Blog Post
Data Subject Requests and the GDPR: Steps to Prepare
Citizens in the E.U. have the right to request information about the storage of their personal data (GDPR Article 15). Many make good use of it. Similarly, in the U.K., citizens can pursue a Data Subject Access Request (DSAR) under the U.K. Data Protection Act. These requests for information by data subjects, whether individuals, customers, suppliers or authorities, can cause companies great distress — unless they are prepared to respond to them fully, on time and in a manner that builds trust with customers, employees and partners.
The General Data Protection Regulation (GDPR) came into force at the same time as the German Federal Data Protection Act (BDSG), both of which significantly strengthened consumers’ rights regarding their personal data. These regulations stipulate how companies collect, store, share, use and protect personal data. To uphold compliance with these laws, organisations must take extensive steps, including ensuring data subjects consent to the storing and processing of their data and operationalising processes for responding when information requests are made. Additional obligations are defined under these laws, and further laws add requirements for protecting certain types of data, such as health data or information relating to children.
With the right of access provided in Article 15, GDPR has given data subjects a powerful tool. They can make information requests, so-called Data Subject Access Requests (DSAR), to gain insight into the data a company stores about them. It should be noted that, especially in Germany, past court rulings and the ongoing proceedings at the E.U. level are, at least on some readings, contradictory, particularly where labour law interacts with the right of access under the GDPR.
The law states that data subjects have the right to obtain confirmation from the controller as to whether personal data concerned are being processed and, if so, the right to obtain access to those personal data. The information that companies must provide is extensive.
Room for interpretation
However, the corresponding article of the GDPR leaves much room for interpretation, and in turn, questions for organisations. In January 2022, the European Data Protection Board (EDPB), the European supervisory authority for compliance with the GDPR, published guidelines on data subjects’ rights — the right of access. The guidelines provide additional guidance on requests for information and list numerous illustrative examples of how companies can respond to requests in a legally compliant manner.
User-friendly communication channels for information requests are recommended
A request for information can be made by email or as a letter to an official contact point. Ideally, the person responsible for the DSAR should provide user-friendly communication channels, such as posting a request form on the company’s website.
If a requester’s personal data cannot be identified, the company must inform the requester and ask for additional information. If there is doubt as to whether a data subject is who they claim to be, the controller must request additional information to confirm the data subject’s identity. Implementing a management system to track inquiries and responses is helpful, as tight deadlines may apply.
Right to information for more than name, address and telephone number
The scope of the request for information is determined by the term “personal data” as defined in GDPR Article 4(1). In addition to primary personal data such as name, address, telephone number, etc., various data such as medical findings, purchase history, credit scores, activity logs, search activities and more may fall under this definition.
The right of access covers the personal data of the person making the request. In addition to granting access to the personal data, the controller must provide further information about the data processing and the data subject’s rights, as set out in Articles 30, 13 and 14 of the GDPR. However, this general information may need to be updated at the time of the request so that it reflects the processing operations actually carried out on the applicant’s data.
Data that may be inaccurate or processed unlawfully must also be provided. This does not include deleted data which, for example, is subject to a retention policy and is no longer available to the data controller. Moreover, personal data subjected to pseudonymisation, i.e. processed in such a way that it can no longer be attributed to a specific person without additional information, is still considered personal data (in contrast to anonymised data, which is not considered personal data).
Access in an easily accessible form
A request for information relates to all personal data in all information technology (IT) and non-IT file systems. If large amounts of data are involved, the company should ask the requester to specify which data or processing operations the request concerns. The communication of data and other information about the processing must be made in a precise, transparent, intelligible and easily accessible form, using clear and plain language. If the data consist of codes or other “raw data”, they should be explained where possible.
Rapid response to requests for information necessary
A request must be complied with within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity of the request. However, the data subject must be informed of the reason for the delay.
If data are only stored for a short time, it must be ensured that the data are not deleted while a request for information is being processed. If large amounts of data are processed, the controller should set up routines and mechanisms adapted to the complexity of the processing.
Limits and restrictions of the request for information
Undoubtedly, the effort involved in processing these requests is significant and sometimes goes beyond what is feasible. The GDPR, therefore, allows certain limitations to the right of access.
According to Article 15(4), the right to obtain a copy must not adversely affect the rights and freedoms of others. The EDPB has clarified that these rights must be considered both when access is granted by sending a copy and when access takes place by other means (on-site access, for example). The company must be able to demonstrate that the rights and freedoms of others are affected in the specific situation. If this is the case, the affected information can be omitted or redacted before disclosure.
Article 12 of the GDPR also allows companies to refuse manifestly unfounded or excessive requests, or to charge a reasonable fee for such requests. It is not uncommon for former employees to use a request for information to try to prove deficiencies in the storage of their personal data and to obtain compensation for this. The more frequently a company’s database changes, the more often a data subject may legitimately request access. The staff member responsible for the request must be able to demonstrate the manifestly unfounded or excessive nature of a request. Instead of denying access, even for excessive requests, the company may charge the data subject a fee to cover administrative costs.
National law may decide on exceptions
Restrictions on the right of access, and exceptions to it, may also be laid down in the national law of the member states under Article 23 of the GDPR. For Germany, the BDSG applies in this context. It is in line with the GDPR apart from some additions, especially regarding the handling of personal data by security authorities.
Excerpts from the checklist of the Guidelines 01/2022 on the rights of data subjects – the right of access
Step 1: How to interpret the request for information
- Does the request relate to personal data?
- Does the request relate to the requirements of the GDPR or other laws?
- Does the request relate to Article 15 of the GDPR?
- Is the request made by a data subject (verify identity)?
- What is the scope of the request?
Step 2: How to respond to a request
- Confirm whether personal data is available
- Grant access to the personal data
- Obtain additional information on the purpose of the request and the applicant
- Take appropriate action: concise, transparent, understandable, easily accessible
- Provide a copy or grant access to others
- Possibly use a layered approach (most relevant in the online context)
- Reply without delay and in all cases within one month (extendable by two further months in exceptional cases)
Step 3: How can the data controller retrieve all personal data?
- Define search criteria based on the data subject’s details, other information the data controller has about the data subject, and the factors by which the data is structured (e.g. customer number, IP address, job title, family relationships)
- Identify any technical functions that may be available to retrieve data
- Search all relevant IT or non-IT file systems
- Compile all data relating to the data subject in a way that fully reflects the processing and allows the data subject to identify and verify the lawfulness of the processing
Step 4: Check boundaries and restrictions
- Will the release of the data restrict the rights of third parties?
- Is the request unfounded?
- Is the request excessive, constantly repeated and aimed at compensation?
Practical takeaways:
- Prepare and identify the required processes in advance so the organisation can handle a request when it comes in.
- Conduct data mapping and data indexing across data sources and systems.
- Design and qualify the processes required to anonymise, archive, protect and produce information, including handling restricted categories such as export-sanctioned datasets or medical records.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.