The Data Subject's Right to Access
Updated: Jul 8, 2019
The General Data Protection Regulation (GDPR) aims to protect the personal data of EU citizens. To achieve its aim, the GDPR guarantees certain rights to its data subjects. The rights guaranteed under the GDPR are: the right to be informed; the right to access; the right to rectification; the right to erasure also known as the right to be forgotten; the right to restrict processing; the right to data portability; the right to object; and the rights in relation to automated decision making and profiling.
Although these rights exist to protect users and give them more control over their own data, they also pose a challenge to companies, which now need to invest more money and time to ensure that these rights are respected. One right that poses a rather serious challenge to companies is the data subject's right to access, also known as a DSAR (data subject access request), which is set out in Article 15 of the GDPR.
What is the Data Subject's Right to Access?
The right to access allows the data subject to contact their controller and ask whether the controller is processing his/her personal data. If the controller does process personal data concerning the data subject, the data subject can request the following information from the controller:
1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, and, where that is not possible, at least meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
This right exists so that data subjects know what is happening with their data and can check whether it is being processed lawfully, and take action if it is not.
What data falls under this right?
All data that is considered personal data under the GDPR can be requested from the controller. This means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It also includes sensitive data, such as genetic and biometric data.
What are the obligations of companies?
The GDPR also regulates how access rights function: whether a fee must be paid, how the answer should be provided, how long it may take to provide an answer, and whether a company can refuse to answer. Controllers cannot charge data subjects a fee when they ask for information; however, it is possible to charge a reasonable fee if you consider that the request is unfounded. Controllers can also choose not to provide the data subject's information, on the basis that the request is unfounded or repetitive, but the controller then has to explain why it is not providing the requested information. Data subjects can ask for information in both written and oral form. Controllers are obliged to reply within one month, unless the controller considers the request too complex and informs the data subject that it needs additional time, in which case the period can be extended by a further two months. Controllers must respond to the request in written form; best practice is electronic form, although written physical form is also an option. All refusals must state that the data subject has the right to complain to their national supervisory authority and to seek a judicial remedy.
Issues with Data Subject Access Rights
Although it is too early to know, there is a serious chance that once the GDPR is in place, data subjects will start asking their controllers for all sorts of information, which could flood companies with requests. This places a heavy burden on controllers, who will now need to put measures in place to deal with the requests. Answering these requests will be more complicated than most controllers think, and this holds true for both large and small companies. Large companies deal with big data, so it will be incredibly difficult to pinpoint each user's data and explain what it is used for. Small companies will find it difficult to answer requests because they might not have the necessary measures in place to do so. Then there is also the issue of third parties: today most companies share data with many other companies, which means that numerous companies might be processing parts of your data, and this makes the entire process messy and complicated.
Perhaps the most challenging period will be right after the GDPR enters into force, when controllers will most likely be hit by a tsunami of requests right away, as most users will want to know where their data is. After some time, however, these requests might die down and things will return to normal, with fewer requests coming in, making it possible for controllers to manage the load.
How companies should deal with DSARs
Given the many possible complications that these requests present, it is important that controllers start preparing now for the possible tsunami awaiting them. To begin with, companies should create a data subject access request procedure, which can serve as a template for dealing with all requests. Although this will not solve the problem entirely, as requests might vary a lot from one another, it will at least help companies deal with the more general requests, leaving them more time for the more specific and complex ones.
Controllers will need to spend a lot of time and money training their personnel to deal with these requests. This is a double benefit for controllers, as personnel will need to be trained in data protection either way; in this case some will simply need extra lessons to learn more about DSARs and how to respond to them. Besides training personnel, controllers might also look into hiring extra staff for a short period to handle the initial tsunami of requests. Large companies also need to hire a data protection officer (DPO). This is an obligation under the GDPR, but beyond being an obligation a DPO might prove very helpful, as he/she will be an expert and will know how to deal with the more complex requests. Once the number of requests has died down, controllers can continue working with only their main personnel.
Controllers could also create a data subject access request portal where information that is not considered sensitive can be found. This would allow data subjects to access the portal directly and find their personal data there, so they would not need to send a request to the controller at all, since the data could easily be found online.
Another option is to acquire an online tool that would greatly help controllers deal with these requests. Some such tools are already available online and help with the challenges that the GDPR presents. However, this too might require the controller to train their personnel.
Controllers might also try to persuade their national parliaments to push a new policy or law that would require data subjects to pay a small fee when they request access to their information. This might discourage data subjects from making numerous requests.
Luckily, controllers also have the option of denying requests, although this can only be done in specific cases, such as when a request is considered unfounded or excessive, in particular because it is repetitive. This obviously cannot be used in many cases, and even then the controller has to explain why the request was denied.
Controllers also have to be careful when fulfilling these requests: they have to make sure that the person asking for access is the real data subject and not an impostor. Otherwise personal data could fall into the wrong hands, causing a lot of damage to the data subject, who in turn could sue the controller.
Failure to comply with DSARs could cost controllers a lot of money. Data subjects can complain to their national supervisory authority and request a remedy, and if the controller's failure to comply has caused the data subject damage, they can take the case to court. Under the GDPR, controllers can expect fines as high as 4% of their annual global turnover for the previous financial year or €20,000,000! With such high stakes at play, controllers will surely have to take these requests seriously.
Controllers should start putting measures in place as soon as possible, as the GDPR will come into force in less than three weeks from now. There is no doubt that there will be a lot of requests from data subjects, and as we saw above, controllers will have no choice but to comply.
Despite all its challenges, the data subject's right to access might have a silver lining: it might create more jobs, and even an entire digital market of experts capable of dealing with all these requests, or lead to the creation of digital toolkits that make it much easier for controllers to address all these requests within the limited time frame.