Responding to Data Subject Access Requests – Legal Certainty Ahead?
Davinia Brennan discusses the DPC Guidelines on DSARs and looks at some recent findings of the CJEU.
When receiving data subject access requests ("DSARs"), companies face various legal uncertainties, which have contributed to such requests constituting the largest category of complaints made annually by data subjects to the Irish Data Protection Commission ("DPC"). The DPC warned in its last Annual Report (previously discussed here) that it will be increasing its enforcement in this area. The DPC is concerned, in particular, that there is a pattern of data controllers not performing adequate searches for personal data, not informing individuals that they are withholding data and which exemption they are relying on to do so, and not responding within the statutory timeframe.
The Right of Access
The right of access is a vital part of European data protection laws. The substance of the right of access is set out in Articles 12 and 15 of the GDPR. Data subjects are entitled to a copy of their personal data, as well as certain prescribed information about the processing of their personal data, such as details of the purposes of processing, the recipients or categories of recipients of their data, and retention period.
Two sets of guidelines on the right of access under the GDPR were published by the European Data Protection Board ("EDPB") and the DPC, at EU and national level respectively, last year to assist controllers with responding to DSARs. Whilst these Guidelines are informative, in many ways they have raised the bar in regard to what is expected of controllers.
Following our previous article discussing the draft EDPB Guidelines on DSARs (available here), this article discusses the DPC Guidelines on DSARs, and looks at some recent findings of the Court of Justice of the European Union ("CJEU"), which provide some welcome clarity in regard to the scope of the right of access.
Key Highlights in DPC Guidance
We have set out below the key highlights of the 20-page DPC Guidelines on DSARs, and flagged some minor instances where they deviate from the draft EDPB Guidelines. As with our previous article on the draft EDPB Guidelines, we consider what guidance is provided in respect of four key operational steps that arise when responding to DSARs, namely:
1. Assessing the validity of the DSAR;
2. Searching for personal data relating to the requester;
3. Statutory exemptions; and
4. Responding to the DSAR.
Step 1: Assessing the validity of the DSAR
Form of request
The DPC Guidelines remind organisations that the GDPR does not require a DSAR to be made in any particular format. A data subject may validly lodge a DSAR by any method of communication, whether by post, phone, informal chat or in person, and does not need to explicitly state that it is an access request under the GDPR. A controller may redirect a data subject to the relevant contact person dealing with DSARs, or may redirect the correspondence itself internally, but the time limit for responding starts running on the day the DSAR is received by the controller.
In line with Article 12(6) GDPR, an organisation should not require identity verification information from the requester unless it has "reasonable doubt" about their identity. In circumstances where there is reasonable doubt, the clock for responding to the request does not start running until the data subject's identity has been adequately established.
Like the draft EDPB Guidelines, the DPC warns that the method used for identity verification must be proportionate in light of the personal data being processed and the damage that could result from unauthorised disclosure.
It is also open to a controller to ask a data subject security questions in order to confirm their identity. Requesting excessive identity verification could be seen as a breach of a controller's obligation to facilitate the right of access and of the data minimisation principle.
We have already seen the DPC, as lead supervisory authority, taking enforcement action against organisations for requesting excessive identity verification documentation from data subjects, by issuing reprimands to Groupon, Twitter, and Airbnb. Other EU supervisory authorities have also imposed fines on companies for excessive data subject identity verification requests, with the Spanish Supervisory Authority imposing a €240,000 fine, and the Dutch Supervisory Authority imposing a €525,000 fine.
Request by authorised third party
A data subject may authorise a third party (such as a solicitor, or non-profit organisation) to lodge a request on their behalf. There is no need for the authorisation to bear particular formalities, as long as there is evidence that authorisation came from the data subject.
Step 2: Searching for personal data relating to the requester
Asking data subjects to clarify scope of their request
A controller may request the data subject to specify the information they want when the controller "processes a large quantity of information concerning the data subject" or "whenever it is reasonable to do so." However, a controller must comply with the DSAR even if the request for clarification remains unanswered. The DPC deviates somewhat from the draft EDPB guidelines by noting that if the controller requests clarity about the scope of the request in circumstances where it does not process a large quantity of information about the data subject, the clock for the purposes of responding to the DSAR does not stop. The DPC recommends that controllers always document the reasons for the request for clarification in accordance with the principle of accountability.
In a further deviation from the draft EDPB Guidelines, the DPC states that controllers are not obliged to conduct searches which go beyond what is reasonable in terms of time and money, taking into account the circumstances of the case. This arguably indicates that the DPC (unlike the EDPB) endorses the application of the proportionality principle with regard to access requests. Indeed, Recital 4 of the GDPR acknowledges that the right to data protection is not absolute, and has to be balanced against other fundamental rights in accordance with the principle of proportionality. This should arguably include a controller's right to conduct a business under Article 16 of the EU Charter of Fundamental Rights.
