EU Regulators Elevate the Threshold of Compliance around Data Subject Access Requests.
The European Data Protection Board and the Irish Data Protection Commission have recently published guidelines for businesses in relation to Data Subject Access Requests ("DSARs"). Both sets of guidelines signal that high standards of compliance are expected from controllers when handling DSARs. The publications are a key indicator that DSARs are very much in the spotlight from a regulatory enforcement perspective.

Recent guidance published by the European Data Protection Board ("EDPB") and the Irish Data Protection Commission ("DPC") reflects a heightened awareness among regulators of DSARs and of failures in companies' DSAR procedures. The Irish and European guidelines taken together have consistent themes and, while they do not have the force of law, their guidance is instructive to businesses all over the world that are subject to the GDPR.
On 10 October 2022, the Data Protection Commission ("DPC") published guidance which provides welcome clarity for businesses when responding to data subject access requests ("DSARs"). The key takeaway from the DPC's guidance is that a high standard of compliance is expected from controllers in relation to handling DSARs, particularly when it comes to response times. It will be important for all businesses to take stock of the DPC's guidance as the right of access (the vehicle for individuals to submit DSARs) is the most complained about data protection right that the DPC deals with year-on-year.
It is also worth highlighting that the EDPB published draft guidelines on navigating DSARs for businesses in January. Together, these regulatory standards are a key indicator that DSARs are very much in the spotlight from a regulatory enforcement perspective. While the DPC and the EDPB standards do not have the force of law, businesses might consider bridging any gaps in existing DSAR response policies and procedures where they do not meet the standards of compliance set by the EDPB and other supervisory authorities.
What are the key impacts for businesses?
Key impacts and best practices set out by the DPC and EDPB that businesses need to be aware of and implement when responding to DSARs include:
Businesses to respond within "15 working days" or as soon as possible
The DPC expects controllers to implement policies that respond to DSARs "without undue delay", as mandated by the GDPR. The DPC guidance 'strongly recommends' that businesses' policies aim to respond to DSARs (by providing the information requested in an intelligible manner) within "15 working days" and, in all cases, as soon as possible. This is also the standard expected even where a response timeframe is extended (e.g. businesses should not wait until the end of a DSAR response deadline to respond). The EDPB Guidelines do not mention this 15 day timeframe; however, it would help to ensure that these deadlines are not missed.
"Complexity" is a factual assessment
Controllers may extend the timeframe for responding to DSARs by two months where they can objectively demonstrate that a DSAR gives rise to "complexity" under Article 12(3) of the GDPR. In its guidelines, the DPC provides some examples as to the meaning of "complexity", confirming that it is a case-by-case and fact-specific assessment. These examples include the following factual questions:
- Is the amount of personal data readily available to the controller?
- Does the controller need extra resources to respond to the DSAR? The DPC's example here is not "human" resources but technological ones.
- Does the DSAR response require considerable redaction?
- Does the controller need to apply an exemption?
The draft EDPB guidelines also provide a list of relevant factors when considering if a request gives rise to "complexity" to require an extension of time for responding to DSAR. These include:
- the amount of personal data processed by the controller;
- how the personal data are stored;
- redaction requirements;
- whether personal data needs further work to be intelligible.
Both the DPC and the EDPB indicate that reliance on "complexity" to extend a DSAR response timeframe should be the exception rather than the general approach adopted by businesses.
The clock starts to run on the date of receiving a DSAR
The DPC outlines that controllers must ensure their organisations have a dedicated way for individuals to submit DSARs and for businesses to record them. The DPC also provides that the clock begins to run the day on which a DSAR is received by a controller, even if it is sent to the wrong representative / mailbox of the controller's entity. This will also be the case if the person managing the designated mailbox, or DSARs more generally, is on annual leave.
There is a caveat, however, to this point. The DPC and the EDPB recognise that the 1 month response clock will stop if the controller needs to communicate with the data subject due to uncertainty regarding their identity.
The EDPB also provides that the clock begins to run the day on which a DSAR is received, provided the request has reached the controller through one of its official channels. However, if a correct email address has been provided by the controller, requests do not have to be acted upon by controllers where they are sent to:
- a random or incorrect email address;
- a channel that clearly was not intended to receive it;
- an email address not provided by the controller; or
- an email address of an employee who is not involved in processing such requests.
However, there is a fine line since if the request is sent to an employee who deals with the data subject's daily affairs, it must be acted on.
The DPC's "solution" to these compliance standards is that employees should receive adequate training to deal with DSAR responses. For example, employees should be aware of and note any DSARs lodged (particularly if done so orally) and re-direct such requests to the correct department / person in the organisation.
Receipt of a DSAR should be acknowledged
An acknowledgement of receipt of a DSAR is a recommended practice according to the DPC guidance. Doing so allows the controller and the individual who has submitted a DSAR to identify the date from which the clock starts, so that the DSAR is responded to in time.
Controllers may ask for DSAR scope to be limited but should continue with the response
Individuals are not required to respond to a controller where the controller seeks to limit the scope of a DSAR. If the controller does not receive any acknowledgement or limitation from the individual, the controller must still respond within the statutory timeframe. The EDPB guidelines also reflect this standard. The DPC guidelines recommend that controllers should provide reasons for seeking to limit the scope of a DSAR, in line with the GDPR's overarching principle of accountability.
Only verify identity where there is "reasonable doubt"
The DPC guidance is clear that controllers should only seek to verify an individual's identity where there is reasonable doubt as to their identity. The steps taken by a controller to verify an individual's identity should be at most what is necessary, applying a proportionality test. In cases of reasonable doubt as to identity, the clock for the time limit to respond to a DSAR stops until the controller verifies an individual's identity.
Controllers may look to implement a method of confirming the identity of such individuals in their organisation. Such measures are only justified where there is an actual security requirement (i.e. reasonable doubt exists), otherwise it could be seen as an obstacle to the data subject's right of access.
The draft EDPB guidelines echo this standard and emphasise that the method used to verify individuals' identity must be proportionate to the nature of the personal data being processed.
Third party authorisation is best practice
An authorisation to act for or represent an individual should be provided to a controller where a third party (e.g. a solicitor) is acting for that individual. There is no formal requirement as to what form an authorisation should take; however, the third party submitting the DSAR must be able to prove that the authorisation came from the data subject.
Controllers should not copy and paste "supplemental information"
The DPC guidance requires that the supplemental information provided in the DSAR response should not simply be a copy and paste of a controller's privacy notice. Rather, it should reflect the processing carried out for the relevant individual and adapt the information to the particular processing at hand. The draft EDPB guidelines also reflect this position and require privacy notices to be 'updated and tailored' to reflect the processing relevant to the DSAR.
What should businesses do?
The right of access to personal data in the GDPR is under the spotlight for businesses and supervisory authorities alike. Businesses will often internally manage a DSAR. This may be due to costs for seeking expert advice or a view that it will be a simple task for the controller to complete. The reality is that many DSARs are a precursor to prospective litigation or arise due to pending litigation. Irrespective of the reason for a DSAR, the EDPB and national supervisory authorities' standards evidence a high compliance threshold for businesses responding to DSARs.
Companies should monitor such developments and guidance from regulators/supervisory authorities across the EU, particularly the upcoming final version of the guidance coming from the EDPB (it is currently in draft form).
EDPB and national supervisory authority guidelines can impact companies all over the world that are subject to the GDPR. Businesses should review existing DSAR response policies and procedures to ensure consistency with required standards of law, considering the standards prescribed by the DPC and the EDPB.
Article provided by INPLP member: Leo Moore (William Fry, Ireland)