On January 28, 2022, the European Data Protection Board (“EDPB”) initiated a public consultation on its draft Guidelines 01/2022 on data subject rights – Right of access (“draft Guidelines”). Running to 60 pages, the draft Guidelines cover a range of topics relating to the right of access, including analyzing a request; establishing the identity of the requesting data subject; assessing the scope of the right of access; guidance on how controllers can comply with a request; and limitations on the right of access. The draft Guidelines provide important clarifications as to how EU supervisory authorities interpret the GDPR’s access right, which we set out below.

Complying with a Request

  • Form of the request: Controllers can receive access requests through any number of communication channels. The EDPB confirms that a controller is not obliged to act on requests sent to “a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests concerning data subject’s right, if the controller has provided an appropriate communication channel, that can be used by the data subject.” The EDPB clarifies that this point applies only to requests sent to communication channels where the data subject cannot reasonably expect that it is the appropriate contact address for such requests. This would not include situations where a data subject sends a request to the controller’s employee who deals with the data subject’s affairs on a daily basis (e.g., a personal account manager). In practice, therefore, it is unlikely that controllers will routinely be able to rely on this guidance to not comply with a request.
  • Wording of the request: The EDPB states that an access request should be understood in broad terms. The draft Guidelines recognize, however, that it is possible to limit access to information in various situations, including:
    • When the data subject’s own request is for a subset of data.
    • Where a controller processes a large amount of personal data about a data subject and “may have doubts” as to whether the data subject does want to receive “all” data processed about them; in such cases, the controller may ask a data subject to specify the scope of their request (the controller is expected to play a role in helping the data subject to understand the processing activities that may affect them as part of clarifying the scope of their request).
    • Where an exception or restriction of the access right applies (on which, see more detail, below).
  • Providing a copy: Many data subjects understand their right of access to relate to access to documents, rather than the personal data contained in those documents. The EDPB confirms the position, as set out in CJEU case law, that data subjects have a right to access their personal data, and not necessarily to the documents in which that personal data is contained. This guidance supports the approach, taken by some controllers, of extracting personal data from original documents and putting it into a new document that is then furnished to the data subject.
  • Deadline for responding: Many controllers take the full 3 months, as permitted by the GDPR, in order to comply with access requests. The EDPB, however, emphasizes that extending the default timeframe of 1 month, by a further 2 months as is permitted, to respond to a request “is an exemption from the general rule and should not be overused.” In the EDPB’s view, the mere fact that complying with the request would require a great effort does not make a request complex, and that “[i]f controllers often find themselves forced to extend the time limit, it could be an indication of a need to further develop their general procedures to handle requests.”
  • Information rights: Currently, many controllers provide data subjects with a copy of an applicable privacy notice under Article 13 and/or 14 of the GDPR to comply with requests under Article 15(1) and (2) of the GDPR. The EDPB considers that to some extent, this is appropriate, and that there will be certain information about processing activities that will not change across different access requests (e.g., information about data subject rights); this information may be “communicated in general terms” such as via a privacy notice. In other cases, however, it is necessary for controllers to tailor the information provided to data subjects in order to reflect processing operations actually carried out with regard to the requesting data subject.

Limiting Access based on the Rights and Freedoms of Others

The EDPB also discusses some of the GDPR exemptions to the access right in the draft Guidelines, including where personal data might interfere with the rights of third parties. In accordance with Article 15(4) of the GDPR, the right to obtain a copy of personal data “shall not adversely affect the rights and freedoms of others.” Recital 63 of the GDPR further explains that the right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular, the copyright protecting software.

The EDPB explains that “[t]hese explicitly mentioned rights and freedoms should be regarded as examples, as in principle any right or freedom based on Union or Member State law may be considered” to invoke the limitation of Article 15(4) of the GDPR. In particular, the EDPB gives an example of the right to confidentiality of email correspondence in an employment context as a right that should be taken into account. This will be particularly relevant for controllers dealing with access requests from employees, where they are asked to search other employees’ email inboxes.

The EDPB confirms, however, that “the result of those considerations should not be a refusal to provide all information to the data subject.” Where a controller considers that complying with an access request would adversely affect the rights and freedoms of others, the controller should try to reconcile the conflicting rights (e.g., by removing or redacting third-party information). If it is not possible to reconcile the competing rights in this way, the controller will have to decide which party’s rights will prevail.

The public consultation ends on March 11, 2022. Please contact us if you would like to respond to the public consultation, or if you would like advice on the draft Guidelines.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Shona O'Donovan Shona O'Donovan

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying…

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying with data protection laws in the EU. In particular, she represents organizations in regulatory investigations and inquiries, advises on children’s privacy issues and provides strategic advice on incident response. Shóna also advises clients on policy developments in online content and online safety.

In her current role, Shóna has gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.