Procedure for handling DSAR
The DPC recommends that controllers put appropriate technical and organisational measures in place that will facilitate the detection of all personal data held about the data subject whose personal data are being sought.
Step 3: Statutory Exemptions
Manifestly unfounded or excessive
Article 12(5) GDPR allows controllers to refuse "manifestly unfounded" or "excessive" requests or to charge a reasonable fee for such requests. Like the draft EDPB Guidelines, the DPC interprets these concepts narrowly. The DPC notes that "manifestly unfounded" means that the request does not concern personal data at all, or it does concern personal data, but it is not data handled by the relevant controller.
In order to assess if a request is "excessive", in light of its repetitive character or otherwise, it is recommended that a controller considers each single DSAR first, and thereafter operates a contextualisation to consider "excessiveness". In the DPC's view, the fact, on its own, that the DSAR reoccurs or, that it would take a lot of time and effort to provide information does not automatically imply excessiveness.
Step 4: Responding to the DSAR
Deadline to respond
The DPC strongly recommends that controllers should respond to DSARs "within 15 working days" or as soon as possible. Whilst the DPC also acknowledges there is nothing in the GDPR regulating the instance of a shorter deadline to respond than the one calendar month timeframe, it states that the one month response timeframe "is a maximum one", and the controller should be able to justify why they cannot fulfil any request by the data subject for an earlier response, in accordance with the principle of accountability.
It is indeed clear that, in certain circumstances, a delay in taking action in respect of a DSAR may lead to a violation of Article 15 GDPR, in particular where permanent deletion of the relevant data is imminent due to the data retention policies of the controller. For example, the DPC, acting as Lead Supervisory Authority, has reprimanded Ryanair for violating the right of access under Article 15 GDPR, due to its failure to provide a complainant with a copy of a recording of a phone call following a DSAR. Due to a delay on Ryanair's part in processing the DSAR, it had deleted the recording in line with its data erasure policy.
Extension of time due to the "complexity of the request" or "number of requests"
Controllers can extend the response timeframe in respect of a DSAR by two further months where necessary, taking into account the "complexity of the request" or the "number of requests" (as per Article 12(3) GDPR). In line with the draft EDPB Guidelines, the DPC notes that the following factors are relevant in considering whether a request is sufficiently "complex" to warrant an extension of time for responding:
- Whether the amount of data is readily available on its systems;
- Whether extra resources will need to be employed in order to comply with the DSAR;
- Whether the response requires considerable redaction of third party data; and
- Whether exemptions will need to be applied.
Right to a "copy"
Article 15(3) GDPR requires controllers to provide data subjects with a "copy" of their personal data. In line with the draft EDPB Guidelines, the DPC states that this does not necessarily mean that the data subject is entitled to a copy of the actual document containing their personal data.
Rather, the controller is obliged to furnish to the requester the personal data to which the requester has a right of access, in a durable format, meaning in a way that is capable of being retained by the requester in accordance with their own needs. This interpretation has been further endorsed in a recent Opinion delivered in a case before the CJEU (discussed further below).
Where a data subject explicitly limits the scope of their DSAR
Where the requester has not requested a copy of "all personal data" relating to him or her, the controller should limit the response to the personal data requested. On the other hand, where there is no explicit delimitation, the controller should furnish the requester with access to all the personal data relating to the requester which it processes at the time of receipt of the request.
Information on processing
In addition to providing a data subject with a copy of their personal data, a controller is obliged to provide data subjects with certain information about how their data is processed. This information is set out in Article 15(1) and (2) GDPR, and largely mirrors the information which must be included in privacy notices. As a result it is common practice for controllers to discharge this obligation by including a link to or copy of their privacy notice, when responding to an access request.
Like the EDPB, the DPC warns controllers against this practice. Instead both sets of Guidelines indicate that the controller should "adapt" the information in its privacy notice to the specific requester. This aspect of the Guidelines has been subject to much criticism, to the extent that it will materially increase the operational burden imposed by DSARs, as providing tailored responses will require a specific analysis of how, precisely, an individual's personal data has been processed, and to whom it has been disclosed. However, this approach to complying with Articles 15(1) and (2) GDPR has been endorsed, to a certain extent, recently by the CJEU (discussed further below).
Refusal of DSAR
If refusing a DSAR due to an applicable statutory exemption, the DPC warns that the controller must provide reasons for refusing (including identifying the applicable legislative provisions permitting such refusal and why they apply), and inform the data subject of the possibility of lodging a complaint with the DPC and seeking a judicial remedy (as per Article 12(4) GDPR).
The EDPB and DPC do not make law, but rather provide non-legally binding guidance. It will therefore be interesting to see if the guidance is supported in the courts. There have been an increasing number of national court cases concerning the right of access under the GDPR which are filtering up to the CJEU. These decisions will provide organisations with more legal certainty when responding to DSARs.
