The EDPB (European Data Protection Board) issued Guidelines on the Article 15 GDPR right of access of data subjects on January 18th.
What is Article 15 GDPR?
Under Article 15 GDPR, data subjects can request confirmation from the controller as to whether or not their personal data is being processed. If so, they have the right to see those records.
Furthermore, they can request additional information about the purposes of the processing. They can inquire about the types of personal data and whether the controller will disclose it to other recipients. As the EDPB points out, this makes it easier for an individual to exercise other rights, for example the right to be forgotten or the right to have data corrected.
The Draft guidelines summary
Individuals can use their right of access to check and retrieve their data if the processing is improper. The goal is to make it easier for data subjects to check the 'lawfulness and accuracy of the processed data.'
The Guidelines clarify that when a data subject requests access to personal data, controllers shall disclose it in a transparent and straightforward manner.
In addition, if the amount of information requested is too extensive for the data subject to comprehend or handle, controllers may need to adapt the way they present the personal data to each request.
Individuals do not have to explain why they require access to the information held by the controller. The latter must cooperate and allow full access. There is an exemption if the individual requests the data for reasons other than those under the GDPR.
When the controller receives the request, it must determine whether it concerns personal data and whether it falls within the scope of Art. 15, and provide a "user-friendly channel" for the data subject to use.
However, if the controller cannot identify the individual based on the information provided, access may be denied.
Another important concern raised in the Guidelines is the manner in which controllers grant access. Depending on the complexity of the processing and the volume of data, there are several options. For many controllers, this step may be difficult. If the individual has difficulties in understanding (children, people with special needs), the controller will have to look for personal data across all IT and non-IT systems and then present it in a brief and comprehensible manner.
However, the most common method of granting access to data subjects is to provide a copy of the requested material.
Conclusions
Even if the controller no longer retains the personal data at the time of the request for access, the controller must inform the data subjects whether it has transferred personal data to other entities and to whom.
If the controller refuses to grant access in response to a data subject's request, the controller will face a GDPR penalty. Read more about GDPR penalties and how to avoid them.
Source: https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf
Last updated: February 18, 2022