European data protection board updates data subject access guidance

Viewpoints
April 19, 2023

On 17 April 2023, the European Data Protection Board (EDPB), the body tasked with ensuring the consistent application of data protection law across the EU, announced that it had adopted a finalised version of its data subject access request (DSAR) guidance. The updated guidance includes clarifications on a data controller's DSAR responsibilities; when data controllers may refuse a DSAR; and the interplay between DSARs and data retention periods.

Clarifications and updates

The EDPB clarifies and updates several aspects of compliance in its updated DSAR guidance for data controllers, including the following:

  • Appropriate organisational measures to handle DSARs
    • Provide onsite access when handling a large quantity of non-digitalised data to allow the data subject to be made aware of what personal data is undergoing processing and to be able to make an informed decision about the personal data to be requested.
    • Respond to a DSAR in separate replies, particularly where sensitive information is involved (e.g. in the context of whistleblowing), as it would be inappropriate and potentially unlawful for the controller to share the data subject’s information across departments or to otherwise consolidate it into a single response.
    • Use appropriate mechanisms to facilitate the exercise of DSARs, such as (i) autoresponder systems to inform data subjects of staff absences and appropriate alternate contact points; and (ii) mechanisms to improve internal communication between employees dealing with DSARs.
    • If the DSAR is submitted by electronic means, the GDPR requires data controllers to provide the relevant data in a “commonly used electronic form”. The EDPB clarifies that the choice of form should be based on an objective assessment, which will depend on the formats generally used in the controller’s areas of operation or in the context of the particular DSAR. Where there are no such formats, open formats set by international standards (e.g. ISO) will generally be acceptable. Other formats may also be considered, depending on how easily data subjects can access the information. To that end, a data controller may specify or provide programs to access the information, although data subjects should not be obliged to purchase software to obtain access.
    • If data controllers intend to charge a fee to provide further copies of data, they should indicate this in advance and provide, as accurately as possible, a cost estimate of the fee they are planning to charge to the data subject, in order to give the data subject the possibility to determine whether to maintain or to withdraw the request.
  • Specification and authentication
    • If data controllers request data subjects to specify what data they wish to access, data controllers should, at the same time of their request for specification, give meaningful information regarding processing operations that could concern the data subject. Such information could include which branches of its activities are relevant to the data subject, and other information that would allow the data subject to specify its request sensibly.
      • For example, in the context of an employee who submits a generally formulated request for access, it is not “per se clear” what data is requested, and giving effect to the DSAR may result in the employee receiving a large quantity of information, most of which the employee would have no interest in. The data controller should thus request that the employee specify what data they wish to access, and provide information on its processing activities that could concern the employee, so that the employee can specify the request sensibly.
    • When authenticating the identity of data subjects who submit DSARs, the EDPB states that personal data used to register the individual can also be used as evidence to authenticate the data subject, as data subjects are frequently initially authenticated by data controllers prior to entering a contract or providing their consent to processing.
  • DSAR refusals on the basis that data subjects cannot be identified from the requested data
    • Data controllers may refuse to give effect to a DSAR if they (i) process personal data for a purpose that does not require identification of the data subject; and (ii) demonstrate that they are not in a position to identify the data subject. Data controllers are not obliged to acquire additional information to identify the data subject as this would be contrary to the principle of data minimisation, although data controllers should not refuse information provided by the data subject to support the exercise of their DSAR.
      • For example, in the context of a DSAR from a data subject who claims to have been recorded by a data controller’s video surveillance device, additional information provided by the data subject concerning a specific day and time may allow the controller to identify the data subject and thereby give effect to their DSAR. However, if the controller still cannot identify the data subject (e.g. it remains impossible to identify the data subject from the recording, or the request concerns a long recording period and the controller is unable to process a large quantity of data to identify the data subject), the data controller may lawfully refuse the DSAR.
  • Interplay with data retention periods
    • Data controllers who receive DSARs for data that is scheduled for imminent deletion may continue to process that data beyond its scheduled retention period for the purposes of responding to the DSAR. The lawful basis of such processing is the controller’s compliance with its legal obligation, in line with Article 6(1)(c) of the GDPR. However, the duration of such processing should not be indefinitely extended, and the controller may only continue to process such data up to a maximum of three additional months from the date of receipt of the DSAR. This additional processing should also not be used as a justification for the general extension of retention periods.

Commentary

The EDPB’s DSAR guidance update is the latest in a series of DSAR developments in the EU and UK. In the last few months, several Court of Justice of the European Union (CJEU) judgments and Advocate General Opinions (which, although not binding, are influential and are frequently followed by the CJEU in subsequent decisions) relating to the scope of DSAR obligations have been published. Among other things, they indicate that the data subject’s right of access may extend to the identity of the specific recipients to whom personal data was disclosed, but not to the identity of employees who accessed the data subject’s personal data.

In the UK, the Data Protection and Digital Information Bill (also known as the Data Reform Bill), which is currently making its way through Parliament, proposes several additional grounds on which data controllers may refuse DSARs, particularly where such DSARs are deemed to be “vexatious or excessive”. The UK data protection regulator actively reprimanded organisations that were non-compliant with their DSAR obligations last year, and has announced that it intends to develop a subject access request tool this year to help individuals (i) submit DSARs; (ii) identify where their personal data is or is likely to be held; and (iii) request access in ways that will assist organisations in responding effectively.