THE RIGHT OF ACCESS TO PERSONAL DATA
By Mugurel Olariu, RPD protectie date
One of the main rights of the data subject is the right of access to personal data. It is governed by the European legal instrument – Article 8 of the EU Charter of Fundamental Rights and specifically specified by Article 15 of the GDPR.
Guidance 1/2022 on the rights of the data subject – right of access has been issued at the EDPB*1 level , a document in the public consultation phase until 11.03.2022.
The general purpose of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and to verify the lawfulness of the processing and the accuracy of the data processed. This will make it easier – but not a condition – for the individual to exercise other rights such as the right to erasure or rectification.
The right of access under data protection law must be differentiated from rights similar to other objectives, such as the right of access to public documents aimed at ensuring transparency in the decision-making process of public authorities and good administrative practice.
The right of access includes three different components:
■ Confirmation whether or not the data about the person is processed,
■ Access to this personal data and
■ Access to information on processing, such as purpose, categories of data and recipients, duration of processing, rights of data subjects and corresponding guarantees in case of a transfer to a third country.
The guide is structured in six chapters, the first being General Observations. The content chapters numbered 2 to 6 refer to:
✔ The purpose of the right of access, the structure of Article 15 of the GDPR and the general principles. The chapter presents the definition of the right of access, provisions on the modalities and possible limitation of this right. The principles of the right of access with the completeness and correctness of the information, the temporal reference point of the evaluation and the observance of the data security requirements are also pointed out.
✔ General considerations regarding the evaluation of access requests. The introductory notions are presented, with the analysis of the content of the application, the form of the application and the identification of the data subject, as well as the connection between the personal data and the data subject. This chapter also contains three specialized sections on Problems with Determining the Identity of the Applicant, Assessing Proportionality on Identifying the Applicant, and Requests Made by Third Parties / Proxies.
✔ The scope of the right of access and the data and personal information to which it relates, with three sections, as follows: Definition of personal data, Personal data to which the right of access refers, and Information on processing and rights targeted persons.
✔ How can an operator provide access?, is the main topic of this chapter. It has three sections, as follows: How can the operator retrieve the requested data?, Appropriate measures to ensure access, and Time to provide access.
✔ Limits and restrictions of the right of access is the last chapter. General observations are made and the application of art. 15 paragraph (4) of the GDPR. And of art.12 paragraph (5) of the RGPD. The last section clarifies key issues, namely: What is clearly unfounded ?, What is excessive ?, Consequences and Possible restrictions in Union or Member State law under Article 23 GDPR and derogations.
In the Annex, a Flowchart of the receipt, analysis and settlement of the request of the data subject is presented, in three steps, as follows:
Step 1: How is the application interpreted and evaluated?, exemplifying the six issues to be clarified, namely:
✔ Does the requests concern personal data?
✔ Is it a GDPR request?
✔ Is it an art.15 request?
✔ Does the request relate to the requesting person?
✔ Identity check, in case of doubts.
✔ What is the scope of the application?
Step 2: How do I respond to the request?, with three sections:
✔ 3 main components of the right of access (structure of art. 15).
✔ Take appropriate measures.
✔ How can the controller retrieve all data about the data subject?
Step 3: Check the limits and restrictions, with two sections:
✔ Art. 15 (4) GPRD: Would rights or freedoms of others be affected by answering the access request?
✔ Art. 12 (5) GDPR: Is the request manifestly unfounded?
We consider that this guide is an effective working tool for operators, and will be deepened and used in the practical activity by the data protection officer at their level.
————————————————————
[1] See https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022- data-subject-rights-right_en
