The European Data Protection Board (EDPB) a few days ago published updated (second version) guidelines on the rights of data subjects, specifically the right of access to personal data. Any person whose personal data is processed is entitled to the right of access under Art. 15 of the GDPR. The right of access to data is considered one of the key rights under the GDPR, as it allows you to maintain control over what personal data is being processed, by whom, on what legal basis, to whom it has been made available, etc. Although the guidelines are primarily addressed to data controllers, they contain valuable tips for data subjects, providing insight into the actual scope of our rights. It's good to familiarize yourself with them, because as consumers, we leave digital footprints almost everywhere, and as a result, it's good to know what rights we have.
Just not to sound groundless, here are some noteworthy points from the guidelines:
1. If you ask for access to your data the controller should give you access to all your personal data that are processed, unless you expressly limit your request (e.g. to identification data or data concerning a contract concluded on a particular day). The controller is not entitled to narrow the scope of your request arbitrarily, but may ask you to specify the request if he processes a large quantity of data.
2. Before granting access to personal data, the controller should confirm your identity in order to ensure the security of processing and minimise the risk of unauthorised disclosure of personal data. In this regard the EDPB emphasized that "as a rule, the controller cannot request more personal data than is necessary to enable this authentication, and that the use of such information should be strictly limited to fulfilling the data subjects’ request" (p. 25). The GDPR does not precise how to identify the data subject, so it is up to the controller to decide which authentication method is the most appropriate. However, the method must be proportionate to the circumstances of the processing, including the type of personal data being processed (e.g. special categories of data), the context within which the request is being made, potential damage that could result from improper disclosure of data). It happens that controllers fail to meet this requirement and choose methods that are convenient for them, but disproportionate. The EDPB states: "In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request the logging through the login and password of the user, which in such cases should be sufficient to authenticate a data subject. [...] Consequently, it is disproportionate to require a copy of an identity document in the event where the data subject making a request is already authenticated by the controller. [...] Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID card, it should generally not be considered an appropriate way of authentication" (p. 27).
3. Information requested as part of data access right should be provided to the data subject without undue delay and in any event within one month of receipt of the request. This deadline can be extended by a maximum of two months taking into account the complexity and the number of the requests that the controller receives. In such a situation the data subject must be informed about the reasons for delay. But the rule is that the controller should act "without undue delay", which means that the information should be given as soon as possible - "if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so" (p. 50).
4. Sometimes the controller may limit or refuse to give access to personal data. According to Art. 15(4) GDPR, the right to obtain a copy of data shall not adversely affect the rights and freedoms of others. Another restriction results from Art. 12(5) GDPR which enables controllers to override requests that are manifestly unfounded or excessive, in particular because of their repetitive character. These concepts must be interpreted narrowly. Data access right may be exercised more the once, but as it was indicated in recital 63 of the GDPR - "at reasonable intervals". It is not possible to determine in advance how often it is permissible to make requests for access to data, because it depends on processing circumstances. The EDPB remarks that "the more often changes occur in the database of the controller, the more often data subjects may be permitted to request access to their personal data without it being excessive". For example, "in the case of social networks, a change in the data set will be expected at shorter intervals than in the case of land registers or central company registers" (p. 56).
These are just a few examples worth keeping in mind. For more, I recommend checking out the guidelines.
