March 2023 / Sistem Global Newsletter Summary (10 April 2023)
April 2023 / Sistem Global Newsletter Summary (9 May 2023)
The Guidelines 01/2022 on data subject rights focus on the right of access, a fundamental right enshrined in the EU Charter of Fundamental Rights and GDPR. The purpose of this right is to give people access to and transparency over how their personal data is processed. It consists of three parts: confirmation of the processing of personal data, data access, and details about the processing itself.
Data controllers must respond to access requests within one month, with extensions of up to two months available. Access may be restricted to preserve the rights and freedoms of others, as stated in Article 15(4) GDPR. Data controllers may also refuse requests that are excessive or unwarranted or impose an appropriate fee. Individuals have the right to access their personal data and to check the legality of its processing. The information given must be clear, transparent, and freely accessible for data subjects to exercise their GDPR rights.
Article 15 GDPR breaks down the right of access into three components: confirmation of personal data processing, access to the data, and information about the processing. The controller must provide a free copy of the personal data upon request, and any further copies may incur a reasonable fee based on administrative costs.
Controllers must take appropriate security measures when providing personal data electronically and consider the possible adverse effects on the rights and freedoms of others. Controllers can use self-service tools in online contexts to avoid providing an overflow of information.
The information provided to a data subject must include all actual personal data held about them, including inaccurate or unlawfully processed data. Controllers must assess each request individually and provide all data available at the point of assessment. They are not required to provide personal data they no longer have due to data retention policies or statutory provisions. Controllers must implement appropriate technical and organizational measures to ensure data security.
There are no formal requirements for making a request, but controllers should provide user-friendly communication channels. The controller must be able to identify and authenticate the data subject to comply with their right of access. If the controller cannot identify the data subject, they may refuse to take action on the request. The GDPR does not impose any requirements on how to authenticate the data subject, but the controller should only request necessary personal data for authentication and limit the use of such information to fulfilling the data subject’s request. Authentication measures must be relevant, appropriate, proportionate, and not impose excessive burdens on data subjects. In an online context, authentication may include the same credentials used to log in to the online service. When requesting an ID for authentication, the controller should only collect necessary information, inform the data subject about the possibility of redacting unnecessary information, and implement safeguards to prevent unlawful processing of the ID.
Controllers must verify the identity and authorization of third parties making a request on behalf of a data subject, such as a proxy or a legal guardian.
The right of access covers personal data contained in minutes, written answers submitted by a candidate at a professional examination, examiner comments, special categories of personal data, personal data relating to criminal convictions and offenses, data actively provided by the data subject, observed or raw data provided by the data subject, data derived from other data, data inferred from other data, and pseudonymised data.
The right of access under GDPR includes inferred and derived data, personal data created by a service provider, and data resulting from subsequent analysis or assessment. The right of access can only be exercised regarding personal data relating to the data subject requesting access. The EDPB encourages controllers not to interpret the term “personal data concerning him or her” too restrictively.
Controllers must provide access to all data processed relating to the data subject, or parts of the data, depending on the scope of the request. They must also provide information on the processing and data subject rights according to Art. 15(1)(a) to (h) and 15(2) GDPR. The information must be specific to the data subject and cannot be narrowed down by the controller.
In terms of recipients or categories of recipients, the request must be satisfied by stating the recipient names. The information on the anticipated time for which personal data will be stored must be explicit enough for the data subject to understand how long the data will be stored. Data storage period indications must focus on the specific data relevant to the data subject. The controller’s answer to data subject rights must be tailored to the data subject’s specific situation and relate to the processing operations in question. Finally, according to Art. 15(1)(g), “any available information” as to the source of the data has to be provided where the personal data are not collected from the data subject.
Under Art. 12 of the GDPR, controllers must take appropriate measures to provide data subjects with requested information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The appropriate measures will vary depending on the circumstances, including the amount and complexity of data being processed and the knowledge the controller has about their data subjects. Controllers should avoid directing data subjects to different sources and document their approach to providing access. Non-permanent modalities of access, such as oral information or onsite access, may be appropriate in some cases. If the request is made electronically, the information must be provided in a commonly used electronic form.
Controllers are required to take the necessary steps to grant data subjects access to their personal information, considering all pertinent factors, such as the volume and complexity of the data being processed and any specific requirements of the data subject. Self-service tools can be a quick and effective way to grant access, but they shouldn’t restrict the amount of personal data obtained. Controllers also need to deal with access requests not made through formal communication channels. The data subject must be able to understand the information and personal data when it is presented to them.
The information must be provided in a format that is both intelligible and easily accessible, and the data subject must be able to download their data in a commonly used electronic form. The controller can decide upon the appropriate form in which the personal data will be provided and may provide a compilation containing all personal data covered by the right of access, as long as it makes it possible for the data subject to be made aware and verify the lawfulness of the processing.
When a controller receives multiple requests from the same data subject, they must prioritize and respond to these requests in a timely manner, as stipulated in Art. 12(3) GDPR. If the controller cannot provide the information within the time limit, they must inform the data subject about the reasons for the delay and provide an estimated time frame for when the information will be provided. The controller should also inform the data subject of their right to lodge a complaint with the supervisory authority and seek a judicial remedy.
Controllers should have efficient procedures in place to handle requests for access to personal data, including clear guidelines on how to respond to requests and trained staff who can handle these requests efficiently. If the controller refuses to provide the requested information, or if the data subject is not satisfied with the response provided, the data subject has the right to lodge a complaint with the supervisory authority and seek a judicial remedy.
The GDPR requires that information under Art. 15 be provided in writing or by other means, including electronic means, and in a commonly used electronic format if requested by the data subject. The format should enable the information to be presented in an intelligible and easily accessible way, and the data subject should be able to download their data in a commonly used electronic form.
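The following is an added example, written for this summary and not taken from the newsletter or from the EDPB guidelines it describes. It sketches how a controller's online service might handle an access request along the lines set out above: authenticating the requester with the credentials of the existing online account instead of collecting extra identity documents, keeping only the authentication method and date rather than the credential itself, compiling every category of personal data the right covers (provided, observed, derived, inferred and pseudonymised data the controller can re-link), returning the result in a commonly used electronic format (JSON), and tracking the one-month deadline with the possible extension. The session store, the profiles, the pseudonymisation key and the processing information are all constructed for the example.

```python
"""Constructed data subject access request (DSAR) handler (added example)."""
import calendar
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# --- constructed stores standing in for the controller's real systems ---------

# Active logins of the online service: session token -> account id.
SESSIONS = {"tok-alice-1": "acct-1001", "tok-bob-7": "acct-2002"}

# Personal data grouped by how it arose; the right of access covers all of
# these categories, not only what the data subject typed in.
PROFILES = {
    "acct-1001": {
        "provided": {"name": "A. Example", "email": "alice@example.test"},
        "observed": {"last_login_ip": "203.0.113.7", "pages_viewed": 42},
        "derived": {"age_band": "30-39"},
        "inferred": {"likely_interest": "hiking"},
    },
    "acct-2002": {
        "provided": {"name": "B. Example", "email": "bob@example.test"},
        "observed": {"last_login_ip": "198.51.100.9", "pages_viewed": 3},
        "derived": {},
        "inferred": {},
    },
}

# Pseudonymised analytics keyed by a keyed hash of the account id. Because the
# controller holds the key it can re-link the data, so it is in scope too.
PSEUDONYM_KEY = b"constructed-key-for-the-example-only"


def pseudonym(account_id: str) -> str:
    return hmac.new(PSEUDONYM_KEY, account_id.encode(), hashlib.sha256).hexdigest()[:16]


ANALYTICS = {
    pseudonym("acct-1001"): {"sessions_last_30d": 9},
    pseudonym("acct-2002"): {"sessions_last_30d": 1},
}

# Information on the processing itself (Art. 15(1)(a)-(h)), constructed values.
PROCESSING_INFO = {
    "purposes": ["account administration", "service analytics"],
    "recipients": ["Example Hosting Ltd (constructed recipient)"],
    "retention": "account data: 2 years after closure; analytics: 13 months",
    "source": "collected from the data subject and generated by the service",
}


def authenticate(presented_token: str) -> Optional[str]:
    """Return the account id for an active session token, or None.

    Reuses the service's own login credential, compares in constant time and
    never records the token itself, so nothing beyond what is needed for
    authentication is collected or kept.
    """
    for token, account in SESSIONS.items():
        if hmac.compare_digest(token.encode(), presented_token.encode()):
            return account
    return None


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date, extended: bool = False) -> date:
    """One month from receipt (Art. 12(3)); up to two further months if extended."""
    return add_months(received, 3 if extended else 1)


@dataclass
class AccessRequest:
    received: date
    account_id: str
    auth_method: str = "existing-session"  # the only authentication detail retained
    extended: bool = False


def handle_access_request(presented_token: str, received: date) -> Optional[dict]:
    """Build the access response, or return None when identity is not established."""
    account = authenticate(presented_token)
    if account is None:
        return None  # cannot identify the data subject: no data is released
    req = AccessRequest(received=received, account_id=account)
    profile = PROFILES.get(account, {})
    return {
        "confirmation": account in PROFILES,
        "personal_data": {**profile, "pseudonymised": ANALYTICS.get(pseudonym(account), {})},
        "processing_information": PROCESSING_INFO,
        "response_due_by": response_deadline(received, req.extended).isoformat(),
        "authentication_record": {"method": req.auth_method, "date": received.isoformat()},
    }


def export_json(export: dict) -> str:
    """Commonly used electronic format for the data subject to download."""
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_json(handle_access_request("tok-alice-1", date(2023, 1, 31))))
```

The export deliberately carries a record of how the requester was authenticated but not the credential, and the deadline helper clamps month arithmetic so a request received on 31 January falls due on 28 February rather than overflowing into March.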
The right to access under GDPR is subject to the limitations and restrictions set out in Art. 15(4) (other individual rights and freedoms), Art. 12(5) (manifestly unfounded or excessive requests), and any restrictions imposed by Union or Member State law. Trade secrets, intellectual property, and copyrighted software are named as examples of conflicting rights and freedoms, but the list is illustrative rather than exhaustive. The right to obtain a copy of personal data must not infringe on the rights and freedoms of others.
Pursuant to Article 12(5) of GDPR, where the requests of the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee reflecting the administrative costs of the requested action or refuse to act on the request. In this case, the controller bears the burden of demonstrating that the request is manifestly unfounded or excessive.