1. Right to a "copy"
On 15 December 2022, Advocate General MG Pitruzzella delivered an Opinion in case C-487/21 (Österreichische Datenschutzbehörde and CRIF), in regard to what constitutes a "copy" of the personal data when exercising the right of access. It remains to be seen if the CJEU will follow the Advocate General's Opinion.
In brief, the Advocate General found that the right of access does not confer on the data subject a general right of access to a partial or complete copy of the document in which the data subject's personal data are contained or to an extract of a database. Rather, the term "copy" must be understood as a faithful reproduction, in an intelligible form, of the personal data requested by the data subject, in a tangible and permanent format, which allows the data subject to exercise his or her right of access in an effective manner.
The Advocate General added that it is not excluded that, in certain cases, the data controller may be required to provide the data subject with documents or extracts from databases if necessary to ensure the data subject fully understands the personal data undergoing processing. However, the provision of such information will be determined on a case-by-case basis, depending on the nature of the personal data that is subject to the request, and the request itself.
2. No right to disclosure of identity of employees of controller
On 15 December 2022, Advocate General Campos Sánchez-Bordona also delivered an Opinion in case C-579/21 (Pankki), finding that a data subject's right of access and to information about the processing of their personal data under Article 15(1) GDPR does not give the data subject the right to know the identity of the employees who, under the authority and on the instructions of the controller, have consulted his or her personal data. However, this does not prevent Member States from adopting such an approach in their domestic legislation, with regard to one or more specific sectors.
The Advocate General opined that where an employee acts under the "direct authority" of their employer, he/she will not be a "recipient" of personal data (as per Article 15(1)(c) GDPR), and therefore his or her identity does not have to be disclosed to the data subject. However, this will not be the case for employees who act outside the instructions of the controller, who may be regarded in their own right as recipients and controllers of the personal data.
The Advocate General noted that the data subject's interest in knowing the identity of the employees conflicts with the equally undeniable interest of the controller in safeguarding the identity of its employees, and the right of those employees to the protection of their own data. The Advocate General's Opinion is not binding on the CJEU, but such Opinions are often followed.
3. Right to be informed of specific recipients of the personal data
On 12 January 2023, the CJEU delivered its judgment in case C-154/21 (Österreichische Post AG), finding that every data subject has a right under Article 15(1)(c) GDPR to be informed of the specific identity of those recipients to whom his/her personal data have been disclosed. Nevertheless, the controller may indicate only the categories of recipients if it is impossible to identify the specific recipients, or if the request is manifestly unfounded or excessive.
Whilst this case provides some welcome legal clarity on the scope of a controller's obligation under Article 15(1)(c) GDPR, it will make responding to DSARs a more burdensome exercise for many organisations. In particular, organisations may find that their existing Records of Processing Activities ("ROPA") will not assist them with identifying the specific recipients, as Article 30 GDPR allows companies to include categories of recipients rather than names of actual recipients in their ROPA. Going forward it would be prudent for companies to maintain a more specific list of recipients in their ROPA, to ensure information on the specific recipients of data subjects' personal data is available when they are responding to DSARs.
4. The administrative and civil remedies provided by the GDPR may be exercised concurrently
On 12 January 2023, the CJEU delivered its judgment in case C-131/21 (Nemzeti Adatvédelmi és Információszabadság Hatóság), finding that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other. This case concerned parallel court proceedings brought by a data subject against the Hungarian Supervisory Authority for refusing to uphold his right of access to data, with a civil action brought by the data subject against the company in question for refusing him a right of access.
As regards the risk of contradictory decisions by national administrative and judicial authorities concerned, the CJEU ruled that it is for each Member State to ensure, through adopting the necessary procedural rules, that the concurrent and independent remedies provided by the GDPR do not call into question the effectiveness of the rights guaranteed by that regulation, or the right to an effective remedy before a court or a tribunal.
The right of access gives rise to the largest number of complaints to the DPC annually. A high proportion of these complaints are amenable to amicable resolution, without the DPC exercising its formal investigation and enforcement powers. However, we have seen the DPC using its corrective powers to enforce the right of access in a number of instances over the past year. In particular, the DPC has imposed a €110,000 administrative fine on Limerick County Council for failure to provide data subjects with copies of CCTV footage collected for traffic management purposes. The DPC, acting in its capacity as lead supervisory authority, has also imposed reprimands on a number of companies for violation of the right of access, and for breach of the data minimisation principle by requesting excessive identity verification documentation from data subjects.
Although the EDPB and DPC Guidelines are not legally binding on organisations subject to the GDPR, they do reflect the views of EU supervisory authorities in terms of what is expected of controllers when responding to access requests, and organisations should familiarise themselves with the regulators' expectations. The decisions also provide some welcome clarity on the scope of the right of access, but will undoubtedly require many companies to review and adjust their processes when handling DSARs.