GDPR: Right of access - New guidelines from the European Data Protection Board

Under the GDPR, every data subject (job applicants, current and former employees, customers, etc.) has the right to request access to all personal data that the data controller (for example, the employer) holds on him or her, and may also request a copy of those data. At the end of January 2022, the European Data Protection Board (EDPB) published new guidelines on the scope of this right. The guidelines will be definitively adopted after the public consultation period has ended.

What is the “right of access”?

The right of access is provided for in Article 15 of the GDPR. Its purpose is to give individuals sufficient, transparent and easily accessible information about the processing of their personal data, so that they can verify the lawfulness of the processing and the accuracy of the data processed.

The right of access has three components:

  • Confirmation as to whether or not personal data relating to the data subject are being processed;
  • Access to these personal data; and
  • Access to information regarding the processing, such as the purpose, the categories of data and recipients, the duration of processing, the rights of the data subject and the appropriate safeguards in the case of transfer to third countries.

What are the formalities for a request?

There are no specific formal or substantive requirements for the request, and the data subject does not have to give reasons for it. The requester does not even have to refer explicitly to the right of access or to the GDPR.

The data controller must provide appropriate and user-friendly communication channels that the data subject can easily use. However, the data subject is not obliged to use these specific channels and may instead send the request to any official contact point of the company. The controller may only disregard a request that is sent to a completely random or manifestly incorrect (e-mail) address. In other words, a request cannot be ignored merely because it was not addressed to the contact person and/or the e-mail address listed in the company's privacy policy. If the controller has reasonable doubts about the identity of the person making the request, it may ask for the additional information necessary to confirm that identity, but it should not collect more data for this purpose than the verification actually requires.

Which personal data must be provided?

The right of access has a broad scope: in addition to basic personal data, according to the EDPB it also covers, for example, subjective notes made during a job application, browsing history, search activity, etc.

Unless explicitly stated otherwise, the request must be understood to relate to all personal data concerning the data subject, although a controller that processes a large amount of data may ask the data subject to specify which data or processing activities the request concerns. This applies to each request separately: if a data subject makes more than one request, it is therefore not sufficient to provide access only to what has changed since the last request.

Even data that may have been processed incorrectly or unlawfully must be provided. Data that have already been deleted, for example in accordance with a retention policy, and are therefore no longer available to the controller, do not need to be provided.

In practice, the controller will have to search all IT systems and other archives (including backups and unstructured repositories such as mailboxes and shared drives, insofar as the data are still available) for personal data, using search criteria that reflect the way the information is structured, for example name and customer or employee number.

How should the request be answered?

The main way to respond to a request for access is to provide the data subject with a copy of his or her data, but other modalities (such as oral information or on-site access) may be used if the data subject so requests. It is up to the data controller to decide the most appropriate form in which to provide the data: by post, by e-mail (provided that the necessary security safeguards, such as encryption, are applied so that the data are not disclosed to anyone other than the requester), on a USB drive, etc.

In any event, the communication of data and other information relating to the processing must be sent in a concise, transparent, intelligible and easily accessible form, using clear and simple language. As regards the information on the processing, it is not sufficient to simply copy the text of the privacy notice in the reply to the data subject, but the text from the privacy notice will have to be specified according to the processing activities relevant to the data subject (e.g., if the privacy notice mentions in general terms that employees’ personal data may be transferred to “hotels” for business trips, the reply to the data subject will have to specify to which hotels the employee’s personal data have been transferred).

What is the deadline for replying to the request?

The request must be answered as soon as possible and in any event within one month of receipt (e.g., a request received on 5 March must be answered by 5 April at the latest). If the last day of the period falls on a weekend or public holiday, the deadline is extended to the next working day. If it is necessary to verify the requester's identity (e.g., by asking for a copy of an identity document), the period only starts to run once the controller has obtained the necessary assurance of the requester's identity.

This one-month period may be extended by a further two months where necessary, taking into account the complexity of the request and the number of requests. The data subject must then be informed of the extension and the reasons for the delay, and this must itself happen within one month of receipt of the request. The EDPB takes the view that this exception should be interpreted restrictively, since the data controller must proactively put in place systems that allow it to respond quickly and accurately to a request to exercise the right of access.

The data controller should take the necessary measures to deal with requests as quickly as possible. A controller that processes a large amount of data will therefore have to build in mechanisms that match the complexity of its processing. According to the EDPB, the mere fact that a company is large and receives many requests should not automatically justify an extension of the deadline.

Can access be denied for certain reasons?

The GDPR allows certain restrictions to the right of access:

  • The right of access may not adversely affect the rights and freedoms of others. According to the EDPB, however, this should not lead to a complete refusal of the request: only the parts that could negatively affect the rights and freedoms of others may be removed or redacted;
  • Requests that are manifestly unfounded or excessive may be refused, or a reasonable fee may be charged to cover the administrative costs. According to the EDPB, however, these notions are to be interpreted narrowly, which means that the scope for treating a request as manifestly unfounded or excessive is rather limited.

Action point

Ensure that your company has clear internal procedures in place that enable it to respond in a timely and accurate manner to requests for access from data subjects such as employees, former employees and customers, including how the requester's identity is verified and how the copy of the data is delivered securely.