24 Oct The right of access under the GDPR: Practical considerations for Data Controllers

Authors: Isabella Oldani, Francesca Tugnoli, Giada Iovane

In two recent decisions (in particular, Decision No. 236 against Federazione Italiana Nuoto and Decision No. 225 against Unicredit S.p.A., both dated 16 June 2022), the Italian Data Protection Authority (hereinafter the “Authority”) emphasized the importance for Data Controllers to implement procedures that ensure that data subjects can effectively (and easily) exercise their right of access under Article 15 of the Regulation (EU) 679/2016 (“GDPR”).

The Authority’s decisions on the failure to respond to data subject’s right of access

In Decision No. 236, the Authority fined Federazione Italiana Nuoto (hereinafter “Federazione”) for the untimely response to a data subject’s access request. In particular, the data subject complained that she did not receive a response from Federazione to her request to obtain access to and a copy of the documents containing her personal data. Federazione responded to the complaint by arguing (among others) that the request submitted by the data subject fell outside the scope of the GDPR, as it qualified as a request for access to administrative documents[1]. The Authority, after its investigation, rejected the statements made by Federazione and concluded that the request made could clearly be qualified as an access request under the GDPR, as it was expressly labeled as “Request for Access to Personal Data Pursuant to Articles 15 -22 of Regulation 679/2016”[2] [3].

In Decision No. 236, Unicredit S.p.A. (hereinafter “Unicredit”) was found to be in breach of the GDPR for having failed to respond to an access request to personal data processed in the context of the employment relationship with Unicredit. In particular, Unicredit argued that it had not responded to the data subject’s request because no further action had been taken by the complainant following an initial response by them. In this initial response, they had requested the complainant to submit a form to be used for presenting data subjects’ requests based on their internal procedures. Since the data subject did not respond to this request, Unicredit assumed that the data subject was no longer interested in exercising their right of access. In this respect, the Authority noted that, in general terms, the provision of a predefined form to be completed to file access requests may represent an organizational measure that may facilitate the submission of similar requests. However, the Authority also noted that the action taken by Unicredit is not compliant with the applicable data protection rules which do not provide that the exercise of data subjects’ rights be conditional on a prior submission of a duly completed form by the data subject, but rather a consideration of the substance of the application[4]. Imposing the completion of predefined forms, regardless of the content of the request, may indeed hamper – rather than facilitate the exercise of data subject’s rights pursuant to the GDPR)[5].

The principles expressed above are in line with some recent decisions issued by the Data Protection Authorities of other EU Member States. The decisions highlighted the importance of establishing procedures for the management of access requests, starting from the identification of the data subject submitting the request, to the assessment of the substance of the request, as well as the preparation of the response. As to the steps to be taken in order to identify the data subject submitting the access request, it is worth noting that, for example, the request for a copy of the ID card would generally be contrary to the principles of the GDPR. This applies where a similar request is not based on reasonable doubts as to the identity of the data subject in question. Indeed, as noted by the Spanish Data Protection Authority (among other Authorities)[6], the request for an identity card as a “standard” means of identification is in breach of the Data Controller’s obligation to facilitate the exercise of data subjects’ rights, as well as in breach of the principle of data minimization[7].

Conclusion and recommendations

The aforementioned decisions recall the importance of Data Controllers having adequate procedures in place to deal with data subjects’ requests. The principles established in the said decisions were also reflected in the Guidelines 01/2022 issued by the European Data Protection Board (hereinafter, “EDPB”)[8], in which the EDPB provided the following important recommendations on how to handle access requests:

• • • Data Controllers should be ready to handle access requests in a timely manner, in compliance with their obligation to facilitate data subjects in exercising their rights;
    • The GDPR does not introduce any formal requirements for persons requesting access to their personal data;
    • Data subjects have, in principle, the right to obtain access to all personal data concerning them[9]. The information provided must be complete, correct, and up-to-date, corresponding as closely as possible to the state of processing activities at the time the request is received;
    • The information on the processing activities carried out by the Data Controller must be provided in a way that reflects the specific processing operations carried out in relation to the data subject making the request. Generic wording with respect to, for example, the purposes of the processing activities and the categories of personal data processed should therefore be avoided (as this type of information may vary depending on the data subject making the request);
    • Where the Data Controller has reasonable doubts as to the identity of the data subject, a “proportionality” assessment must be carried out when identifying what (additional) information should be requested for the purpose of identifying the data subject in question. It should be taken into consideration that requesting an ID card would generally not be considered a proportionate and, therefore, is not an appropriate way of authentication (without prejudice to the possibility of assessing, on a case-by-case basis, the specific circumstances of the request)[10].

[1] According to Federazione, the request was made pursuant to Law No. 241/90, which regulates the right of access to administrative documents.

[2] It is worth recalling that, in establishing the unlawfulness of the conduct undertaken by the Data Controller, the Authority took into account, as a mitigating factor for the purpose of quantifying the administrative fine, the fact that the untimely response by the Data Controller was caused by the erroneous interpretation of the request submitted by the data subject as a request for access to documents. According to the Authority, this misinterpretation partly arose from the wording used by the data subject in the request, where she asked for “access to and copy of the documents containing personal data”.

[3] Pursuant to Article 12(3) of the GDPR, the “controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject”.

[4] Emphasis added.

[5] It is worth recalling that, pursuant to Article 12(2) of the GDPR, the “controller shall facilitate the exercise of data subject rights under Articles 15 to 22”. Moreover, the form made available by the Data Controller did not contain a complete and detailed list of the information indicated under Article 15 of the GDPR, therefore leading the individual in question to error as to the actual scope of the right of access.

[6] Agencia Española de Protección de Datos, Decision of 25 February 2022 against PageGroup Europe. Similarly, see also (among others) Decision of 14 January 2022 issued by the Dutch Data Protection Authority against DPG Media Magazines B.V. in which the Dutch Data Protection Authority held that requesting the ID card in order to identify the data subject is contrary to Article 12(2) of the GDPR. The Dutch Data Protection Authority held that a similar request would indeed hinder, rather than facilitate, the exercise of their rights. In Decision of 16 December 2020 of the Irish Data Protection Authority against Groupon International Limited, the Irish Data Protection Authority concluded that the request for the ID card for the purpose of activating the procedure relating to the management of data subjects’ rights is contrary to the principle of minimization, especially in view of the fact that the ID card is not required for the purpose of creating a Groupon account.

[7] Pursuant to Article 5(1)(c) of the GDPR, personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»)”. In the opinion of the Spanish Data Protection Authority, the request for an ID card for the purpose of identifying the data subject is in breach of this principle in that, it entails the acquisition of personal data which are not strictly necessary for the purpose in question.

[8] EDPB, Guidelines 01/2022 on data subject rights – Right of access (version 1.0) of 18 January 2022. Please note that these Guidelines are not yet available in their final version.

[9] Unless the data subject has expressly limited their request to a specific subset of personal data (data subjects could, for instance, ask their employer for “only” a copy of personal data processed by the employer for performance appraisal).

[10] As clarified by the EDPB, this could, for instance, be the case where the Controller processes special categories of data or carries out processing that may present a risk for the data subject (e.g., processing activities involving medical information).