20# Data Subject Rights – The right to access

Welcome back to our series on GDPR requirements. Last week, you got an introduction to data subject rights in the regulations and how to respond to requests from data subjects. Today, we’re going to discuss the right to access – the obligation to confirm if and how the data subject’s personal data is processed and to provide the data subject with a copy of their data.

At the request of the data subject you, as the controller, must confirm whether you are processing personal data related to them. That means that you should be able to go through all of your records to identify whether personal data is processed to respond to the request and be transparent regarding your processing activities. In general, you should be able to provide the individual with a free copy of their data being processed upon the data subject’s request. If appropriate, the copy should be in an electronic, commonly used file type. As the EDPB clarifies in its Guidelines: even though the GDPR expressly contains an obligation to provide the individual with a copy of the personal data that is undergoing processing, it doesn’t mean that the individual always has a right to a copy of the actual documents containing the processed data, but rather an unaltered copy of the data that is being processed. A copy of the data could be provided through a compilation, as long as it’s possible for the data subject to be made aware and verify the lawfulness of the processing.

However, under some circumstances, it could be appropriate for the controller to provide access through other ways than providing a copy. Such non-permanent modalities of access to the data could be, for example, oral information, an inspection of files, and on-site or remote access without the possibility to download. These modalities may be appropriate ways of granting access, for example in cases where it is in the interest of the data subject or the data subject asks for it. Non-permanent ways of access can be sufficient if, for example, it can satisfy the data subjects’ need to verify that their personal data are correct by letting them examine the original record.

In addition to this, you should check if there are any exemptions from the right of access exist in the particular case. According to article 15(4) in both the UK and EU GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others, which includes trade secrets and intellectual property rights. The EDPB explains in their Guidelines that these are only examples, while, in principle, any right or freedom based on the EU or Member State / UK domestic legislation may limit the right of access. You, as the controller, must be able to demonstrate that the rights or freedoms of others would factually be impacted in a specific situation. A concrete example from the Guidelines is the situation where a data subject requests access to their personal data, but the files contain sensitive information about other people. However, the request cannot be automatically denied with reference to the GDPR Article 15(4). Instead, you have to properly examine whether or not other people’s rights and freedoms will be factually affected by complying with the request. You should evaluate whether you can comply with the request without breaching Article 15(4) by removing other people’s data.

As for the UK specifically, there are exemptions from the right of access in respect of personal data processed for crime and taxation-related purposes, as well as the data related to legal professional privilege, etc. There are also other exceptions and special rules as defined by the UK’s domestic law. Please look into the ICO’s website for more detailed guidance in this relation.

Furthermore, you should also provide the data subject with some additional information about the processing of their personal data. Like the purpose of the processing, the personal data types, the envisaged period for which the data will be stored, the existence of any automated decision-making, the existence of other DSRs, and any transfers to a third country or an international organisation and the related appropriate safeguards.

If you have a lot of personal data relating to the individual, you can use the so-called “layered approach”, which is to provide the information in different layers that are more comprehensible for the data subject. It should nevertheless be stressed that this approach can only be used “under certain circumstances and needs to be carried out in a way that does not limit the right of access” as the EDPB stated. You may use it if it provides added value for the data subject. In case you’d like to learn more about the right of access, please take a look at the EDPB Guidelines and ICO Guidelines on the topic.

When responding to a ‘right of access’ request, DPOrganizer’s tool makes it easy by having your processing operations mapped, which would be a time-saver in identifying what data are processed, where, and how. You can also create a case and have a case log readily available for responding to the request. Don’t hesitate to contact our Professional Service team (albin.thelin@nulldporganizer.com) or your privacy peers over at the Watercooler community if you have any questions about responding to data subject requests!