Without the right of access, data protection would be a toothless tiger. After all, a person can only be free to take action if he knows what another knows about him. However, there are several pitfalls that need to be taken into account if you are responsible for responding to an access request.
If a company or an authority receives a request for information, ignoring it is the worst possible thing to do. Either way, the law demands that the controller provide an answer within one month at the latest. This deadline is new under the General Data Protection Regulation (GDPR).
An extension is only possible in exceptional cases (Art. 12 Para. 3 GDPR). Waiting and trying to ride it out is not an option unless you want to incur a fine.
Five key questions
With this in mind, prepare the response based on the following five considerations:
- Are we actually processing data belonging to the enquirer?
- Is there any way that we can refuse to provide the information?
- What content do we need to communicate?
- What format must the information take?
- Is the enquirer justified?
Are we actually processing data belonging to the enquirer?
First, clarify whether processing of data concerning the data subject is actually taking place in the concrete case in question. This is often easier said than done. It requires the controller to have an overview of where he processes which data (cf. also Ehmann, book 06/18, p. 1).
This does involve a lot of preparatory work, but it must be done, as otherwise it is not possible to compile a record of processing activities, for example. If it is clear that the controller is processing data belonging to the data subject, the first hurdle is cleared, and you can jump straight to the question “Is there any way that we can refuse to provide the information?”
If the controller does not have any data concerning the enquirer, he must inform the enquirer of such, as indicated in Art. 15 Para. 1, first semi-clause, GDPR. The thought behind this is that it is the only way for the enquirer to be able to gain a comprehensive picture of where his data are in circulation.
There are other points to consider when disclosing this “negative information”: for example, the request itself contains personal data, such as the name and address of the sender. The controller must process these data in order to be able to provide a response.
As such, remember to apply the general principles of data protection, in particular providing information on data protection as per Art. 13 GDPR.
The data protection notice must contain the usual information set out in Art. 13 GDPR. This includes information on how long the company or the authority will retain a request for information and its response.
That it is sensible to retain a record of the information provided – even negative information – for a certain period of time follows from the principle of accountability set out in Art. 5 Para. 2 GDPR. This is the only way for the company to prove that it complies with the data protection legislation.
It will also be able to defend itself if the response leads to a dispute with the supervisory authority.
Example formulation of a negative information notice, in the case that no data are stored on the person requesting information:
Dear Mr/Ms …,
We do not have any personal data stored concerning you. This excludes the data that you communicated to us in your request for information.
Our data protection notice can be found … (e.g. below, overleaf, in the attached file, on the website www.xyz.de/dataprotection).
Storage period: three years
And how long should the record of this process be retained? Indefinite storage is – as in all other cases – not permissible. The period of limitation can be used as a guide, because a data subject can no longer assert a claim based on a failure to provide information, or on the provision of false information, once the period of limitation has expired.
A somewhat complicated chain of referencing indicates a period of limitation of three years. This is pursuant to Section 31 Para. 2 No. 1 of the German Act on Regulatory Offences (OWiG), which is applicable on the grounds of a reference in Section 41 Para. 1 of the German Federal Data Protection Act (BDSG), in reference to Art. 83 Para. 5 Letter b GDPR.
As such, controllers should retain a negative information notice for three years after issue of the information, and then erase it.
Is there any way that we can refuse to provide the information?
Normally, a controller has to provide the information. Exceptions only exist in the case of excessive enquiries, e.g. when the data subject submits a request several times a year without a clear reason to do so (Art. 12 Para. 5 Letter b GDPR).
In this case, the burden of proof lies with the controller, not the enquirer.
Exceptions in BDSG
Further exceptions are set out in special provisions that only apply in Germany. For example, there is no obligation to provide information
- if the data only still need to be stored on account of statutory provisions on retention (e.g. for reasons pertaining to bookkeeping) and providing information would require a disproportionate effort (Section 34 Para. 1 No. 2a BDSG),
- if the data are exclusively archiving or logging data (e.g. backups or log files) and providing information would require a disproportionate effort (Section 34 Para. 1 No. 2b BDSG), or
- if there are legitimate interests in keeping the information secret (Section 34 Para. 1 in conjunction with Section 29 Para. 1 Clause 2 BDSG).
The need for secrecy may apply by law or by “nature”, in particular because of “overriding legitimate interests of a third party”. This primarily applies to custodians of professional secrets, such as lawyers or doctors.
Other special cases
In addition, there are exceptions for special cases in the following areas:
- Data processing for the purposes of research or statistics (Section 27 Para. 2 BDSG)
- Data processing for archiving purposes in the public interest (Section 28 Para. 2 BDSG)
- Data processing by authorities if providing information would pose a risk (Section 34 Para. 1 No. 1 and Section 33 BDSG)
If one of these exceptions applies, the controller must give reasons for invoking it. He must inform the data subject of those reasons (Art. 12 Para. 4 GDPR).
What content do we need to communicate?
