, which are enshrined under Article 15 of the European Union (EU) General Data Protection Regulation (GDPR), which has been in full effect across member states since 2018.

Quick Overview of the Right of Access

Article 15 of GDPR empowers data subjects to exercise their right to access and obtain information on whether or not the personal data is being processed, the purpose of processing, categories of personal data that is being processed, any third parties with whom the data controller shares or discloses the personal data, the retention period of the personal data, and security of data during cross-border transfer.

The EDPB draft guidance sheds more light on these critical components of the rights of access, along with extensive examples. The draft guidance further enables data subjects to have enhanced control and visibility of the processing of their personal data.

6 Interesting Aspects of EDPB’s Draft Guidelines on Rights of Access Under GDPR

The EDPB draft guidance is a 60-page document containing 6 sections with subsections and 195 parts. For the sake of brevity, this blog covers only the most important aspects of the draft guidance; please read the whole guidance for full information.

Secure Transfer of Requested Information

Section 2.3.4, Part 40

Articles 5(f), 24, and 32 of GDPR require data controllers to implement “appropriate technical and organizational measures” for data security, which should be proportionate to the processing risk. The same measures are applicable to the information provided to the data subject while honoring their right to access. This section discusses different scenarios concerning a data subject’s access to the information in a secure manner.

  • In the case of non-electronic means of transmission of data, the data controller is required to use a registered postal service to deliver the data to the data subject or request (optional) the data subject to collect the file from the data controller’s office.
  • Should the data controller choose to send the data via electronic means, those means must adhere to the data security requirements provided under GDPR. Similarly, the data controller must also take optimal data security measures while transmitting the data to the data subject; for example, data controllers may use encryption, password protection, or pseudonymization. In light of this provision, it is imperative that organizations provide a secure means of communication and data transfer to their users to streamline DSARs. One of the best examples that can be quoted here is the User Privacy Portal that Securiti offers. Securiti’s User Privacy Portal enables data controllers to make DSAR fulfillment seamless and secure for data subjects. The data subject can receive the information in an encrypted format along with a private key to decrypt it. Similarly, data subjects can also track the processing or status of their DSAR.
  • In the event that the information is required to be transmitted via an end-to-end encrypted system, but the data controller uses a normal emailing system, the draft guidance requires that the data controller must then transfer the data via a USB stick by a registered postal letter.

Assess If the Request Concerns Non-Personal Data

Section 3.1.1, Part 44-45

Under Section 3.1.1 part 44, EDPB has made it clear in its draft guidance what it deems as personal data or what type of data falls under the scope of the right of access.

The draft guidance makes it clear that the right of access covers only personal data and not other types of data that are either general in nature or not related to the data subject’s personal data. Examples of requests that fall outside its scope include requests for information about the data controller’s business model, about processing activities that are not related to the personal data, or about any anonymous data that doesn’t concern the data subject.

Under the same section but in part 45, EDPB has also stressed that pseudonymized data should be treated as personal data as long as the data can be tied or linked to the data subject, and therefore, it will fall within the scope of the right of access.

Refer to Section 4, part 4.1, where EDPB has provided a detailed set of definitions as to what it considers personal data pursuant to Articles 3 and 15(1) of GDPR.

Securiti’s Data Subject Access Request Privacy Portal uses AI/machine learning to highlight identified personal data and extract it from the original documents or files, so that typically only the required data is sent. This extract method saves a large amount of time and improves accuracy compared to a method that starts with the full document and then requires redaction of the data that is not required. Before the data is sent to the data subject, the management interface allows admins to check for accuracy and to add or remove data from the DSAR where appropriate, ensuring that all relevant personal data is shared and non-personal data is not.

Ensure Communication Channels Are Clear & Easy to Use

Section 3.1.2, Part 53-57

This section discusses the form of the request. EDPB’s draft guidance proposes that the data controller must provide data subjects with a clear and easy-to-understand channel of communication, just like Securiti’s User Privacy Portal discussed above. However, it is to be noted that the data subject isn’t obliged to follow any communication channel that they observed while making the initial contract.

The draft guidance further clarifies the types of processing via forms that the data subject is obliged to observe. For instance, the data controllers shall not consider a request valid if the data subject uses a format or a communication channel that is not specifically designed to address or handle personal data processing.

The draft guidance adds more clarity to the section by giving an example of a fitness club, where the club mentions on its website or privacy notice an email address dedicated to handling data subjects’ rights of access. However, the data subject refers to a different email address that is dedicated to handling customers’ complaints or feedback and uses that email address to file a DSAR. In such an event, the data controller may deem the request invalid.

Provide Personal Data Involving Fraudulently Used Data

Section 4.2.1, Part 105

This is perhaps the most interesting section of the EDPB draft guidance. The draft guidance stresses that data generated as a result of fraudulent activity is still considered personal data belonging to the original data subject. In a case where a data subject is a victim of data theft or misuse by another, the data subject has access to the data used fraudulently, and so this falls within the scope of the right of access.

The EDPB clarifies this section of the draft guidance with a quick example. A fraudster plays a game on an online casino website, using the identity of someone else and making payments via a stolen credit card. As the victim learns about identity theft and asks the provider of the online casino to share the personal data related to the general information and the credit card information, the data controller must oblige. This is because the personal data or credit card data used to play online games may be used to send invoices to the victim data subject. Therefore, the data controller must honor the right of access.

Communicate Data Retention Period to Data Subject

Section 4.3, Part 116

Section 4.3, part 116 of the EDPB’s draft guidance, sheds further light on Article 15(1)(d) of GDPR where the regulation discusses storage limitation. The draft guidance clarifies that the data subject must be informed of the envisaged data retention period, and if not, then the criteria used to determine the retention of personal data. The retention or deletion time mentioned by the data controller must be specific, and if it isn’t, then the data controller must provide the duration of the storage period and the triggering event, such as expiration or termination of the contract.

A recommended practice is to create a catalog of the personal data using metadata, classifying the personal data in terms of the purpose of processing, legal basis, or storage limitation. It enables organizations to get seamless visibility into processing activities of personal data and meet data subject rights better.

Exercise Layered Approach to Honoring Access Requests

Section 5.2.4, Part 141-145

Section 5.2.4 builds upon Article 12(1) of GDPR where the data controller is required to ensure that the information is to be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”

However, the requested information is sometimes part of a massive volume of data that the data subject may not be able to understand immediately or that is difficult to provide completely. Therefore, to ensure that the data controller complies with Article 12(1) of GDPR and Article 15, EDPB proposes that the information shall be provided in a “layered approach.” However, the layered approach must only be observed in very specific circumstances.

The layered approach raises the question of what sort of information should be presented in the first layer. In response to this question, EDPB recommends in the draft guidance that the information that is most relevant to the data subject should be provided in the first layer, followed by more personal data in later layers.

EDPB further clarifies in the draft guidance that a data controller shall inform the data subject of the layered approach, its mechanism, and how the data subject can access different layers of information from the onset.

It is also to be noted that these are only draft guidelines and are subject to public consultation until full enactment.
