GDPR gives the person whose personal data an organisation processes the right to ask that organisation what data it holds on them and to receive a copy. This is the “right of access” (Article 15). In Sweden the response is commonly called a register extract (registerutdrag), sometimes rendered as an “extract from the record of processing activities”; note that it is not the internal record of processing activities that controllers keep under Article 30, but the information and the copy of the data that are owed to the data subject. The right of access still raises practical questions: how should a request be handled so that the GDPR requirements are met, does the data subject really have to send a copy of their ID, and must the extract always be sent to the data subject’s officially registered address? We at GDPR Hero sort out these questions below.
Scenario: A client emails you asking for access to all personal data you hold on them. How should you act to make sure the request is handled properly?
1. Act on time – within a month
The regulation sets a time frame for handling the data subject’s (the person whose data you process) request. The main rule is that the request must be dealt with without undue delay, and the data subject must be told what you have done at the latest one month after you received the request. If you conclude that you cannot meet the request, you must give the data subject your reasons within the same month, and point out that they can complain to the Supervisory Authority.
If the request is complex, or you are handling many requests at the same time, the period can be extended by a further two months. You must always inform the data subject of the extension, and the reasons for it, within the first month.
2. What can you demand in order to identify the data subject?
There are no formal requirements for how a data subject makes a request for access; the regulation does not, for example, require an ID or a signature. However, you as an organisation must make sure that the extract ends up with the right person. Personal data that reach the wrong person constitute a personal data breach, which in some cases must be reported to the Supervisory Authority. In some cases it can therefore be necessary to ask the data subject for a copy of their ID or for a signature.
In other cases a phone call from the data subject can be enough to satisfy you that the right person is asking. Bear in mind that you must not collect more personal data about the data subject than you actually need: only when you have reasonable doubts about the identity of the person making the request may you ask for additional information to confirm it. You therefore decide what proof of identity to require through a suitability assessment: weigh how sensitive the data are and how well you already know the requester, and ask for only as much proof as that calls for.
Two scenarios below illustrate how such a suitability assessment can work.
Example: You have close relationships with some of your clients, and one of them wants an extract of the personal data you hold on them. The client makes the request by phone. The person responsible at your workplace recognises the client’s voice from previous contacts and is therefore confident that the right person is asking. No further measures are then needed to confirm the data subject’s identity. Treat this as the minimum rather than the norm: a voice is easy to misjudge, so where the data are sensitive, call the client back on the number you already have on file instead of relying on the incoming call alone.
Example: A client emails a request for access. You have had no previous contact with this client and want to be sure that the sender really is the person the data concern. You therefore ask them to send a copy of their ID. Ask only for what you need to confirm identity, and delete the copy once the check is done; keeping it would be processing for which you have no purpose.
3. What shall the extract provided to the data subject include?
The data subject shall, among other things, receive the following information:
- The purposes for which you process the personal data.
- The categories of personal data you process, e.g. name, address and phone number. You shall also give the data subject a copy of the personal data themselves, in this case the name(s), address(es) and phone number(s) you hold on the person.
- The recipients, or categories of recipients, to whom you disclose the data, within the EU or in a third country, e.g. subcontractors you use. For transfers to a third country, also the safeguards that apply to the transfer.
- The envisaged period for which the personal data will be stored or, if that cannot be stated, the criteria used to decide it.
- The data subject’s rights to rectification, erasure, restriction of processing and to object to processing.
- Information on the right to lodge a complaint with the Supervisory Authority.
- Where the data were not collected from the data subject, any available information about their source.
- Whether the data are subject to automated decision-making, including profiling.
4. Shall the extract be provided on paper or by electronic means?
The extract can be provided both in writing on paper and by electronic means. If the data subject makes the request by electronic means, the extract shall be provided in a commonly used electronic form unless the data subject asks for something else.
The information can also be given orally if the data subject asks for it, provided that you have established their identity by other means. Here too it is crucial that you can identify the data subject.
5. Where shall the extract be sent?
As mentioned, there are no formal requirements for what a request for access must look like, and the same goes for you as controller: no special rules govern how the extract is delivered. To avoid a personal data breach you should nevertheless follow some basic safety rules. Sending a paper extract to the data subject’s officially registered address is always the safest option, although not mandatory. If you send the extract electronically, remember that ordinary email is not confidential: encrypt or password-protect the file and pass the password through a separate channel, such as a phone number already on file, or deliver the extract through a login-protected portal.
Example: Your client has requested access to their personal data. You have identified the client and compiled the information in a report. The client asks you to send the extract to her work address, since she spends a lot of time there. Many people work at her company. Aware of the risk that an unauthorised person might get hold of the personal data if you sent the extract to her work address, you tell her that it will be sent to her officially registered address instead.
6. What does an extract cost?
An extract must not cost the data subject anything; handling a request is free of charge for the data subject exercising their right of access. The only situation in which you may charge a fee (or refuse to act) is when the request is manifestly unfounded or excessive, e.g. because it is repeated, and it is up to you to demonstrate that this is the case.
If the data subject wants several copies of the same extract, you may charge a reasonable fee based on the administrative costs of the additional copies.
7. In what cases do you not have to comply with the right of access?
As a rule you must comply with a request for access. The main exception is when you are not able to identify the data subject; in that case you must tell them so, and the data subject may, but does not have to, provide more information to make identification possible. You may also refuse a request that is manifestly unfounded or excessive (see section 6 above), and the copy you hand out must not adversely affect the rights and freedoms of others, for example other people’s personal data or trade secrets.
National legislation may add further exemptions. Swedish legislation, for example, provides that personal data in running text that has not yet been given its final form, and personal data in memos and similar notes, need not be handed out; for unfinished text the exemption lapses once the text has been processed for more than one year. You also do not have to provide data that you are barred from disclosing by law, for example under the Swedish Public Access to Information and Secrecy Act (offentlighets- och sekretesslagen).
Remember the time limit: you have one month. Having an action plan for how extracts are produced saves time. Always make a suitability assessment of what to require from the data subject to confirm their identity; the information must never end up in the wrong hands!
Get help from GDPR Hero!
The GDPR Hero tool includes a report function that quickly and easily helps the user identify and compile the information that every category of data subject is entitled to. The information is then delivered as a finished report, ready to print or to email as a PDF.