A priority of the DPC’s Regulatory Strategy for 2022 – 2027 is to increase stakeholder engagement by issuing more guidance to help businesses navigate compliance with the General Data Protection Regulation (GDPR).
On 10 October 2022, the Data Protection Commission (DPC) published guidance which provides welcome clarity for businesses when responding to data subject access requests (DSARs).
The key takeaway from the DPC’s guidance is that a high standard of compliance is expected from controllers in relation to handling DSARs, particularly when it comes to response times. It will be important for all businesses to take stock of the DPC’s guidance as the right of access (the vehicle for individuals to submit DSARs) is the most complained about data protection right that the DPC deals with year-on-year.
It is also worth highlighting that the European Data Protection Board (EDPB) published draft guidelines on navigating DSARs for businesses in January. Together, these regulatory standards are a key indicator that DSARs are very much in the spotlight from a regulatory enforcement perspective. While the DPC and EDPB standards do not have the force of law, businesses should consider bridging any gaps in existing DSAR response policies and procedures where they do not meet the standards of compliance set by the DPC and EDPB.
What are the key impacts for businesses?
We highlight key impacts and best practices set out by the DPC and EDPB that businesses need to be aware of and implement when responding to DSARs:
1. Businesses to respond within “15 working days” or as soon as possible
The DPC expects controllers to implement policies that respond to DSARs “without undue delay”, as mandated by the GDPR. The DPC guidance ‘strongly recommends’ that businesses’ policies aim to respond to DSARs (by providing the information requested in an intelligible manner) within “15 working days” and, in all cases, as soon as possible. This is also the standard expected even where a response timeframe is extended (e.g. businesses should not wait until the end of a DSAR response deadline to respond). The EDPB Guidelines do not mention this 15-day timeframe; however, adopting it would help to ensure that the statutory deadlines are not missed.
2. “Complexity” is a factual assessment
Controllers may extend the timeframe for responding to DSARs by two months where they can objectively demonstrate that a DSAR gives rise to “complexity” under Article 12(3) of the GDPR. In its guidelines, the DPC provides some examples of the meaning of “complexity”, confirming that it is a case-by-case and fact-specific assessment. These examples include the following factual questions:
- Is the amount of personal data readily available to the controller?
- Does the controller need extra resources to respond to the DSAR? The DPC’s example here is not “human” resources but technological ones.
- Does the DSAR response require considerable redaction?
- Does the controller need to apply an exemption?
The draft EDPB guidelines also provide a list of relevant factors when considering whether a request gives rise to “complexity” such that an extension of time for responding to a DSAR is required. These include:
- the amount of personal data processed by the controller;
- how the personal data are stored;
- redaction requirements;
- whether personal data needs further work to be intelligible.
Both the DPC and the EDPB indicate that reliance on “complexity” to extend a DSAR response timeframe should be the exception rather than the general approach adopted by businesses.
3. The clock starts to run on the date of receiving a DSAR
The DPC outlines that controllers must ensure their organisations have a dedicated way for individuals to submit DSARs and for businesses to record them. The DPC also provides that the clock begins to run the day on which a DSAR is received by a controller, even if it is sent to the wrong representative / mailbox of the controller’s entity. This will also be the case if the person managing the designated mailbox, or DSARs more generally, is on annual leave.
There is a caveat, however, to this point. The DPC and the EDPB recognise that the one-month response clock will stop if the controller needs to communicate with the data subject due to uncertainty regarding their identity.
The EDPB also provides that the clock begins to run the day on which a DSAR is received, provided the request has reached the controller through one of its official channels. However, if a correct email address has been provided by the controller, requests do not have to be acted upon by controllers where they are sent to:
- a random or incorrect email address;
- a channel that clearly was not intended to receive it;
- an email address not provided by the controller; or
- an email address of an employee who is not involved in processing such requests.
However, there is a fine line: if the request is sent to an employee who deals with the data subject’s daily affairs, it must be acted on.
The DPC’s “solution” to these compliance standards is that employees should receive adequate training to deal with DSAR responses. For example, employees should be aware of and note any DSARs lodged (particularly if done so orally) and re-direct such requests to the correct department / person in the organisation.
4. Receipt of a DSAR should be acknowledged
An acknowledgement of receipt of a DSAR is a recommended practice according to the DPC guidance. Doing so allows both the controller and the individual who has submitted the DSAR to identify the date from which the clock starts, so that the DSAR can be responded to in time.
5. Controllers may ask for DSAR scope to be limited but should continue with the response
Individuals are not required to respond to a controller where the controller seeks to limit the scope of a DSAR. If the controller does not receive any acknowledgement or limitation from the individual, the controller must still respond within the statutory timeframe. The EDPB guidelines also reflect this standard. The DPC guidelines recommend that controllers should provide reasons for seeking to limit the scope of a DSAR, in line with the GDPR’s overarching principle of accountability.
6. Only verify identity where there is “reasonable doubt”
The DPC guidance is clear that controllers should only seek to verify an individual’s identity where there is reasonable doubt as to their identity. The steps taken by a controller to verify an individual’s identity should be at most what is necessary, applying a proportionality test. In cases of reasonable doubt as to identity, the clock for the time limit to respond to a DSAR stops until the controller verifies an individual’s identity.
Controllers may look to implement a method of confirming the identity of such individuals in their organisation. Such measures are only justified where there is an actual security requirement (i.e. reasonable doubt exists); otherwise they could be seen as an obstacle to the data subject’s right of access.
The draft EDPB guidelines echo this standard and emphasise that the method used to verify individuals’ identity must be proportionate to the nature of the personal data being processed.
7. Third party authorisation is best practice
An authorisation to act for or represent an individual should be provided to a controller where a third party (e.g. a solicitor) is acting for that individual. There is no formal requirement as to what form an authorisation should take; however, the third party submitting the DSAR must be able to prove that the authorisation came from the data subject.
8. Controllers should not copy and paste “supplemental information”
The DPC guidance requires that the supplemental information provided in the DSAR response should not simply be a copy and paste of a controller’s privacy notice. Rather, it should reflect the processing carried out for the relevant individual and adapt the information for the particular processing at hand. The draft EDPB guidelines also reflect this position and require privacy notices to be ‘updated and tailored’ to reflect processing carried out on the DSAR.
What should businesses do?
The GDPR’s right of access to personal data is continually under the spotlight for businesses and the DPC. A tangible reality of the GDPR is that businesses must often manage a DSAR internally. While not the general rule, this is due mainly to DSARs being either a precursor to prospective or pending employment-related or other litigation, or the basis of a data subject complaint filed against a business with the DPC. The DPC and draft EDPB standards set a high compliance threshold for businesses responding to DSARs, particularly concerning the time it takes to respond to such requests.
Businesses should review existing DSAR response policies and procedures to ensure consistency with required standards of law, considering the standards prescribed by the DPC and the EDPB. Our Technology team can help you figure out how these new standards impact your business and we would be happy to advise you further. If you have any data protection needs concerning DSARs or would like further information on these new standards, please contact a member of the Technology team or your usual William Fry contact.
Contributed by Kate Sullivan & Rachel Hayes