EU Regulators Elevate the Threshold of Compliance around Data Subject Access Requests
Recent guidance published by the European Data Protection Board ("EDPB") and the Irish Data Protection Commission ("DPC") reflects a heightened awareness among regulators of DSARs and of failures in companies' DSAR procedures. Taken together, the Irish and European guidelines have consistent themes and, while they do not have the force of law, they are instructive to businesses all over the world that are subject to the GDPR.
On 10 October 2022, the DPC published guidance which provides welcome clarity for businesses when responding to data subject access requests ("DSARs"). The key takeaway from the DPC's guidance is that a high standard of compliance is expected of controllers in handling DSARs, particularly when it comes to response times. It will be important for all businesses to take stock of the DPC's guidance, as the right of access (the vehicle through which individuals submit DSARs) is the most complained-about data protection right that the DPC deals with year on year.
It is also worth highlighting that the EDPB published draft guidelines on the right of access in January 2022. Together, these regulatory standards are a key indicator that DSARs are very much in the spotlight from a regulatory enforcement perspective. While the DPC and EDPB standards do not have the force of law, businesses should consider bridging any gaps in their existing DSAR response policies and procedures where those fall short of the standards of compliance set by the EDPB and other supervisory authorities.
What are the key impacts for businesses?
Key impacts and best practices set out by the DPC and EDPB that businesses need to be aware of and implement when responding to DSARs include:
Businesses should respond within "15 working days" or as soon as possible
The DPC expects controllers to implement policies that respond to DSARs "without undue delay", as mandated by the GDPR. The DPC guidance "strongly recommends" that businesses' policies aim to respond to DSARs (by providing the information requested in an intelligible manner) within "15 working days" and, in all cases, as soon as possible. The same standard applies even where the response timeframe has been extended (i.e. businesses should not wait until the end of a DSAR response deadline to respond). The EDPB guidelines do not mention a 15 working day timeframe; adopting it nonetheless would help ensure that the statutory deadlines are not missed.
"Complexity" is a factual assessment
Controllers may extend the timeframe for responding to DSARs by two months where they can objectively demonstrate that a DSAR gives rise to "complexity" under Article 12(3) of the GDPR. In its guidelines, the DPC provides some examples of the meaning of "complexity", confirming that it is a case-by-case and fact-specific assessment. These examples include the following factual questions:
- Is the amount of personal data readily available to the controller?
- Does the controller need extra resources to respond to the DSAR? The DPC's example here concerns technological resources rather than "human" resources.
- Does the DSAR response require considerable redaction?
- Does the controller need to apply an exemption?
The draft EDPB guidelines also list factors relevant to whether a request gives rise to "complexity" such that an extension of time for responding to the DSAR is justified. These include:
- the amount of personal data processed by the controller;
- how the personal data are stored;
- redaction requirements;
- whether the personal data need further work to be intelligible.
Both the DPC and the EDPB indicate that reliance on "complexity" to extend a DSAR response timeframe should be the exception rather than the general approach adopted by businesses.
The clock starts to run on the date the DSAR is received
The DPC outlines that controllers must ensure their organisations have a dedicated way for individuals to submit DSARs and for the business to record them. The DPC also provides that the clock begins to run on the day a DSAR is received by a controller, even if it is sent to the wrong representative or mailbox within the controller's entity. This is also the case if the person managing the designated mailbox, or DSARs more generally, is on annual leave.
There is a caveat to this point, however. The DPC and the EDPB recognise that the one-month response clock stops if the controller needs to communicate with the data subject because of uncertainty regarding their identity.
The EDPB also provides that the clock begins to run the day on which a DSAR is received, provided the request has reached the controller through one of its official channels. However, if a correct email address has been provided by the controller, requests do not have to be acted upon by controllers where they are sent to:
- a random or incorrect email address;
- a channel that clearly was not intended to receive it;
- an email address not provided by the controller; or
- an email address of an employee who is not involved in processing such requests.
There is a fine line here, however: if the request is sent to an employee who deals with the data subject's daily affairs, it must be acted on.
The DPC's "solution" to these compliance standards is that employees should receive adequate training on handling DSARs. For example, employees should be able to recognise and note any DSAR lodged (particularly one made orally) and redirect it to the correct department or person in the organisation.
Receipt of a DSAR should be acknowledged
Acknowledging receipt of a DSAR is a recommended practice according to the DPC guidance. Doing so allows both the controller and the individual who submitted the DSAR to identify the date from which the clock starts, so that the DSAR can be responded to in time.
Controllers may ask for the DSAR scope to be limited but should continue with the response
Individuals are not required to respond to a controller that seeks to limit the scope of a DSAR. If the controller does not receive any acknowledgement or limitation from the individual, the controller must still respond within the statutory timeframe. The EDPB guidelines reflect the same standard. The DPC guidelines recommend that controllers give reasons for seeking to limit the scope of a DSAR, in line with the GDPR's overarching principle of accountability.
Only verify identity where there is "reasonable doubt"
The DPC guidance is clear that controllers should seek to verify an individual's identity only where there is reasonable doubt as to that identity. The steps taken by a controller to verify identity should be no more than is necessary, applying a proportionality test. Where reasonable doubt as to identity exists, the clock for the time limit to respond to the DSAR stops until the controller has verified the individual's identity.
Controllers may wish to implement a method for confirming the identity of such individuals within their organisation. Such measures are justified only where there is an actual security requirement (i.e. reasonable doubt exists); otherwise they could be seen as an obstacle to the data subject's right of access.
The draft EDPB guidelines echo this standard and emphasise that the method used to verify individuals' identity must be proportionate to the nature of the personal data being processed.
Third party authorisation is best practice
Where a third party (e.g. a solicitor) is acting for an individual, an authorisation to act for or represent that individual should be provided to the controller. There is no formal requirement as to the form an authorisation should take; however, the third party submitting the DSAR must be able to prove that the authorisation came from the data subject.
Controllers should not copy and paste "supplemental information"
The DPC guidance requires that the supplemental information provided in a DSAR response should not simply be a copy and paste of the controller's privacy notice. Rather, it should reflect the processing actually carried out in respect of the relevant individual and adapt the information to that particular processing. The draft EDPB guidelines take the same position and require the information to be "updated and tailored" to the processing carried out in relation to the data subject making the DSAR.
What should businesses do?
The right of access to personal data under the GDPR is under the spotlight for businesses and supervisory authorities alike. Businesses will often manage a DSAR internally. This may be due to the cost of seeking expert advice or a view that it will be a simple task for the controller to complete. The reality is that many DSARs are a precursor to prospective litigation or arise from pending litigation. Irrespective of the reason for a DSAR, the standards set by the EDPB and national supervisory authorities evidence a high compliance threshold for businesses responding to DSARs.
Companies should monitor developments and guidance from regulators and supervisory authorities across the EU, particularly the forthcoming final version of the EDPB guidance (currently in draft form).
EDPB and national supervisory authority guidelines can impact companies all over the world that are subject to the GDPR. Businesses should review existing DSAR response policies and procedures to ensure consistency with required standards of law, considering the standards prescribed by the DPC and the EDPB.
Article provided by INPLP member: Leo Moore (William Fry, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)