The content of the information notice is based on the data subject’s access request.
The data subject has a statutory entitlement to the following information as a maximum (Art. 15 Para. 1 GDPR):
- For what purposes is the controller processing the data subject’s data? Example: to fulfil the contract with the data subject.
- Which categories of personal data does he process? It is not necessary to list each individual data field; it is sufficient to give umbrella terms.
- To which recipients or categories of recipients are his data disclosed? Recipients in third countries outside of the EU and the EEA must also be named.
- What are the criteria used to determine the period for which the data will be stored? Supplement the frequently used statement that data “are stored for as long as they are needed for the aforementioned purposes and as long as statutory retention periods demand such” with periods of retention that are as concrete as possible.
- Refer to the rights of the data subject, i.e. rectification, erasure, restriction of processing and objection.
- Refer to the option of lodging a complaint about the data processing with a supervisory authority. However, concrete contact details do not have to be communicated.
- If the data came not from the data subject but from another source: all available information on the source of the data.
- If the data are subject to automated decision-making, including profiling – within the meaning of Art. 22 GDPR, such as in the case of credit scoring or location tracking: meaningful information about the logic involved as well as the implications and intended effects of such procedures on the data subject.
- If the data are transferred to a third country, i.e. a country outside of the EU and the EEA, the enquirer also has a right to be informed of the legal basis for the transfer (e.g. EU standard contractual clauses, Privacy Shield certification, or similar).
PRACTICAL TIP: The attentive reader will notice several similarities between this information and the data protection information set out in Art. 13 and 14 GDPR and the record of processing activities set out in Art. 30 GDPR. It is largely the same information.
A controller can therefore save himself time and effort by comparing the information.
What format must the information take?
The data subject is entitled to receive “a copy of the personal data undergoing processing” (Art. 15 Para. 3 GDPR). The controller must issue the data in the manner that he has them.
In practice, companies and authorities meet this requirement in the simplest way: by printing out or copying the data set or file held on the data subject and passing it on.
However, there is some room for manoeuvre in the form that the information takes. It does not necessarily have to be provided in writing as in the past. For example, the law stipulates that where the data subject makes the request by electronic means, it may be responded to in electronic form, unless otherwise requested by the data subject (Art. 15 Para. 3 Clause 3 GDPR). This may include, for example, transfer of a PDF file.
In the best-case scenario, the data subject will be given direct access to his data by means of remote access, e.g. a web interface. It is important that all communication channels are appropriately protected.
It must also be ensured that the copy of the data is complete. Blacking out or omitting parts is only permitted
- in the case of one of the exceptions described above, or
- if disclosure will “adversely affect the rights and freedoms of others” (this includes the controller himself, cf. Art. 15 Para. 4 GDPR). Such a restriction of the right of access may, for example, exist based on trade secrets or intellectual property and in particular copyright protecting software (Recital 63 of GDPR).
However, in such cases the controller must still issue the information. Only the sensitive passages may be omitted or rendered illegible.
The information must be provided free of charge. Controllers may only invoice costs in exceptional cases, and even then these must be reasonable administrative costs, for example if the data subject requests another copy or when the request is excessive (Art. 12 Para. 5 GDPR).
Is the enquirer justified?
Only the person to whom the data pertain may receive the information. The controller must prevent unauthorised persons from receiving information that is not intended for them. If an unauthorised person were to receive such information, this would usually be considered a data breach, which the controller would have to report to the authority (Art. 33 GDPR).
Clear internal stipulations are required in order to prevent such an event; for example, an identity check must be carried out. GDPR does not stipulate overly high requirements on this. According to the law, information may be issued if there are “no reasonable doubts concerning the identity” of the person making the request (cf. Art. 12 Para. 6 GDPR).
Reasonable doubt may be deemed to apply if the request comes from an unfamiliar or apparently made-up e-mail address, or if the address given deviates from the one on file.
What can you, as a data protection officer, recommend in such a case? In the event of a discussion in person, you could request to see photographic ID. In other cases, your colleagues could ask about data that are already stored in the system – e.g. date of birth or customer number – and compare the answer.
In the case of an electronic request, you could ask the person to confirm their postal address. If the data subject is seeking information on particularly sensitive data (such as health data), it is helpful if the enquirer provides a copy of his ID voluntarily. All information not required can then be blacked out in this copy.
Another important measure for reducing the risk is for the information to always only be sent to the address that was stored for the data subject before the request for information.
Summary: take these requests seriously!
Requests for information must be taken seriously. After all, an incomplete, omitted or late response brings the risk of large fines (up to EUR 20 million or 4 per cent of the total worldwide annual turnover, as per Art. 83 Para. 5 Letter b GDPR).
With that in mind, ensure that the employees know what to do in such cases, that it is clear who is responsible for what, and that the information is disclosed securely and on time.
Andreas Grimme is an employee of fox-on Datenschutz GmbH. He advises other data protection officers and companies on matters of data protection.