Subject’s Rights
Article 29 Group Guidance
ARTICLE 29 DATA PROTECTION WORKING PARTY
This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data
protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission,
Directorate General Justice, B-1049 Brussels, Belgium, Office No MO-59 02/013.
Website: http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358&tpa_id=6936
17/EN
WP260 rev.01
Article 29 Working Party
Guidelines on transparency under Regulation 2016/679
Adopted on 29 November 2017
As last Revised and Adopted on 11 April 2018
THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE
PROCESSING OF PERSONAL DATA
set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995,
having regard to Articles 29 and 30 thereof,
having regard to its Rules of Procedure,
HAS ADOPTED THE PRESENT GUIDELINES:
Introduction
1. These guidelines provide practical guidance and interpretative assistance from the Article 29
Working Party (WP29) on the new obligation of transparency concerning the processing of
personal data under the General Data Protection Regulation 1 (the “GDPR”). Transparency is
an overarching obligation under the GDPR applying to three central areas: (1) the provision
of information to data subjects related to fair processing; (2) how data controllers
communicate with data subjects in relation to their rights under the GDPR; and (3) how data
controllers facilitate the exercise by data subjects of their rights 2. Insofar as compliance with
transparency is required in relation to data processing under Directive (EU) 2016/680 3, these
guidelines also apply to the interpretation of that principle. 4 These guidelines are, like all
WP29 guidelines, intended to be generally applicable and relevant to controllers irrespective
of the sectoral, industry or regulatory specifications particular to any given data controller.
As such, these guidelines cannot address the nuances and many variables which may arise in
the context of the transparency obligations of a specific sector, industry or regulated area.
However, these guidelines are intended to enable controllers to understand, at a high level,
WP29’s interpretation of what the transparency obligations entail in practice and to indicate
the approach which WP29 considers controllers should take to being transparent while
embedding fairness and accountability into their transparency measures.
2. Transparency is a long established feature of the law of the EU 5. It is about engendering trust
in the processes which affect the citizen by enabling them to understand, and if necessary,
challenge those processes. It is also an expression of the principle of fairness in relation to the
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC.
2 These guidelines set out general principles in relation to the exercise of data subjects’ rights rather than considering
specific modalities for each of the individual data subject rights under the GDPR.
3 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data,
and repealing Council Framework Decision 2008/977/JHA
4 While transparency is not one of the principles relating to processing of personal data set out in Article 4 of Directive (EU)
2016/680, Recital 26 states that any processing of personal data must be “lawful, fair and transparent” in relation to the
natural persons concerned.
5 Article 1 of the TEU refers to decisions being taken “as openly as possible and as close to the citizen as possible”; Article 11(2)
states that “The institutions shall maintain an open, transparent and regular dialogue with representative associations and civil
society”; and Article 15 of the TFEU refers amongst other things to citizens of the Union having a right of access to
documents of Union institutions, bodies, offices and agencies and the requirements of those Union institutions, bodies,
offices and agencies to ensure that their proceedings are transparent.
processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of
the European Union. Under the GDPR (Article 5(1)(a)6), in addition to the requirements that
data must be processed lawfully and fairly, transparency is now included as a fundamental
aspect of these principles. 7 Transparency is intrinsically linked to fairness and the new
principle of accountability under the GDPR. It also follows from Article 5.2 that the controller
must always be able to demonstrate that personal data are processed in a transparent
manner in relation to the data subject. 8 Connected to this, the accountability principle
requires transparency of processing operations in order that data controllers are able to
demonstrate compliance with their obligations under the GDPR 9.
3. In accordance with Recital 171 of the GDPR, where processing is already under way prior to
25 May 2018, a data controller should ensure that it is compliant with its transparency
obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means
that prior to 25 May 2018, data controllers should revisit all information provided to data
subjects on processing of their personal data (for example in privacy statements/ notices etc.)
to ensure that they adhere to the requirements in relation to transparency which are
discussed in these guidelines. Where changes or additions are made to such information,
controllers should make it clear to data subjects that these changes have been effected in
order to comply with the GDPR. WP29 recommends that such changes or additions be
actively brought to the attention of data subjects but at a minimum controllers should make
this information publically available (e.g. on their website). However, if the changes or
additions are material or substantive, then in line with paragraphs 29 to 32 below, such
changes should be actively brought to the attention of the data subject.
4. Transparency, when adhered to by data controllers, empowers data subjects to hold data
controllers and processors accountable and to exercise control over their personal data by,
for example, providing or withdrawing informed consent and actioning their data subject
rights 10. The concept of transparency in the GDPR is user-centric rather than legalistic and is
realised by way of specific practical requirements on data controllers and processors in a
number of articles. The practical (information) requirements are outlined in Articles 12 – 14 of
the GDPR. However, the quality, accessibility and comprehensibility of the information is as
important as the actual content of the transparency information, which must be provided to
data subjects.
6 “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”.
7 In Directive 95/46/EC, transparency was only alluded to in Recital 38 by way of a requirement for processing of data to be
fair, but not expressly referenced in the equivalent Article 6(1)(a).
8 Article 5.2 of the GDPR obliges a data controller to demonstrate transparency (together with the five other principles
relating to data processing set out in Article 5.1) under the principle of accountability.
9 The obligation upon data controllers to implement technical and organisational measures to ensure and be able to
demonstrate that processing is performed in accordance with the GDPR is set out in Article 24.1.
10 See, for example, the Opinion of Advocate General Cruz Villalon (9 July 2015) in the Bara case (Case C-201/14) at paragraph
74: “the requirement to inform the data subjects about the processing of their personal data, which guarantees transparency of
all processing, is all the more important since it affects the exercise by the data subjects of their right of access to the data being
processed, referred to in Article 12 of Directive 95/46, and their right to object to the processing of those data, set out in Article 14
of that directive”.
5. The transparency requirements in the GDPR apply irrespective of the legal basis for
processing and throughout the life cycle of processing. This is clear from Article 12 which
provides that transparency applies at the following stages of the data processing cycle:
• before or at the start of the data processing cycle, i.e. when the personal data is being
collected either from the data subject or otherwise obtained;
• throughout the whole processing period, i.e. when communicating with data
subjects about their rights; and
• at specific points while processing is ongoing, for example when data breaches occur
or in the case of material changes to the processing.
The meaning of transparency
6. Transparency is not defined in the GDPR. Recital 39 of the GDPR is informative as to the
meaning and effect of the principle of transparency in the context of data processing:
“It should be transparent to natural persons that personal data concerning them are
collected, used, consulted or otherwise processed and to what extent the personal data
are or will be processed. The principle of transparency requires that any information and
communication relating to the processing of those personal data be easily accessible
and easy to understand, and that clear and plain language be used. That principle
concerns, in particular, information to the data subjects on the identity of the controller
and the purposes of the processing and further information to ensure fair and
transparent processing in respect of the natural persons concerned and their right to
obtain confirmation and communication of personal data concerning them which are
being processed…”
Elements of transparency under the GDPR
7. The key articles in relation to transparency in the GDPR, as they apply to the rights of the
data subject, are found in Chapter III (Rights of the Data Subject). Article 12 sets out the
general rules which apply to: the provision of information to data subjects (under Articles 13
– 14); communications with data subjects concerning the exercise of their rights (under
Articles 15 – 22); and communications in relation to data breaches (Article 34). In particular
Article 12 requires that the information or communication in question must comply with the
following rules:
• it must be concise, transparent, intelligible and easily accessible (Article 12.1);
• clear and plain language must be used (Article 12.1);
• the requirement for clear and plain language is of particular importance when
providing information to children (Article 12.1);
• it must be in writing “or by other means, including where appropriate, by electronic
means” (Article 12.1);
• where requested by the data subject it may be provided orally (Article 12.1); and
• it generally must be provided free of charge (Article 12.5).
“Concise, transparent, intelligible and easily accessible”
8. The requirement that the provision of information to, and communication with, data subjects
is done in a “concise and transparent” manner means that data controllers should present the
information/ communication efficiently and succinctly in order to avoid information fatigue.
This information should be clearly differentiated from other non-privacy related information
such as contractual provisions or general terms of use. In an online context, the use of a
layered privacy statement/ notice will enable a data subject to navigate to the particular
section of the privacy statement/ notice which they want to immediately access rather than
having to scroll through large amounts of text searching for particular issues.
9. The requirement that information is “intelligible” means that it should be understood by an
average member of the intended audience. Intelligibility is closely linked to the requirement
to use clear and plain language. An accountable data controller will have knowledge about
the people they collect information about and it can use this knowledge to determine what
that audience would likely understand. For example, a controller collecting the personal data
of working professionals can assume its audience has a higher level of understanding than a
controller that obtains the personal data of children. If controllers are uncertain about the
level of intelligibility and transparency of the information and effectiveness of user interfaces/
notices/ policies etc., they can test these, for example, through mechanisms such as user
panels, readability testing, formal and informal interactions and dialogue with industry
groups, consumer advocacy groups and regulatory bodies, where appropriate, amongst
other things.
10. A central consideration of the principle of transparency outlined in these provisions is that
the data subject should be able to determine in advance what the scope and consequences
of the processing entails and that they should not be taken by surprise at a later point about
the ways in which their personal data has been used. This is also an important aspect of the
principle of fairness under Article 5.1 of the GDPR and indeed is linked to Recital 39 which
states that “[n]atural persons should be made aware of risks, rules, safeguards and rights in
relation to the processing of personal data. . .” In particular, for complex, technical or
unexpected data processing, WP29’s position is that, as well as providing the prescribed
information under Articles 13 and 14 (dealt with later in these guidelines), controllers should
also separately spell out in unambiguous language what the most important consequences of
the processing will be: in other words, what kind of effect will the specific processing
described in a privacy statement/ notice actually have on a data subject? In accordance with
the principle of accountability and in line with Recital 39, data controllers should assess
whether there are particular risks for natural persons involved in this type of processing which
should be brought to the attention of data subjects. This can help to provide an overview of
the types of processing that could have the highest impact on the fundamental rights and
freedoms of data subjects in relation to the protection of their personal data.
11. The “easily accessible” element means that the data subject should not have to seek out the
information; it should be immediately apparent to them where and how this information can
be accessed, for example by providing it directly to them, by linking them to it, by clearly
signposting it or as an answer to a natural language question (for example in an online layered
privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data
subject fills in an online form, or in an interactive digital context through a chatbot interface,
etc. These mechanisms are further considered below, including at paragraphs 33 to 40).
Example
Every organisation that maintains a website should publish a privacy statement/ notice on
the website. A direct link to this privacy statement/ notice should be clearly visible on each
page of this website under a commonly used term (such as “Privacy”, “Privacy Policy” or
“Data Protection Notice”). Positioning or colour schemes that make a text or link less
noticeable, or hard to find on a webpage, are not considered easily accessible.
For apps, the necessary information should also be made available from an online store
prior to download. Once the app is installed, the information still needs to be easily
accessible from within the app. One way to meet this requirement is to ensure that the
information is never more than “two taps away” (e.g. by including a “Privacy”/ “Data
Protection” option in the menu functionality of the app). Additionally, the privacy
information in question should be specific to the particular app and should not merely be
the generic privacy policy of the company that owns the app or makes it available to the
public.
WP29 recommends as a best practice that at the point of collection of the personal data in
an online context a link to the privacy statement/ notice is provided or that this information
is made available on the same page on which the personal data is collected.
“Clear and plain language”
12. With written information (and where written information is delivered orally, or by audio/
audiovisual methods, including for vision-impaired data subjects), best practices for clear
writing should be followed. 11 A similar language requirement (for “plain, intelligible
language”) has previously been used by the EU legislator 12 and is also explicitly referred to in
the context of consent in Recital 42 of the GDPR 13. The requirement for clear and plain
language means that information should be provided in as simple a manner as possible,
avoiding complex sentence and language structures. The information should be concrete and
definitive; it should not be phrased in abstract or ambivalent terms or leave room for different
11 See How to Write Clearly by the European Commission (2011), to be found at:
https://publications.europa.eu/en/publication-detail/-/publication/c2dab20c-0414-408d-87b5-dd3c6e5dd9a5.
12 Article 5 of Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts
13 Recital 42 states that a declaration of consent pre-formulated by a data controller should be provided in an intelligible
and easily accessible form, using clear and plain language and it should not contain unfair terms.
interpretations. In particular the purposes of, and legal basis for, processing the personal data
should be clear.
Poor Practice Examples
The following phrases are not sufficiently clear as to the purposes of processing:
• “We may use your personal data to develop new services” (as it is unclear what
the “services” are or how the data will help develop them);
• “We may use your personal data for research purposes” (as it is unclear what kind
of “research” this refers to); and
• “We may use your personal data to offer personalised services” (as it is unclear
what the “personalisation” entails).
Good Practice Examples 14
• “We will retain your shopping history and use details of the products you have
previously purchased to make suggestions to you for other products which we believe
you will also be interested in” (it is clear what types of data will be processed,
that the data subject will be subject to targeted advertisements for products and
that their data will be used to enable this);
• “We will retain and evaluate information on your recent visits to our website and how
you move around different sections of our website for analytics purposes to
understand how people use our website so that we can make it more intuitive” (it is
clear what type of data will be processed and the type of analysis which the
controller is going to undertake); and
• “We will keep a record of the articles on our website that you have clicked on and use
that information to target advertising on this website to you that is relevant to your
interests, which we have identified based on articles you have read” (it is clear what
the personalisation entails and how the interests attributed to the data subject
have been identified).
13. Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be
avoided. Where data controllers opt to use indefinite language, they should be able, in
accordance with the principle of accountability, to demonstrate why the use of such language
could not be avoided and how it does not undermine the fairness of processing. Paragraphs
and sentences should be well structured, utilising bullets and indents to signal hierarchical
14 The requirement for transparency exists entirely independently of the requirement upon data controllers to ensure that
there is an appropriate legal basis for the processing under Article 6.
relationships. Writing should be in the active instead of the passive form and excess nouns
should be avoided. The information provided to a data subject should not contain overly
legalistic, technical or specialist language or terminology. Where the information is
translated into one or more other languages, the data controller should ensure that all the
translations are accurate and that the phraseology and syntax makes sense in the second
language(s) so that the translated text does not have to be deciphered or re-interpreted. (A
translation in one or more other languages should be provided where the controller targets 15
data subjects speaking those languages.)
Providing information to children and other vulnerable people
14. Where a data controller is targeting children 16 or is, or should be, aware that their goods/
services are particularly utilised by children (including where the controller is relying on the
consent of the child) 17, it should ensure that the vocabulary, tone and style of the language
used is appropriate to and resonates with children so that the child addressee of the
information recognises that the message/ information is being directed at them. 18 A useful
example of child-centred language used as an alternative to the original legal language can
be found in the “UN Convention on the Rights of the Child in Child Friendly Language”. 19
15. WP29’s position is that transparency is a free-standing right which applies as much to
children as it does to adults. WP29 emphasises in particular that children do not lose their
rights as data subjects to transparency simply because consent has been given/ authorised
by the holder of parental responsibility in a situation to which Article 8 of the GDPR applies.
While such consent will, in many cases, be given or authorised on a once-off basis by the
holder of parental responsibility, a child (like any other data subject) has an ongoing right to
transparency throughout the continuum of their engagement with a data controller. This is
consistent with Article 13 of the UN Convention on the Rights of the Child which states that
a child has a right to freedom of expression which includes the right to seek, receive and
impart information and ideas of all kinds. 20 It is important to point out that, while providing
for consent to be given on behalf of a child when under a particular age, 21 Article 8 does not
provide for transparency measures to be directed at the holder of parental responsibility who
15 For example, where the controller operates a website in the language in question and/or offers specific country options
and/or facilitates the payment for goods or services in the currency of a particular member state then these may be
indicative of a data controller targeting data subjects of a particular member state.
16 The term “child” is not defined under the GDPR, however WP29 recognises that, in accordance with the UN Convention
on the Rights of the Child, which all EU Member States have ratified, a child is a person under the age of 18 years.
17 i.e. children of 16 years or older (or, where in accordance with Article 8.1 of the GDPR Member State national law has set
the age of consent at a specific age between 13 and 16 years for children to consent to an offer for the provision of
information society services, children who meet that national age of consent).
18 Recital 38 states that “Children merit special protection with regard to their personal data as they may be less aware of
the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”. Recital
58 states that “Given that children merit specific protection, any information and communication, where processing is
addressed to a child, should be in such a clear and plain language that the child can easily understand”.
19 https://www.unicef.org/rightsite/files/uncrcchilldfriendlylanguage.pdf
20 Article 13 of the UN Convention on the Rights of the Child states that: “The child shall have the right to freedom of
expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of
frontiers, either orally, in writing or in print, in the form of art, or through any other media of the child’s choice.”
21 See footnote 17 above.
gives such consent. Therefore, data controllers have an obligation in accordance with the
specific mentions of transparency measures addressed to children in Article 12.1 (supported
by Recitals 38 and 58) to ensure that where they target children or are aware that their goods
or services are particularly utilised by children of a literate age, that any information and
communication should be conveyed in clear and plain language or in a medium that children
can easily understand. For the avoidance of doubt however, WP29 recognises that with very
young or pre-literate children, transparency measures may also be addressed to holders of
parental responsibility given that such children will, in most cases, be unlikely to understand
even the most basic written or non-written messages concerning transparency.
16. Equally, if a data controller is aware that their goods/ services are availed of by (or targeted
at) other vulnerable members of society, including people with disabilities or people who may
have difficulties accessing information, the vulnerabilities of such data subjects should be
taken into account by the data controller in its assessment of how to ensure that it complies
with its transparency obligations in relation to such data subjects. 22 This relates to the need
for a data controller to assess its audience’s likely level of understanding, as discussed above
at paragraph 9.
“In writing or by other means”
17. Under Article 12.1, the default position for the provision of information to, or
communications with, data subjects is that the information is in writing. 23 (Article 12.7 also
provides for information to be provided in combination with standardised icons and this issue
is considered in the section on visualisation tools at paragraphs 49 to 53). However, the GDPR
also allows for other, unspecified “means” including electronic means to be used. WP29’s
position with regard to written electronic means is that where a data controller maintains (or
operates, in part or in full, through) a website, WP29 recommends the use of layered privacy
statements/ notices, which allow website visitors to navigate to particular aspects of the
relevant privacy statement/ notice that are of most interest to them (see more on layered
privacy statements/ notices at paragraph 35 to 37). 24 However, the entirety of the information
addressed to data subjects should also be available to them in one single place or one
complete document (whether in a digital or paper format) which can be easily accessed by a
data subject should they wish to consult the entirety of the information addressed to them.
Importantly, the use of a layered approach is not confined only to written electronic means
for providing information to data subjects. As discussed at paragraphs 35 to 36 and 38 below,
a layered approach to the provision of information to data subjects may also be utilised by
employing a combination of methods to ensure transparency in relation to processing.
22 For example, the UN Convention on the Rights of Persons with Disabilities requires that appropriate forms of assistance
and support are provided to persons with disabilities to ensure their access to information.
23 Article 12.1 refers to “language” and states that the information shall be provided in writing, or by other means, including,
where appropriate, by electronic means.
24 The WP29’s recognition of the benefits of layered notices has already been noted in Opinion 10/2004 on More Harmonised
Information Provisions and Opinion 02/2013 on apps on smart devices.
18. Of course, the use of digital layered privacy statements/ notices is not the only written
electronic means that can be deployed by controllers. Other electronic means include “just-
in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards.
Non-written electronic means which may be used in addition to a layered privacy statement/
notice might include videos and smartphone or IoT voice alerts. 25 “Other means”, which are
not necessarily electronic, might include, for example, cartoons, infographics or flowcharts.
Where transparency information is directed at children specifically, controllers should
consider what types of measures may be particularly accessible to children (e.g. these might
be comics/ cartoons, pictograms, animations, etc. amongst other measures).
19. It is critical that the method(s) chosen to provide the information is/are appropriate to the
particular circumstances, i.e. the manner in which the data controller and data subject
interact or the manner in which the data subject’s information is collected. For example, only
providing the information in electronic written format, such as in an online privacy statement/
notice may not be appropriate/ workable where a device that captures personal data does
not have a screen (e.g. IoT devices/ smart devices) to access the website/ display such written
information. In such cases, appropriate alternative additional means should be considered,
for example providing the privacy statement/ notice in hard copy instruction manuals or
providing the URL website address (i.e. the specific page on the website) at which the online
privacy statement/ notice can be found in the hard copy instructions or in the packaging.
Audio (oral) delivery of the information could also be additionally provided if the screenless
device has audio capabilities. WP29 has previously made recommendations around
transparency and provision of information to data subjects in its Opinion on Recent
Developments in the Internet of Things 26 (such as the use of QR codes printed on internet of
things objects, so that when scanned, the QR code will display the required transparency
information). These recommendations remain applicable under the GDPR.
“…the information may be provided orally”
20. Article 12.1 specifically contemplates that information may be provided orally to a data
subject on request, provided that their identity is proven by other means. In other words, the
means employed should be more than reliance on a mere assertion by the individual that they
are a specific named person and the means should enable the controller to verify a data
subject’s identity with sufficient assurance. The requirement to verify the identity of the data
subject before providing information orally only applies to information relating to the
exercise by a specific data subject of their rights under Articles 15 to 22 and 34. This
precondition to the provision of oral information cannot apply to the provision of general
privacy information as outlined in Articles 13 and 14, since information required under Articles
13 and 14 must also be made accessible to future users/ customers (whose identity a data
controller would not be in a position to verify). Hence, information to be provided under
25 These examples of electronic means are indicative only and data controllers may develop new innovative methods to
comply with Article 12.
26 WP29 Opinion 8/2014 adopted on 16 September 2014
Articles 13 and 14 may be provided by oral means without the controller requiring a data
subject’s identity to be proven.
21. The oral provision of information required under Articles 13 and 14 does not necessarily mean
oral information provided on a person-to-person basis (i.e. in person or by telephone).
Automated oral information may be provided in addition to written means. For example, this
may apply in the context of persons who are visually impaired when interacting with
information society service providers, or in the context of screenless smart devices, as
referred to above at paragraph 19. Where a data controller has chosen to provide information
to a data subject orally, or a data subject requests the provision of oral information or
communications, WP29’s position is that the data controller should allow the data subject to
re-listen to pre-recorded messages. This is imperative where the request for oral information
relates to visually impaired data subjects or other data subjects who may have difficulty in
accessing or understanding information in written format. The data controller should also
ensure that it has a record of, and can demonstrate (for the purposes of complying with the
accountability requirement): (i) the request for the information by oral means, (ii) the method
by which the data subject’s identity was verified (where applicable – see above at paragraph
20) and (iii) the fact that information was provided to the data subject.
“Free of charge”
22. Under Article 12.5, 27 data controllers cannot generally charge data subjects for the provision
of information under Articles 13 and 14, or for communications and actions taken under
Articles 15 – 22 (on the rights of data subjects) and Article 34 (communication of personal data
breaches to data subjects). 28 This aspect of transparency also means that any information
provided under the transparency requirements cannot be made conditional upon financial
transactions, for example the payment for, or purchase of, services or goods. 29
Information to be provided to the data subject – Articles 13 & 14
Content
23. The GDPR lists the categories of information that must be provided to a data subject in
relation to the processing of their personal data where it is collected from the data subject
(Article 13) or obtained from another source (Article 14). The table in the Annex to these
guidelines summarises the categories of information that must be provided under Articles 13
and 14. It also considers the nature, scope and content of these requirements. For clarity,
WP29’s position is that there is no difference between the status of the information to be
provided under sub-article 1 and 2 of Articles 13 and 14 respectively. All of the information
across these sub-articles is of equal importance and must be provided to the data subject.
27 This states that “Information provided under Articles 13 and 14 and any communication and any actions taken under
Articles 15 to 22 and 34 shall be provided free of charge.”
28 However, under Article 12.5 the controller may charge a reasonable fee where, for example, a request by a data subject
in relation to the information under Article 13 and 14 or the rights under Articles 15 – 22 or Article 34 is excessive or manifestly
unfounded. (Separately, in relation to the right of access under Article 15.3 a controller may charge a reasonable fee based
on administrative costs for any further copy of the personal data which is requested by a data subject).
29 By way of illustration, if a data subject’s personal data is being collected in connection with a purchase, the information
which is required to be provided under Article 13 should be provided prior to payment being made and at the point at which
the information is being collected, rather than after the transaction has been concluded. Equally though, where free services
are being provided to the data subject, the Article 13 information must be provided prior to, rather than after, sign-up given
that Article 13.1 requires the provision of the information “at the time when the personal data are obtained”.
“Appropriate measures”
24. As well as content, the form and manner in which the information required under Articles 13
and 14 should be provided to the data subject is also important. The notice containing such
information is frequently referred to as a data protection notice, privacy notice, privacy
policy, privacy statement or fair processing notice. The GDPR does not prescribe the format
or modality by which such information should be provided to the data subject but does make
it clear that it is the data controller’s responsibility to take “appropriate measures” in relation
to the provision of the required information for transparency purposes. This means that the
data controller should take into account all of the circumstances of the data collection and
processing when deciding upon the appropriate modality and format of the information
provision. In particular, appropriate measures will need to be assessed in light of the product/
service user experience. This means taking account of the device used (if applicable), the
nature of the user interfaces/ interactions with the data controller (the user “journey”) and
the limitations that those factors entail. As noted above at paragraph 17, WP29 recommends
that where a data controller has an online presence, an online layered privacy statement/
notice should be provided.
25. In order to help identify the most appropriate modality for providing the information, in
advance of “going live”, data controllers may wish to trial different modalities by way of user
testing (e.g. hall tests, or other standardised tests of readability or accessibility) to seek
feedback on how accessible, understandable and easy to use the proposed measure is for
users. (See also further comments above on other mechanisms for carrying out user testing
at paragraph 9). Documenting this approach should also assist data controllers with their
accountability obligations by demonstrating how the tool/ approach chosen to convey the
information is the most appropriate in the circumstances.
Timing for provision of information
26. Articles 13 and 14 set out information which must be provided to the data subject at the
commencement phase of the processing cycle30. Article 13 applies to the scenario where the
data is collected from the data subject. This includes personal data that:
a data subject consciously provides to a data controller (e.g. when completing an
online form); or
a data controller collects from a data subject by observation (e.g. using automated
data capturing devices or data capturing software such as cameras, network
equipment, Wi-Fi tracking, RFID or other types of sensors).
Article 14 applies in the scenario where the data have not been obtained from the data
subject. This includes personal data which a data controller has obtained from sources such
as:
third party data controllers;
publicly available sources;
data brokers; or
other data subjects.
30 Pursuant to the principles of fairness and purpose limitation, the organisation which collects the personal data from the
data subject should always specify the purposes of the processing at the time of collection. If the purpose includes the
creation of inferred personal data, the intended purpose of creating and further processing such inferred personal data, as
well as the categories of the inferred data processed, must always be communicated to the data subject at the time of
collection, or prior to the further processing for a new purpose in compliance with Article 13.3 or Article 14.4.
27. As regards timing of the provision of this information, providing it in a timely manner is a vital
element of the transparency obligation and the obligation to process data fairly. Where
Article 13 applies, under Article 13.1 the information must be provided “at the time when
personal data are obtained”. In the case of indirectly obtained personal data under Article 14,
the timeframes within which the required information must be provided to the data subject
are set out in Article 14.3 (a) to (c) as follows:
The general requirement is that the information must be provided within a
“reasonable period” after obtaining the personal data and no later than one month,
“having regard to the specific circumstances in which the personal data are processed”
(Article 14.3(a)).
The general one-month time limit in Article 14.3(a) may be further curtailed under
Article 14.3(b), 31 which provides for a situation where the data are being used for
communication with the data subject. In such a case, the information must be
provided at the latest at the time of the first communication with the data subject. If
the first communication occurs prior to the one-month time limit after obtaining the
personal data, then the information must be provided at the latest at the time of the
first communication with the data subject notwithstanding that one month from the
point of obtaining the data has not expired. If the first communication with a data
subject occurs more than one month after obtaining the personal data then Article
14.3(a) continues to apply, so that the Article 14 information must be provided to the
data subject at the latest within one month after it was obtained.
31 The use of the words “if the personal data are to be used for..” in Article 14.3(b) indicates a specification to the general
position with regard to the maximum time limit set out in Article 14.3(a) but does not replace it.
The general one-month time limit in Article 14.3(a) can also be curtailed under Article
14.3(c)32 which provides for a situation where the data are being disclosed to another
recipient (whether a third party or not)33. In such a case, the information must be
provided at the latest at the time of the first disclosure. In this scenario, if the
disclosure occurs prior to the one-month time limit, then the information must be
provided at the latest at the time of that first disclosure, notwithstanding that one
month from the point of obtaining the data has not expired. Similar to the position
with Article 14.3(b), if any disclosure of the personal data occurs more than one
month after obtaining the personal data, then Article 14.3(a) again continues to
apply, so that the Article 14 information must be provided to the data subject at the
latest within one month after it was obtained.
28. Therefore, in any case, the maximum time limit within which Article 14 information must be
provided to a data subject is one month. However, the principles of fairness and
accountability under the GDPR require data controllers to always consider the reasonable
expectations of data subjects, the effect that the processing may have on them and their
ability to exercise their rights in relation to that processing, when deciding at what point to
provide the Article 14 information. Accountability requires controllers to demonstrate the
rationale for their decision and justify why the information was provided at the time it was.
In practice, it may be difficult to meet these requirements when providing information at the
‘last moment’. In this regard, Recital 39 stipulates, amongst other things, that data subjects
should be “made aware of the risks, rules, safeguards and rights in relation to the processing of
personal data and how to exercise their rights in relation to such processing”. Recital 60 also
refers to the requirement that the data subject be informed of the existence of the processing
operation and its purposes in the context of the principles of fair and transparent processing.
For all of these reasons, WP29’s position is that, wherever possible, data controllers should,
in accordance with the principle of fairness, provide the information to data subjects well in
advance of the stipulated time limits. Further comments on the appropriateness of the
timeframe between notifying data subjects of the processing operations and such processing
operations actually taking effect are set out in paragraphs 30 to 31 and 48.
Changes to Article 13 and Article 14 information
29. Being accountable as regards transparency applies not only at the point of collection of
personal data but throughout the processing life cycle, irrespective of the information or
communication being conveyed. This is the case, for example, when changing the contents
of existing privacy statements/ notices. The controller should adhere to the same principles
when communicating both the initial privacy statement/ notice and any subsequent
substantive or material changes to this statement/ notice. Factors which controllers should
consider in assessing what is a substantive or material change include the impact on data
subjects (including their ability to exercise their rights), and how unexpected/ surprising the
change would be to data subjects. Changes to a privacy statement/ notice that should always
be communicated to data subjects include inter alia: a change in processing purpose; a
change to the identity of the controller; or a change as to how data subjects can exercise their
rights in relation to the processing. Conversely, an example of changes to a privacy
statement/ notice which are not considered by WP29 to be substantive or material include
corrections of misspellings, or stylistic/ grammatical flaws. Since most existing customers or
users will only glance over communications of changes to privacy statements/ notices, the
controller should take all measures necessary to ensure that these changes are
communicated in such a way that ensures that most recipients will actually notice them. This
means, for example, that a notification of changes should always be communicated by way
of an appropriate modality (e.g. email, hard copy letter, pop-up on a webpage or other
modality which will effectively bring the changes to the attention of the data subject)
specifically devoted to those changes (e.g. not together with direct marketing content), with
such a communication meeting the Article 12 requirements of being concise, transparent,
intelligible, easily accessible and using clear and plain language. References in the privacy
statement/ notice to the effect that the data subject should regularly check the privacy
statement/ notice for changes or updates are considered not only insufficient but also unfair
in the context of Article 5.1(a). Further guidance in relation to the timing for notification of
changes to data subjects is considered below at paragraphs 30 to 31.
32 The use of the words “if a disclosure to another recipient is envisaged…” in Article 14.3(c) likewise indicates a specification to
the general position with regard to the maximum time limit set out in Article 14.3(a) but does not replace it.
33 Article 4.9 defines “recipient” and clarifies that a recipient to whom personal data are disclosed does not have to be a third
party. Therefore, a recipient may be a data controller, joint controller or processor.
Timing of notification of changes to Article 13 and Article 14 information
30. The GDPR is silent on the timing requirements (and indeed the methods) that apply for
notifications of changes to information that has previously been provided to a data subject
under Article 13 or 14 (excluding an intended further purpose for processing, in which case
information on that further purpose must be notified prior to the commencement of that
further processing as per Articles 13.3 and 14.4 – see below at paragraph 45). However, as
noted above in the context of the timing for the provision of Article 14 information, the data
controller must again have regard to the fairness and accountability principles in terms of any
reasonable expectations of the data subject, or the potential impact of those changes upon
the data subject. If the change to the information is indicative of a fundamental change to
the nature of the processing (e.g. enlargement of the categories of recipients or introduction
of transfers to a third country) or a change which may not be fundamental in terms of the
processing operation but which may be relevant to and impact upon the data subject, then
that information should be provided to the data subject well in advance of the change
actually taking effect and the method used to bring the changes to the data subject’s
attention should be explicit and effective. This is to ensure the data subject does not “miss”
the change and to allow the data subject a reasonable timeframe for them to (a) consider the
nature and impact of the change and (b) exercise their rights under the GDPR in relation to
the change (e.g. to withdraw consent or to object to the processing).
31. Data controllers should carefully consider the circumstances and context of each situation
where an update to transparency information is required, including the potential impact of
the changes upon the data subject and the modality used to communicate the changes, and
be able to demonstrate how the timeframe between notification of the changes and the
change taking effect satisfies the principle of fairness to the data subject. Further, WP29’s
position is that, consistent with the principle of fairness, when notifying such changes to data
subjects, a data controller should also explain what will be the likely impact of those changes
on data subjects. However, compliance with transparency requirements does not
“whitewash” a situation where the changes to the processing are so significant that the
processing becomes completely different in nature to what it was before. WP29 emphasises
that all of the other rules in the GDPR, including those relating to incompatible further
processing, continue to apply irrespective of compliance with the transparency obligations.
32. Additionally, even when transparency information (e.g. contained in a privacy statement/
notice) does not materially change, it is likely that data subjects who have been using a
service for a significant period of time will not recall the information provided to them at the
outset under Articles 13 and/or 14. WP29 recommends that controllers facilitate data subjects
to have continuing easy access to the information to re-acquaint themselves with the scope
of the data processing. In accordance with the accountability principle, controllers should
also consider whether, and at what intervals, it is appropriate for them to provide express
reminders to data subjects as to the fact of the privacy statement/ notice and where they can
find it.
Modalities – format of information provision
33. Both Articles 13 and 14 refer to the obligation on the data controller to “provide the data
subject with all of the following information…” The operative word here is “provide”. This
means that the data controller must take active steps to furnish the information in question
to the data subject or to actively direct the data subject to the location of it (e.g. by way of a
direct link, use of a QR code, etc.). The data subject must not have to actively search for
information covered by these articles amongst other information, such as terms and
conditions of use of a website or app. The example at paragraph 11 illustrates this point. As
noted above at paragraph 17, WP29 recommends that the entirety of the information
addressed to data subjects should also be available to them in one single place or one
complete document (e.g. whether in a digital form on a website or in paper format) which
can be easily accessed should they wish to consult the entirety of the information.
34. There is an inherent tension in the GDPR between the requirements on the one hand to
provide the comprehensive information to data subjects which is required under the GDPR,
and on the other hand do so in a form that is concise, transparent, intelligible and easily
accessible. As such, and bearing in mind the fundamental principles of accountability and
fairness, controllers must undertake their own analysis of the nature, circumstances, scope
and context of the processing of personal data which they carry out and decide, within the
legal requirements of the GDPR and taking account of the recommendations in these
Guidelines particularly at paragraph 36 below, how to prioritise information which must be
provided to data subjects and what are the appropriate levels of detail and methods for
conveying the information.
Layered approach in a digital environment and layered privacy statements/ notices
35. In the digital context, in light of the volume of information which is required to be provided
to the data subject, a layered approach may be followed by data controllers where they opt
to use a combination of methods to ensure transparency. WP29 recommends in particular
that layered privacy statements/ notices should be used to link to the various categories of
information which must be provided to the data subject, rather than displaying all such
information in a single notice on the screen, in order to avoid information fatigue. Layered
privacy statements/ notices can help resolve the tension between completeness and
understanding, notably by allowing users to navigate directly to the section of the statement/
notice that they wish to read. It should be noted that layered privacy statements/ notices are
not merely nested pages that require several clicks to get to the relevant information. The
design and layout of the first layer of the privacy statement/ notice should be such that the
data subject has a clear overview of the information available to them on the processing of
their personal data and where/ how they can find that detailed information within the layers
of the privacy statement/ notice. It is also important that the information contained within
the different layers of a layered notice is consistent and that the layers do not provide
conflicting information.
36. As regards the content of the first modality used by a controller to inform data subjects in a
layered approach (in other words the primary way in which the controller first engages with
a data subject), or the content of the first layer of a layered privacy statement/ notice, WP29
recommends that the first layer/ modality should include the details of the purposes of
processing, the identity of controller and a description of the data subject’s rights.
(Furthermore this information should be directly brought to the attention of a data subject
at the time of collection of the personal data e.g. displayed as a data subject fills in an online
form.) The importance of providing this information upfront arises in particular from Recital
39. 34 While controllers must be able to demonstrate accountability as to what further
information they decide to prioritise, WP29’s position is that, in line with the fairness
principle, in addition to the information detailed above in this paragraph, the first layer/
modality should also contain information on the processing which has the most impact on
the data subject and processing which could surprise them. Therefore, the data subject
should be able to understand from information contained in the first layer/ modality what the
consequences of the processing in question will be for the data subject (see also above at
paragraph 10).
37. In a digital context, aside from providing an online layered privacy statement/ notice, data
controllers may also choose to use additional transparency tools (see further examples
considered below) which provide tailored information to the individual data subject which is
specific to the position of the individual data subject concerned and the goods/ services which
that data subject is availing of. It should be noted however that while WP29 recommends the
use of online layered privacy statements/ notices, this recommendation does not exclude the
development and use of other innovative methods of compliance with transparency
requirements.
34 Recital 39 states, on the principle of transparency, that “That principle concerns, in particular, information to the data
subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and
transparent processing in respect of natural persons concerned and their right to obtain confirmation and communication
of personal data concerning them which are being processed.”
Layered approach in a non-digital environment
38. A layered approach to the provision of transparency information to data subjects can also be
deployed in an offline/ non-digital context (i.e. a real-world environment such as
person-to-person engagement or telephone communications) where multiple modalities may be
deployed by data controllers to facilitate the provision of information. (See also paragraphs
33 to 37 and 39 to 40 in relation to different modalities for providing the information.) This
approach should not be confused with the separate issue of layered privacy statements/
notices. Whatever the formats that are used in this layered approach, WP29 recommends
that the first “layer” (in other words the primary way in which the controller first engages with
the data subject) should generally convey the most important information (as referred to at
paragraph 36 above), namely the details of the purposes of processing, the identity of
controller and the existence of the rights of the data subject, together with information on
the greatest impact of processing or processing which could surprise the data subject. For
example, where the first point of contact with a data subject is by telephone, this information
could be provided during the telephone call with the data subject and they could be provided
with the balance of the information required under Article 13/ 14 by way of further, different
means, such as by sending a copy of the privacy policy by email and/ or sending the data
subject a link to the controller’s layered online privacy statement/ notice.
“Push” and “pull” notices
39. Another possible way of providing transparency information is through the use of “push” and
“pull” notices. Push notices involve the provision of “just-in-time” transparency information
notices while “pull” notices facilitate access to information by methods such as permission
management, privacy dashboards and “learn more” tutorials. These allow for a more user-
centric transparency experience for the data subject.
A privacy dashboard is a single point from which data subjects can view ‘privacy
information’ and manage their privacy preferences by allowing or preventing their
data from being used in certain ways by the service in question. This is particularly
useful when the same service is used by data subjects on a variety of different
devices as it gives them access to and control over their personal data no matter how
they use the service. Allowing data subjects to manually adjust their privacy settings
via a privacy dashboard can also make it easier for a privacy statement/ notice to be
personalised by reflecting only the types of processing occurring for that particular
data subject. Incorporating a privacy dashboard into the existing architecture of a
service (e.g. by using the same design and branding as the rest of the service) is
preferable because it will ensure that access and use of it will be intuitive and may
help to encourage users to engage with this information, in the same way that they
would with other aspects of the service. This can be an effective way of
demonstrating that ‘privacy information’ is a necessary and integral part of a service
rather than a lengthy list of legalese.
A just-in-time notice is used to provide specific ‘privacy information’ in an ad hoc
manner, as and when it is most relevant for the data subject to read. This method is
useful for providing information at various points throughout the process of data
collection; it helps to spread the provision of information into easily digestible
chunks and reduces the reliance on a single privacy statement/ notice containing
information that is difficult to understand out of context. For example, if a data
subject purchases a product online, brief explanatory information can be provided
in pop-ups accompanying relevant fields of text. The information next to a field
requesting the data subject’s telephone number could explain for example that this
data is only being collected for the purposes of contact regarding the purchase and
that it will only be disclosed to the delivery service.
Other types of “appropriate measures”
40. Given the very high level of internet access in the EU and the fact that data subjects can go
online at any time, from multiple locations and different devices, as stated above, WP29’s
position is that an “appropriate measure” for providing transparency information in the case
of data controllers who maintain a digital/ online presence, is to do so through an electronic
privacy statement/ notice. However, based on the circumstances of the data collection and
processing, a data controller may need to additionally (or alternatively where the data
controller does not have any digital/online presence) use other modalities and formats to
provide the information. Other possible ways to convey the information to the data subject
arising from the following different personal data environments may include the following
modes applicable to the relevant environment which are listed below. As noted previously, a
layered approach may be followed by controllers where they opt to use a combination of such
methods while ensuring that the most important information (see paragraph 36 and 38) is
always conveyed in the first modality used to communicate with the data subject.
a. Hard copy/ paper environment, for example when entering into contracts by postal
means: written explanations, leaflets, information in contractual documentation,
cartoons, infographics or flowcharts;
b. Telephonic environment: oral explanations by a real person to allow interaction and
questions to be answered or automated or pre-recorded information with options to
hear further more detailed information;
c. Screenless smart technology/ IoT environment such as Wi-Fi tracking analytics:
icons, QR codes, voice alerts, written details incorporated into paper set-up
instructions, videos incorporated into digital set-up instructions, written information
on the smart device, messages sent by SMS or email, visible boards containing the
information, public signage or public information campaigns;
d. Person to person environment, such as responding to opinion polls, registering in
person for a service: oral explanations or written explanations provided in hard or soft
copy format;
e. “Real-life” environment with CCTV/ drone recording: visible boards containing the
information, public signage, public information campaigns or newspaper/ media
notices.
Information on profiling and automated decision-making
41. Information on the existence of automated decision-making, including profiling, as referred
to in Articles 22.1 and 22.4, together with meaningful information about the logic involved
and the significant and envisaged consequences of the processing for the data subject, forms
part of the obligatory information which must be provided to a data subject under Articles
13.2(f) and 14.2(g). WP29 has produced guidelines on automated individual decision-making
and profiling 35 which should be referred to for further guidance on how transparency should
be given effect in the particular circumstances of profiling. It should be noted that, aside from
the specific transparency requirements applicable to automated decision-making under
Articles 13.2(f) and 14.2(g), the comments in these guidelines relating to the importance of
informing data subjects as to the consequences of processing of their personal data, and the
general principle that data subjects should not be taken by surprise by the processing of their
personal data, equally apply to profiling generally (not just profiling which is captured by
Article 22 36), as a type of processing. 37
Other issues – risks, rules and safeguards
42. Recital 39 of the GDPR also refers to the provision of certain information which is not
explicitly covered by Articles 13 and Article 14 (see recital text above at paragraph 28). The
reference in this recital to making data subjects aware of the risks, rules and safeguards in
relation to the processing of personal data is connected to a number of other issues. These
include data protection impact assessments (DPIAs). As set out in the WP29 Guidelines on
DPIAs, 38 data controllers may consider publication of the DPIA (or part of it), as a way of
fostering trust in the processing operations and demonstrating transparency and
accountability, although such publication is not obligatory. Furthermore, adherence to a
code of conduct (provided for under Article 40) may go towards demonstrating transparency,
as codes of conduct may be drawn up for the purpose of specifying the application of the
GDPR with regard to: fair and transparent processing; information provided to the public and
to data subjects; and information provided to, and the protection of, children, amongst other
issues.
43. Another relevant issue relating to transparency is data protection by design and by default
(as required under Article 25). These principles require data controllers to build data
35 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP 251
36 This applies to decision-making based solely on automated processing, including profiling , which produces legal effects
concerning the data subject or similarly significantly affects him or her.
37 Recital 60, which is relevant here, states that “Furthermore, the data subject should be informed of the existence of
profiling and the consequences of such profiling”.
38 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high
risk” for the purposes of Regulation 2016/679, WP 248 rev.1
protection considerations into their processing operations and systems from the ground up,
rather than taking account of data protection as a last-minute compliance issue. Recital 78
refers to data controllers implementing measures that meet the requirements of data
protection by design and by default including measures consisting of transparency with
regard to the functions and processing of personal data.
44. Separately, the issue of joint controllers is also related to making data subjects aware of the
risks, rules and safeguards. Article 26.1 requires joint controllers to determine their respective
responsibilities for complying with obligations under the GDPR in a transparent manner, in
particular with regard to the exercise by data subjects of their rights and the duties to provide
the information under Articles 13 and 14. Article 26.2 requires that the essence of the
arrangement between the data controllers must be made available to the data subject. In
other words, it must be completely clear to a data subject which data controller he or
she can approach where they intend to exercise one or more of their rights under the GDPR. 39
Information related to further processing
45. Both Articles 13 and Article 14 contain a provision 40 that requires a data controller to inform
a data subject if it intends to further process their personal data for a purpose other than that
for which it was collected/ obtained. If so, “the controller shall provide the data subject prior to
that further processing with information on that other purpose and with any relevant further
information as referred to in paragraph 2”. These provisions specifically give effect to the
principle in Article 5.1(b) that personal data shall be collected for specified, explicit and
legitimate purposes, and further processing in a manner that is incompatible with these
purposes is prohibited. 41 The second part of Article 5.1(b) states that further processing for
archiving purposes in the public interest, scientific or historical research purposes or for
statistical purposes, shall, in accordance with Article 89.1, not be considered to be
incompatible with the initial purposes. Where personal data are further processed for
purposes that are compatible with the original purposes (Article 6.4 informs this issue 42),
Articles 13.3 and 14.4 apply. The requirements in these articles to inform a data subject about
further processing promotes the position in the GDPR that a data subject should reasonably
expect that at the time and in the context of the collection of personal data that processing
39 Under Article 26.3, irrespective of the terms of the arrangement between joint data controllers under Article 26.1, a data
subject may exercise his or her rights under the GDPR in respect of and against each of the joint data controllers.
40 At Articles 13.3 and 14.4, which are expressed in identical terms, apart from the word “collected”, which is used in Article
13, and which is replaced with the word “obtained” in Article 14.
41 See, for example on this principle, Recitals 47, 50, 61, 156, 158; Articles 6.4 and 89
42 Article 6.4 sets out, in non-exhaustive fashion, the factors which are to be taken into account in ascertaining whether
processing for another purpose is compatible with the purpose for which the personal data are initially collected, namely:
the link between the purposes; the context in which the personal data have been collected; the nature of the personal data
(in particular whether special categories of personal data or personal data relating to criminal offences and convictions are
included); the possible consequences of the intended further processing for data subjects; and the existence of appropriate
safeguards.
for a particular purpose may take place. 43 In other words, a data subject should not be taken
by surprise at the purpose of processing of their personal data.
46. Articles 13.3 and 14.4, insofar as they refer to the provision of “any relevant further information
as referred to in paragraph 2”, may be interpreted at first glance as leaving some element of
appreciation to the data controller as to the extent of and the particular categories of
information from the relevant sub-paragraph 2 (i.e. Article 13.2 or 14.2 as applicable) that
should be provided to the data subject. (Recital 61 refers to this as “other necessary
information”.) However, the default position is that all such information set out in that
sub-article should be provided to the data subject unless one or more categories of the
information does not exist or is not applicable.
47. WP29 recommends that, in order to be transparent, fair and accountable, controllers should
consider making information available to data subjects in their privacy statement/ notice on
the compatibility analysis carried out under Article 6.4 44 where a legal basis other than
consent or national/ EU law is relied on for the new processing purpose. (In other words, an
explanation as to how the processing for the other purpose(s) is compatible with the original
purpose). This is to allow data subjects the opportunity to consider the compatibility of the
further processing and the safeguards provided and to decide whether to exercise their rights
e.g. the right to restriction of processing or the right to object to processing, amongst
others. 45 Where controllers choose not to include such information in a privacy notice/
statement, WP29 recommends that they make it clear to data subjects that they can obtain
the information on request.
48. Connected to the exercise of data subject rights is the issue of timing. As emphasised above,
the provision of information in a timely manner is a vital element of the transparency
requirements under Articles 13 and 14 and is inherently linked to the concept of fair
processing. Information in relation to further processing must be provided “prior to that
further processing”. WP29’s position is that a reasonable period should occur between the
notification and the processing commencing rather than an immediate start to the
processing upon notification being received by the data subject. This gives data subjects the
practical benefits of the principle of transparency, allowing them a meaningful opportunity
to consider (and potentially exercise their rights in relation to) the further processing. What
is a reasonable period will depend on the particular circumstances. The principle of fairness
requires that the more intrusive (or less expected) the further processing, the longer the
period should be. Equally, the principle of accountability requires that data controllers be able
to demonstrate how the determinations they have made as regards the timing for the
provision of this information are justified in the circumstances and how the timing overall is
fair to data subjects. (See also the previous comments in relation to ascertaining reasonable
timeframes above at paragraphs 30 to 32.)
43 Recitals 47 and 50
44 Also referenced in Recital 50
45 As referenced in Recital 63, this will enable a data subject to exercise the right of access in order to be aware of and to
verify the lawfulness of the processing.
Visualisation tools
49. Importantly, the principle of transparency in the GDPR is not limited to being effected simply
through language communications (whether written or oral). The GDPR provides for
visualisation tools (referencing in particular, icons, certification mechanisms, and data
protection seals and marks) where appropriate. Recital 58 46 indicates that the accessibility of
information addressed to the public or to data subjects is especially important in the online
environment. 47
Icons
50. Recital 60 makes provision for information to be provided to a data subject “in combination”
with standardised icons, thus allowing for a multi-layered approach. However, the use of
icons should not simply replace information necessary for the exercise of a data subject’s
rights nor should they be used as a substitute to compliance with the data controller’s
obligations under Articles 13 and 14. Article 12.7 provides for the use of such icons stating
that:
“The information to be provided to data subjects pursuant to Articles 13 and 14 may be
provided in combination with standardised icons in order to give in an easily visible,
intelligible and clearly legible manner a meaningful overview of the intended processing.
Where icons are presented electronically they shall be machine-readable”.
51. As Article 12.7 states that “Where the icons are presented electronically, they shall be machine-
readable”, this suggests that there may be situations where icons are not presented
electronically, 48 for example icons on physical paperwork, IoT devices or IoT device
packaging, notices in public places about Wi-Fi tracking, QR codes and CCTV notices.
52. Clearly, the purpose of using icons is to enhance transparency for data subjects by potentially
reducing the need for vast amounts of written information to be presented to a data subject.
However, the utility of icons to effectively convey information required under Articles 13 and
14 to data subjects is dependent upon the standardisation of symbols/ images to be
46 “Such information could be provided in electronic form, for example, when addressed to the public, through a website.
This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice
make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data
relating to him or her are being collected, such as in the case of online advertising.”
47 In this context, controllers should take into account visually impaired data subjects (e.g. red-green colour blindness).
48 There is no definition of “machine-readable” in the GDPR but Recital 21 of Directive 2013/37/EU17 defines “machine-
readable” as:
“a file format structured so that software applications can easily identify, recognize and extract specific data, including
individual statements of fact, and their internal structure. Data encoded in files that are structured in a machine-readable
format are machine-readable data. Machine-readable formats can be open or proprietary; they can be formal standards or
not. Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be
extracted from them, should not be considered to be in a machine-readable format. Member States should where
appropriate encourage the use of open, machine-readable formats.”
universally used and recognised across the EU as shorthand for that information. In this
regard, the GDPR assigns responsibility for the development of a code of icons to the
Commission but ultimately the European Data Protection Board may, either at the request
of the Commission or of its own accord, provide the Commission with an opinion on such
icons. 49 WP29 recognises that, in line with Recital 166, the development of a code of icons
should be centred upon an evidence-based approach and in advance of any such
standardisation it will be necessary for extensive research to be conducted in conjunction
with industry and the wider public as to the efficacy of icons in this context.
Certification mechanisms, seals and marks
53. Aside from the use of standardised icons, the GDPR (Article 42) also provides for the use of
data protection certification mechanisms, data protection seals and marks for the purpose of
demonstrating compliance with the GDPR of processing operations by data controllers and
processors and enhancing transparency for data subjects. 50 WP29 will be issuing guidelines
on certification mechanisms in due course.
Exercise of data subjects’ rights
54. Transparency places a triple obligation upon data controllers insofar as the rights of data
subjects under the GDPR are concerned, as they must: 51
provide information to data subjects on their rights52 (as required under Articles
13.2(b) and 14.2(c));
comply with the principle of transparency (i.e. relating to the quality of the
communications as set out in Article 12.1) when communicating with data subjects
in relation to their rights under Articles 15 to 22 and 34; and
facilitate the exercise of data subjects’ rights under Articles 15 to 22.
55. The GDPR requirements in relation to the exercise of these rights and the nature of the
information required are designed to meaningfully position data subjects so that they can
vindicate their rights and hold data controllers accountable for the processing of their
personal data. Recital 59 emphasises that “modalities should be provided for facilitating the
exercise of the data subject’s rights” and that the data controller should “also provide means
49 Article 12.8 provides that the Commission is empowered to adopt delegated acts under Article 92 for the purpose of
determining the information to be presented by the icons and the information for providing standardised icons. Recital
166 (which deals with delegated acts of the Commission in general) is instructive, providing that the Commission must
carry out appropriate consultations during its preparatory work, including at expert level. However, the European Data
Protection Board (EDPB) also has an important consultative role to play in relation to the standardisation of icons as
Article 70.1(r) states that the EDPB shall on its own initiative or, where relevant, at the request of the Commission, provide
the Commission with an opinion on icons.
50 See the reference in Recital 100
51 Under the Transparency and Modalities section of the GDPR on Data Subject Rights (Section 1, Chapter III, namely Article
12)
52 Access, rectification, erasure, restriction on processing, object to processing, portability
for requests to be made electronically, especially where personal data are processed by electronic
means”. The modality provided by a data controller for data subjects to exercise their rights
should be appropriate to the context and the nature of the relationship and interactions
between the controller and a data subject. To this end, a data controller may wish to provide
one or more different modalities for the exercise of rights that are reflective of the different
ways in which data subjects interact with that data controller.
Example
A health service provider uses an electronic form on its website, and paper forms in
the receptions of its health clinics, to facilitate the submission of access requests for
personal data both online and in person. While it provides these modalities, the health
service still accepts access requests submitted in other ways (such as by letter and by
email) and provides a dedicated point of contact (which can be accessed by email and
by telephone) to help data subjects with the exercise of their rights.
Exceptions to the obligation to provide information
Article 13 exceptions
56. The only exception to a data controller’s Article 13 obligations where it has collected personal
data directly from a data subject occurs “where and insofar as, the data subject already has the
information”. 53 The principle of accountability requires that data controllers demonstrate
(and document) what information the data subject already has, how and when they received
it and that no changes have since occurred to that information that would render it out of
date. Further, the use of the phrase “insofar as” in Article 13.4 makes it clear that even if the
data subject has previously been provided with certain categories from the inventory of
information set out in Article 13, there is still an obligation on the data controller to
supplement that information in order to ensure that the data subject now has a complete set
of the information listed in Articles 13.1 and 13.2. The following is a best practice example
concerning the limited manner in which the Article 13.4 exception should be construed.
Example
An individual signs up to an online email service and receives all of the required Article
13.1 and 13.2 information at the point of sign-up. Six months later the data subject
activates a connected instant message functionality through the email service
provider and provides their mobile telephone number to do so. The service provider
gives the data subject certain Article 13.1 and 13.2 information about the processing
of the telephone number (e.g. purposes and legal basis for processing, recipients,
retention period) but does not provide other information that the individual already
53 Article 13.4
has from 6 months ago and which has not since changed (e.g. the identity and contact
details of the controller and the data protection officer, information on data subject
rights and the right to complain to the relevant supervisory authority). As a matter of
best practice however, the complete suite of information should be provided to the
data subject again but the data subject also should be able to easily tell what
information amongst it is new. The new processing for the purposes of the instant
messaging service may affect the data subject in a way which would prompt them to
seek to exercise a right they may have forgotten about, having been informed six
months prior. Providing all the information again helps to ensure the data subject
remains well informed about how their data is being used and their rights.
Article 14 exceptions
57. Article 14 carves out a much broader set of exceptions to the information obligation on a data
controller where personal data has not been obtained from the data subject. These
exceptions should, as a general rule, be interpreted and applied narrowly. In addition to the
circumstances where the data subject already has the information in question (Article
14.5(a)), Article 14.5 also allows for the following exceptions:
The provision of such information is impossible or would involve a disproportionate
effort, in particular for processing for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes, or where it would
make the achievement of the objectives of the processing impossible or seriously
impair them;
The data controller is subject to a national law or EU law requirement to obtain or
disclose the personal data and that the law provides appropriate protections for the
data subject’s legitimate interests; or
An obligation of professional secrecy (including a statutory obligation of secrecy)
which is regulated by national or EU law means the personal data must remain
confidential.
Proves impossible, disproportionate effort and serious impairment of objectives
58. Article 14.5(b) allows for 3 separate situations where the obligation to provide the
information set out in Articles 14.1, 14.2 and 14.4 is lifted:
(i) Where it proves impossible (in particular for archiving, scientific/ historical research
or statistical purposes);
(ii) Where it would involve a disproportionate effort (in particular for archiving, scientific/
historical research or statistical purposes); or
(iii) Where providing the information required under Article 14.1 would make the
achievement of the objectives of the processing impossible or seriously impair them.
“Proves impossible”
59. The situation where it “proves impossible” under Article 14.5(b) to provide the information is
an all or nothing situation because something is either impossible or it is not; there are no
degrees of impossibility. Thus if a data controller seeks to rely on this exemption it must
demonstrate the factors that actually prevent it from providing the information in question
to data subjects. If, after a certain period of time, the factors that caused the “impossibility”
no longer exist and it becomes possible to provide the information to data subjects then the
data controller should immediately do so. In practice, there will be very few situations in
which a data controller can demonstrate that it is actually impossible to provide the
information to data subjects. The following example demonstrates this.
Example
A data subject registers for a post-paid online subscription service. After registration, the
data controller collects credit data from a credit-reporting agency on the data subject in
order to decide whether to provide the service. The controller’s protocol is to inform data
subjects of the collection of this credit data within three days of collection, pursuant to
Article 14.3(a). However, the data subject’s address and phone number are not registered
in public registries (the data subject is in fact living abroad). The data subject did not leave
an email address when registering for the service or the email address is invalid. The
controller finds that it has no means to directly contact the data subject. In this case,
however, the controller may give information about collection of credit reporting data on
its website, prior to registration. In this case, it would not be impossible to provide
information pursuant to Article 14.
Impossibility of providing the source of the data
60. Recital 61 states that “where the origin of the personal data cannot be provided to the data
subject because various sources have been used, general information should be provided”. The
lifting of the requirement to provide data subjects with information on the source of their
personal data applies only where this is not possible because different pieces of personal data
relating to the same data subject cannot be attributed to a particular source. For example,
the mere fact that a database comprising the personal data of multiple data subjects has
been compiled by a data controller using more than one source is not enough to lift this
requirement if it is possible (although time consuming or burdensome) to identify the source
from which the personal data of individual data subjects derived. Given the requirements of
data protection by design and by default, 54 transparency mechanisms should be built into
processing systems from the ground up so that all sources of personal data received into an
organisation can be tracked and traced back to their source at any point in the data
processing life cycle (see paragraph 43 above).
54 Article 25
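The design requirement in paragraph 60 (being able to state, for one individual, from which source each piece of personal data came, and recognising when that attribution is genuinely impossible) can be illustrated with the following added example. It is not part of the WP29 guidelines or of any controller’s system; the class names, the source labels (“web_signup_form”, “credit_agency_X”) and the sample record are constructed for illustration. It stores a provenance entry beside every field at ingestion, distinguishes data obtained from the data subject (Article 13) from data obtained elsewhere (Article 14), and reports a field as unattributable only when its origin was never recorded, which is the situation in which only general information about sources can be given.

```python
"""Per-field provenance tracking for personal data (added example, not from the guidelines).

Assumption (hypothetical): a controller receives data about the same person from
several sources and must later answer, for that one person, which source each
field came from. All names and sample values below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Provenance:
    source: str                  # label of the origin, e.g. "credit_agency_X"
    obtained_at: datetime        # when the value entered the organisation
    obtained_from_subject: bool  # True: Article 13 situation; False: Article 14 situation


@dataclass
class SubjectRecord:
    subject_id: str
    fields: dict = field(default_factory=dict)      # field name -> value
    provenance: dict = field(default_factory=dict)  # field name -> Provenance

    def ingest(self, name: str, value, prov: Provenance) -> None:
        """Store a value together with its origin (the intended, by-design path)."""
        self.fields[name] = value
        self.provenance[name] = prov

    def merge_untracked(self, name: str, value) -> None:
        """Legacy merge path that discards origin; modelled so the report can flag it."""
        self.fields[name] = value
        self.provenance.pop(name, None)

    def source_report(self) -> dict:
        """Per field: the specific source, or None where attribution is impossible.

        None means the controller cannot name a particular source for that field
        and can only give general information about the sources used (Recital 61).
        """
        return {name: (self.provenance[name].source if name in self.provenance else None)
                for name in self.fields}

    def indirect_sources(self) -> set:
        """Sources for which Article 14 (not Article 13) information is owed."""
        return {p.source for p in self.provenance.values() if not p.obtained_from_subject}


def attribution_complete(record: SubjectRecord) -> bool:
    """True only when every stored field can be traced to a single named source."""
    return all(src is not None for src in record.source_report().values())


def build_sample_record() -> SubjectRecord:
    """Constructed sample: one subject with a form-supplied field and a credit-agency field."""
    when = datetime(2018, 4, 11, tzinfo=timezone.utc)
    rec = SubjectRecord("subject-0001")
    rec.ingest("email", "example@example.invalid",
               Provenance("web_signup_form", when, obtained_from_subject=True))
    rec.ingest("credit_score", 640,
               Provenance("credit_agency_X", when, obtained_from_subject=False))
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print(rec.source_report())       # every field attributable
    rec.merge_untracked("postal_address", "1 Example Street")
    print(rec.source_report())       # postal_address -> None: only general information possible
```

The point of the `merge_untracked` path is the failure mode paragraph 60 warns against: a database that was assembled from several sources is not, by itself, a reason to withhold source information, and the report shows that only the field whose origin was actually lost falls back to general information.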
“Disproportionate effort”
61. Under Article 14.5(b), as with the “proves impossible” situation, “disproportionate effort”
may also apply, in particular, for processing “for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes, subject to the safeguards
referred to in Article 89(1)”. Recital 62 also references these objectives as cases where the
provision of information to the data subject would involve a disproportionate effort and
states that in this regard, the number of data subjects, the age of the data and any
appropriate safeguards adopted should be taken into consideration. Given the emphasis in
Recital 62 and Article 14.5(b) on archiving, research and statistical purposes with regard to
the application of this exemption, WP29’s position is that this exception should not be
routinely relied upon by data controllers who are not processing personal data for the
purposes of archiving in the public interest, for scientific or historical research purposes or
statistical purposes. WP29 emphasises the fact that where these are the purposes pursued,
the conditions set out in Article 89.1 must still be complied with and the provision of the
information must constitute a disproportionate effort.
62. In determining what may constitute either impossibility or disproportionate effort under
Article 14.5(b), it is relevant that there are no comparable exemptions under Article 13 (where
personal data is collected from a data subject). The only difference between an Article 13 and
an Article 14 situation is that in the latter, the personal data is not collected from the data
subject. It therefore follows that impossibility or disproportionate effort typically arises by
virtue of circumstances which do not apply if the personal data is collected from the data
subject. In other words, the impossibility or disproportionate effort must be directly
connected to the fact that the personal data was obtained other than from the data subject.
Example
A large metropolitan hospital requires all patients for day procedures, longer-term
admissions and appointments to fill in a Patient Information Form which seeks the details
of two next-of-kin (data subjects). Given the very large volume of patients passing
through the hospital on a daily basis, it would involve disproportionate effort on the part
of the hospital to provide all persons who have been listed as next-of-kin on forms filled
in by patients each day with the information required under Article 14.
63. The factors referred to above in Recital 62 (number of data subjects, the age of the data and
any appropriate safeguards adopted) may be indicative of the types of issues that contribute
to a data controller having to use disproportionate effort to notify a data subject of the
relevant Article 14 information.
Example
Historical researchers seeking to trace lineage based on surnames indirectly obtain a
large dataset relating to 20,000 data subjects. However, the dataset was collected 50
years ago, has not been updated since, and does not contain any contact details.
Given the size of the database and more particularly, the age of the data, it would
involve disproportionate effort for the researchers to try to trace the data subjects
individually in order to provide them with Article 14 information.
64. Where a data controller seeks to rely on the exception in Article 14.5(b) on the basis that
provision of the information would involve a disproportionate effort, it should carry out a
balancing exercise to assess the effort involved for the data controller to provide the
information to the data subject against the impact and effects on the data subject if he or she
was not provided with the information. This assessment should be documented by the data
controller in accordance with its accountability obligations. In such a case, Article 14.5(b)
specifies that the controller must take appropriate measures to protect the data subject’s
rights, freedoms and legitimate interests. This applies equally where a controller determines
that the provision of the information proves impossible, or would likely render impossible or
seriously impair the achievement of the objectives of the processing. One appropriate
measure, as specified in Article 14.5(b), that controllers must always take is to make the
information publicly available. A controller can do this in a number of ways, for instance by
putting the information on its website, or by proactively advertising the information in a
newspaper or on posters on its premises. Other appropriate measures, in addition to making
the information publicly available, will depend on the circumstances of the processing, but
may include: undertaking a data protection impact assessment; applying pseudonymisation
techniques to the data; minimising the data collected and the storage period; and
implementing technical and organisational measures to ensure a high level of security.
Furthermore, there may be situations where a data controller is processing personal data
which does not require the identification of a data subject (for example with pseudonymised
data). In such cases, Article 11.1 may also be relevant as it states that a data controller shall
not be obliged to maintain, acquire or process additional information in order to identify the
data subject for the sole purposes of complying with the GDPR.
Serious impairment of objectives
65. The final situation covered by Article 14.5(b) is where a data controller’s provision of the
information to a data subject under Article 14.1 is likely to make impossible or seriously impair
the achievement of the processing objectives. To rely on this exception, data controllers must
demonstrate that the provision of the information set out in Article 14.1 alone would nullify
the objectives of the processing. Notably, reliance on this aspect of Article 14.5(b)
presupposes that the data processing satisfies all of the principles set out in Article 5 and that
most importantly, in all of the circumstances, the processing of the personal data is fair and
that it has a legal basis.
Example
Bank A is subject to a mandatory requirement under anti-money laundering
legislation to report suspicious activity relating to accounts held with it to the relevant
financial law enforcement authority. Bank A receives information from Bank B (in
another Member State) that an account holder has instructed it to transfer money to
another account held with Bank A which appears suspicious. Bank A passes this data
concerning its account holder and the suspicious activities to the relevant financial
law enforcement authority. The anti-money laundering legislation in question makes
it a criminal offence for a reporting bank to “tip off” the account holder that they may
be subject to regulatory investigations. In this situation, Article 14.5(b) applies
because providing the data subject (the account holder with Bank A) with Article 14
information on the processing of account holder’s personal data received from Bank
B would seriously impair the objectives of the legislation, which includes the
prevention of “tip-offs”. However, general information should be provided to all
account holders with Bank A when an account is opened that their personal data may
be processed for anti-money laundering purposes.
Obtaining or disclosing is expressly laid down in law
66. Article 14.5(c) allows for a lifting of the information requirements in Articles 14.1, 14.2 and
14.4 insofar as the obtaining or disclosure of personal data “is expressly laid down by Union or
Member State law to which the controller is subject”. This exemption is conditional upon the
law in question providing “appropriate measures to protect the data subject’s legitimate
interests”. Such a law must directly address the data controller and the obtaining or disclosure
in question should be mandatory upon the data controller. Accordingly, the data controller
must be able to demonstrate how the law in question applies to them and requires them to
either obtain or disclose the personal data in question. While it is for Union or Member State
law to frame the law such that it provides “appropriate measures to protect the data subject’s
legitimate interests”, the data controller should ensure (and be able to demonstrate) that its
obtaining or disclosure of personal data complies with those measures. Furthermore, the
data controller should make it clear to data subjects that it obtains or discloses personal data
in accordance with the law in question, unless there is a legal prohibition preventing the data
controller from doing so. This is in line with Recital 41 of the GDPR, which states that a legal
basis or legislative measure should be clear and precise, and its application should be
foreseeable to persons subject to it, in accordance with the case law of the Court of Justice of
the EU and the European Court of Human Rights. However, Article 14.5(c) will not apply
where the data controller is under an obligation to obtain data directly from a data subject, in
which case Article 13 will apply. In that case, the only exemption under the GDPR exempting
the controller from providing the data subject with information on the processing will be that
under Article 13.4 (i.e. where and insofar as the data subject already has the information).
However, as referred to below at paragraph 68, at a national level, Member States may also
legislate, in accordance with Article 23, for further specific restrictions to the right to
transparency under Article 12 and to information under Articles 13 and 14.
Example
A tax authority is subject to a mandatory requirement under national law to obtain the
details of employees’ salaries from their employers. The personal data is not obtained
from the data subjects and therefore the tax authority is subject to the requirements of
Article 14. As the obtaining of the personal data by the tax authority from employers is
expressly laid down by law, the information requirements in Article 14 do not apply to the
tax authority in this instance.
Confidentiality by virtue of a secrecy obligation
67. Article 14.5(d) provides for an exemption to the information requirement upon data
controllers where the personal data “must remain confidential subject to an obligation of
professional secrecy regulated by Union or Member State law, including a statutory obligation
of secrecy”. Where a data controller seeks to rely on this exemption, it must be able to
demonstrate that it has appropriately identified such an exemption and to show how the
professional secrecy obligation directly addresses the data controller such that it prohibits
the data controller from providing all of the information set out in Articles 14.1, 14.2 and 14.4
to the data subject.
Example
A medical practitioner (data controller) is under a professional obligation of secrecy in
relation to his patients’ medical information. A patient (in respect of whom the obligation
of professional secrecy applies) provides the medical practitioner with information about
her health relating to a genetic condition, which a number of her close relatives also have.
The patient also provides the medical practitioner with certain personal data of her
relatives (data subjects) who have the same condition. The medical practitioner is not
required to provide those relatives with Article 14 information as the exemption in Article
14.5(d) applies. If the medical practitioner were to provide the Article 14 information to
the relatives, the obligation of professional secrecy, which he owes to his patient, would
be violated.
Restrictions on data subject rights
68. Article 23 provides for Member States (or the EU) to legislate for further restrictions on the
scope of the data subject rights in relation to transparency and the substantive data subject
rights55 where such measures respect the essence of the fundamental rights and freedoms
and are necessary and proportionate to safeguard one or more of the ten objectives set out
in Article 23.1(a) to (j). Where such national measures lessen either the specific data subject
rights or the general transparency obligations, which would otherwise apply to data
controllers under the GDPR, the data controller should be able to demonstrate how the
national provision applies to them. As set out in Article 23.2(h), the legislative measure must
contain a provision as to the right of the data subject to be informed about a restriction on
their rights, unless so informing them may be prejudicial to the purpose of the restriction.
Consistent with this, and in line with the principle of fairness, the data controller should also
inform data subjects that they are relying on (or will rely on, in the event of a particular data
subject right being exercised) such a national legislative restriction to the exercise of data
subject rights, or to the transparency obligation, unless doing so would be prejudicial to the
purpose of the legislative restriction. As such, transparency requires data controllers to
provide adequate upfront information to data subjects about their rights and any particular
caveats to those rights which the controller may seek to rely on, so that the data subject is
not taken by surprise at a purported restriction of a particular right when they later attempt
to exercise it against the controller. In relation to pseudonymisation and data minimisation,
and insofar as data controllers may purport to rely on Article 11 of the GDPR, WP29 has
previously confirmed in Opinion 3/2017 56 that Article 11 of the GDPR should be interpreted
as a way of enforcing genuine data minimisation without hindering the exercise of data
subject rights, and that the exercise of data subject rights must be made possible with the
help of additional information provided by the data subject.
55 As set out in Articles 12 to 22 and 34, and in Article 5 insofar as its provisions correspond to the rights and obligations
provided for in Articles 12 to 22.
69. Additionally, Article 85 requires Member States, by law, to reconcile data protection with the
right to freedom of expression and information. This requires, amongst other things, that
Member States provide for appropriate exemptions or derogations from certain provisions
of the GDPR (including from the transparency requirements under Articles 12 – 14) for
processing carried out for journalistic, academic, artistic or literary expression purposes, if
they are necessary to reconcile the two rights.
Transparency and data breaches
70. WP29 has produced separate Guidelines on Data Breaches57 but for the purposes of these
guidelines, a data controller’s obligations in relation to communication of data breaches to a
data subject must take full account of the transparency requirements set out in Article 12. 58
The communication of a data breach must satisfy the same requirements, detailed above (in
particular for the use of clear and plain language), that apply to any other communication
with a data subject in relation to their rights or in connection with conveying information
under Articles 13 and 14.
EDPB Guidance Subject Rights
Guidelines 01/2022 on data subject rights – Right of access
Version 2.0
Adopted on 28 March 2023
Version history
Version 1.0, 18 January 2022: Adoption of the Guidelines for public consultation
Version 2.0, 28 March 2023: Adoption of the Guidelines after public consultation
EXECUTIVE SUMMARY
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Aim and overall structure of the right of access
The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier – but is not a condition – for the individual to exercise other rights such as the right to erasure or rectification.
The right of access according to data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice.
However, the data subject does not have to give reasons for the access request and it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing or exercise other rights. The controller will have to deal with the request unless it is clear that the request is made under other rules than data protection rules.
The right of access includes three different components:
Confirmation as to whether data about the person is processed or not,
Access to this personal data and
Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.
General considerations on the assessment of the data subject’s request
When analysing the content of the request, the controller must assess whether the request concerns personal data of the individual making the request, whether the request falls within the scope of Art. 15 and whether there are other, more specific, provisions that regulate access in a certain sector. It must also assess whether the request refers to all or only parts of the data processed about the data subject.
There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject. However, the data subject is not required to use these specific channels and may instead send the request to an official contact point of the controller. The controller is not obliged to act on requests that are sent to completely random, or apparently incorrect, addresses.
Where the controller is not able to identify data that refers to the data subject, it shall inform the data subject about this and may refuse to give access unless the data subject provides additional information that enables identification. Furthermore, if the controller has doubts about whether the data subject is who they claim to be, the controller may request additional information in order to confirm the identity of the data subject. The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.
Scope of the right of access
The scope of the right of access is determined by the scope of the concept of personal data as defined in Art. 4(1) GDPR. Aside from basic personal data like name, address, phone number etc. a broad variety of data may fall within this definition like medical findings, history of purchases, creditworthiness indicators, activity logs, search activities etc. Personal data which have undergone pseudonymisation are still personal data as opposed to anonymised data. The right of access refers to personal data concerning the person making the request. This should not be interpreted overly restrictively and may include data that could concern other persons too, for example communication history involving incoming and outgoing messages.
In addition to providing access to the personal data, the controller has to provide additional information about the processing and on data subjects’ rights. Such information can be based on what is already compiled in the controller’s record of processing activities (Art. 30 GDPR) and the privacy notice (Art. 13 and 14 GDPR). However, this general information may have to be updated to the time of the request or tailored to reflect the processing operations that are carried out in relation to the specific person making the request.
How to provide access
The ways to provide access may vary depending on the amount of data and the complexity of the processing that is carried out. Unless explicitly stated otherwise, the request should be understood as referring to all personal data concerning the data subject and the controller may ask the data subject to specify the request if they process a large quantity of data.
The controller will have to search for personal data throughout all IT systems and non-IT filing systems based on search criteria that mirrors the way in which the information is structured, for example name and customer number. The communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The more precise requirements in this regard depend on the circumstances of the data processing as well as the data subject’s ability to grasp and comprehend the communication (for example taking into account that the data subject is a child or a person with special needs). If the data consists of codes or other “raw data”, these may have to be explained in order to make sense to the data subject.
The main modality for providing access is to provide the data subject with a copy of their data, but other modalities (such as oral information and on-site access) can be foreseen if the data subject requests it. The data can be sent by e-mail, provided that all necessary safeguards are applied, taking into consideration, for example, the nature of the data, or in other ways, for example a self-service tool.
Sometimes, when there is a large quantity of data and it would be difficult for the data subject to comprehend the information if given all in one bulk – especially in the online context – the most appropriate measure could be a layered approach. Providing information in different layers may facilitate the data subject’s understanding of the data. The controller must be able to demonstrate that the layered approach has an added value for the data subject and all layers should be provided at the same time if the data subject chooses it.
The copy of the data and the additional information should be provided in a permanent form such as written text, which could be in a commonly used electronic form, so that the data subject can easily download it. The data can be given in a transcript or a compiled form as long as all the information is included and this does not alter or change the content of the information.
The request must be fulfilled as soon as possible and in any event within one month of receipt of the request. This can be extended by two further months where necessary, taking into account the complexity and number of the requests. The data subject then has to be informed about the reason for the delay. The controller must implement necessary measures to deal with requests as soon as possible and adapt these measures to the circumstances of the processing. Where data is stored only for a very short period, there must be measures to guarantee that a request for access can be fulfilled without the data being erased while the request is being dealt with. Where a large quantity of data is processed, the controller will have to put in place routines and mechanisms that are adapted to the complexity of the processing.
The assessment of the request should reflect the situation at the moment when the request was received by the controller. Even data that may be incorrect or unlawfully processed will have to be provided. Data that has already been deleted, for example in accordance with a retention policy, and therefore is no longer available to the controller cannot be provided.
Limits and restrictions
The GDPR allows for certain limitations of the right of access. There are no further exemptions or derogations. The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject’s request.
According to Art. 15(4) the right to obtain a copy shall not adversely affect the rights and freedoms of others. The EDPB is of the opinion that these rights must be taken into consideration not only when granting access by providing a copy, but also, if access to data is provided by other means (on-site access for example). Art. 15(4) is not, however, applicable to the additional information on the processing as stated in Art. 15(1) lit. a.-h. The controller must be able to demonstrate that the rights or freedoms of others would be adversely affected in the concrete situation. Applying Art. 15(4) should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others.
Art. 12(5) GDPR allows controllers to reject requests that are manifestly unfounded or excessive, or to charge a reasonable fee for such requests. These concepts have to be interpreted narrowly. Since there are very few prerequisites regarding access requests, the scope of considering a request as manifestly unfounded is rather limited. Excessive requests depend on the specifics of the sector in which the controller operates. The more often changes occur in the controller’s data base, the more often the data subject may be permitted to request access without it being excessive. Instead of refusing access, the controller may decide to charge a fee from the data subject. This would only be relevant in the case of excessive requests in order to cover the administrative costs that such requests may cause. The controller must be able to demonstrate the manifestly unfounded or excessive character of a request.
Restrictions of the right of access may also exist in Member States’ national law as per Art. 23 GDPR and the derogations therein. Controllers who intend to rely on such restrictions must carefully check the requirements of the national provisions and take note of any specific conditions that may apply. Such conditions may be that the right of access is only temporarily delayed or that the restriction only applies to certain categories of data.
Table of contents
1 Introduction – general observations 8
2 Aim of the right of access, structure of Article 15 GDPR and general principles 10
2.1 Aim of the right of access 10
2.2 Structure of Article 15 GDPR 11
2.2.1 Defining the content of the right of access 12
2.2.1.1 Confirmation as to ‘whether’ or not personal data are being processed 12
2.2.1.2 Access to the personal data being processed 12
2.2.1.3 Information on the processing and on data subject rights 13
2.2.2 Provisions on Modalities 13
2.2.2.1 Providing a copy 13
2.2.2.2 Providing further copies 14
2.2.2.3 Making the information available in a commonly used electronic form 15
2.2.3 Possible limitation of the right of access 15
2.3 General principles of the right of access 15
2.3.1 Completeness of the information 16
2.3.2 Correctness of the information 18
2.3.3 Time reference point of the assessment 18
2.3.4 Compliance with data security requirements 19
3 General considerations regarding the assessment of access requests 20
3.1 Introduction 20
3.1.1 Analysis of the content of the request 20
3.1.2 Form of the request 22
3.2 Identification and authentication 24
3.3 Proportionality assessment regarding authentication of the requesting person 26
3.4 Requests made via third parties / proxies 29
3.4.1 Exercise of the right of access on behalf of children 30
3.4.2 Exercising the right of access through portals / channels provided by a third party 30
4 Scope of the right of access and the personal data and information to which it refers 31
4.1 Definition of personal data 31
4.2 The personal data the right of access refers to 34
4.2.1 “personal data concerning him or her” 34
4.2.2 Personal data which “are being processed” 36
4.2.3 The scope of a new request to access 37
4.3 Information on the processing and on data subject rights 37
5 How can a controller provide access? 41
5.1 How can the controller retrieve the requested data? 41
5.2 Appropriate measures for providing access 42
5.2.1 Taking “appropriate measures” 42
5.2.2 Different means to provide access 43
5.2.3 Providing access in a ”concise, transparent, intelligible and easily accessible form using clear and plain language” 44
5.2.4 A large quantity of information necessitates specific requirements on how the information is provided 46
5.2.5 Format 47
5.3 Timing for the provision of access 50
6 Limits and restrictions of the right of access 51
6.1 General remarks 51
6.2 Article 15 (4) GDPR 52
6.3 Article 12(5) GDPR 55
6.3.1 What does manifestly unfounded mean? 55
6.3.2 What does excessive mean? 56
6.3.3 Consequences 59
6.4 Possible restrictions in Union or Member States law based on Article 23 GDPR and derogations 60
Annex – Flowchart 61
The European Data Protection Board
Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 20181,
Having regard to Article 12 and Article 22 of its Rules of Procedure,
Whereas the preparatory work of these guidelines involved the collection of inputs from stakeholders, both in writing and at a dedicated stakeholders event on data subject rights, in order to identify the challenges and interpretation issues faced in the application of the relevant provisions of the GDPR;
HAS ADOPTED THE FOLLOWING GUIDELINES
1 INTRODUCTION – GENERAL OBSERVATIONS
1. In today’s society, personal data are processed by public and private entities, during many activities, for a wide array of purposes and in many different ways. Individuals may often be in a disadvantaged position in terms of understanding how their personal data are processed, including the technology used in the particular case, whether it is by a private or a public entity. In order to protect personal data of natural persons in these situations, the GDPR has created a coherent and robust legal framework, generally applicable with regard to different types of processing, including specific provisions relating to data subject rights.
2. The right of access to personal data is one of the data subjects’ rights provided for in Chapter III of the GDPR among other rights, such as for instance the right to rectification and erasure, the right to restriction of processing, the right to portability, the right to object or the right of not being subject to automated individual decision making, including profiling2. The right of access by the data subject is enshrined both in the Charter of Fundamental Rights of the EU (the Charter)3 and in Art. 15 GDPR, where it is precisely formulated as the right of access to personal data and to other related information.
3. Under the GDPR, the right of access consists of three components i.e. confirmation of whether or not personal data are processed, access to it, and information about the processing itself. The data subject can also obtain a copy of the processed personal data, whereas this possibility is not an additional data subject right but the modality of providing access to the data. Thus, the right of access can be understood both as the possibility of the data subject to ask the controller if personal data about him or her are processed and as the possibility to access and to verify these data. The controller shall provide to the data subject, on the basis of his/her request, the information falling within the scope of Art. 15(1) and (2) GDPR.
1 References to “Member States” made throughout this document should be understood as references to “EEA Member States”.
2 Art. 15 – 22 GDPR.
3 Under Art. 8 para. 1 of the Charter of Fundamental Rights of the European Union, “Everyone has the right to the protection of personal data concerning him or her.” Under Art. 8 para. 2 sentence 2, “Everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified.”
4. The exercise of the right of access is realised both in the framework of data protection law, in accordance with the objectives of data protection law, and more specifically, in the framework of “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”, as put forward by Art. 1(2) GDPR. The right of access is an important element of the whole data protection system.
5. The practical aim of the right of access is to enable natural persons to have control over their own personal data4. In order to realise this goal effectively in practice, the GDPR aims to facilitate this exercise by a number of guarantees enabling the data subject to exercise this right easily, without unnecessary constraints, at reasonable intervals and without excessive delay or expense. All this should lead to more effective enforcement of the right of access by data subjects in the digital age, part of which in a broader sense is also the data subject’s right to file a complaint to the supervisory authority and the right to effective judicial protection5.
6. With regards to the development of the right of access, as part of the data protection legal framework, it should be stressed that it has been an element of the European data protection system from its beginning. In comparison with Directive 95/46/EC, the standard of the data subject rights set out in the GDPR has been both refined and strengthened; this also applies to the right of access. As the modalities of the right of access are now specified more precisely in the GDPR, this right is also more instructive from the point of legal certainty for both the data subject and the controller. Besides, the specific wording of Art. 15, and the precise deadline for the provision of data under Art. 12(3) GDPR, obliges the controller to be prepared for data subject inquiries by developing procedures for handling requests.
7. The right of access should not be seen in isolation as it is closely linked with other provisions of the GDPR, in particular with data protection principles including the fairness and lawfulness of processing, the controller’s transparency obligation and with other data subject rights provided for in Chapter III of the GDPR.
8. In the framework of data subject rights, it is also important to stress the significance of Art. 12 GDPR, which lays down requirements for appropriate measures adopted by the controller both in providing the information referred to in Art. 13 and 14 GDPR and in the communications referred to in Art. 15-22 and 34 GDPR; these requirements generally specify the form, manner and time limit for the responses to the data subject, and in particular for any information addressed to the child.
9. The EDPB considers it necessary to provide more precise guidance on how the right of access has to be implemented in different situations. These guidelines aim at analysing the various aspects of the right of access. More particularly, the section hereafter is meant to give a general overview and explanation of the content of the Art. 15 itself whereas the subsequent sections provide deeper analysis of the most frequent practical questions and issues concerning the implementation of the right of access.
4 See recitals 7, 68, 75 and 85 of the GDPR
5 See Chapter VIII Articles 77, 78 and 79 of the GDPR
2 AIM OF THE RIGHT OF ACCESS, STRUCTURE OF ARTICLE 15 GDPR AND GENERAL PRINCIPLES
2.1 Aim of the right of access
10. The right of access is thus designed to enable natural persons to have control over personal data relating to them in that it allows them “to be aware of, and verify, the lawfulness of the processing”6. More specifically, the purpose of the right of access is to make it possible for the data subjects to understand how their personal data are being processed as well as the consequences of such processing, and to verify the accuracy of the data processed without having to justify their intention. In other words, the purpose of the right of access is to provide individuals with sufficient, transparent and easily accessible information about data processing, regardless of the technologies used, and to enable them to verify different aspects of a particular processing activity under the GDPR (e.g. lawfulness, accuracy).
11. The interpretation of the GDPR provided in these guidelines is based on the CJEU case law which has been rendered so far. Taking into account the importance of the right of access, related case law can be expected to evolve significantly in future.
12. In accordance with CJEU decisions7, the right of access serves the purpose of guaranteeing the protection of the data subjects’ right to privacy and data protection with regard to the processing of data relating to them 8 and may facilitate the exercise of their rights flowing from, for example, Art. 16 to 19, 21 to 22 and 82 GDPR. However, the exercise of the right of access is an individual’s right and not conditional upon the exercise of those other rights and the exercise of the other rights does not depend on the exercise of the right of access.
13. Given the broad aim of the right of access, that aim is not suitable to be analysed by the controller as a precondition for the exercise of the right of access as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller.9 Regarding limits and restrictions of the right of access, please see section 6.
6 Recital 63 GDPR.
7 CJEU, C-434/16, Nowak, and joined cases C-141/12 and C-372/12, YS and Others.
8 CJEU, C-434/16, Nowak, para. 56.
9 Questions related to this topic are at issue in a case currently pending before the CJEU (C-307/22).
14. Although the aim of the right of access is broad, the CJEU has also illustrated the limits of the remit of data protection law and the right of access. For instance, the CJEU found that the objective of the right of access guaranteed by EU data protection law is to be distinguished from that of the right of access to public documents established by EU and national legislation, the latter aiming at “the greatest possible transparency of the decision-making process of the public authorities and to promote good administrative practices”11, an objective not sought by data protection law. The CJEU concluded that the right of access to personal data applies irrespective of whether a different kind of right of access with a different aim applies, such as in the context of an examination procedure.
2.2 Structure of Article 15 GDPR
15. In order to reply to a request for access and to ensure that none of its aspects might be disregarded, it is necessary first to understand the structure of Art. 15 and the constituent components of the right of access stipulated in this Article.
16. Art. 15 can be broken down into eight different elements, listed in the table below together with the provision each derives from:
1. Confirmation as to whether or not the controller is processing personal data concerning the requesting person (Art. 15(1), first half of the sentence)
2. Access to the personal data concerning the requesting person (Art. 15(1), second half of the sentence, first part)
3. Access to the following information on the processing (Art. 15(1), second half of the sentence, second part):
(a) the purposes of the processing;
(b) the categories of personal data;
(c) the recipients or categories of recipients;
(d) the envisaged duration of the processing or the criteria for determining the duration;
(e) the existence of the rights to rectification, erasure, restriction of processing and objection to processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) any available information on the source of the data, if not collected from the data subject;
(h) the existence of automated decision-making, including profiling, and other information relating thereto.
4. Information on safeguards pursuant to Art. 46 where the personal data are transferred to a third country or to an international organisation (Art. 15(2))
5. The obligation of the controller to provide a copy of the personal data undergoing processing (Art. 15(3), first sentence)
6. Charging of a reasonable fee by the controller, based on administrative costs, for any further copies requested by the data subject (Art. 15(3), second sentence)
7. Provision of information in electronic form (Art. 15(3), third sentence)
8. Taking into account the rights and freedoms of others (Art. 15(4))
10 EDPB Guidelines 10/2020 on restrictions under article 23 GDPR, version for public consultation, 18 December 2020.
11 CJEU, Joined cases C-141/12 and C-372/12, YS and Others, para. 47.
While all elements of Art. 15(1) and (2) together define the content of the right of access, Art.15(3) deals with the modalities of access, in addition to the general requirements set out in Art. 12 GDPR. Art. 15(4) supplements the limits and restrictions that Art. 12(5) GDPR provides for all data subjects’ rights with a specific focus on rights and freedoms of others in the context of access.
2.2.1 Defining the content of the right of access
17. Art. 15(1) and (2) contain the following three aspects: first, confirmation whether personal data of the requesting person are being processed; if so, second, access to those data; and, third, information on the processing. These can be regarded as three different components which together make up the right of access.
2.2.1.1 Confirmation as to ‘whether’ or not personal data are being processed
18. When making a request for access to personal data, the first thing that the data subjects need to know is whether or not the controller processes data concerning them. Consequently, this information constitutes the first component of the right of access under Art. 15(1). Where the controller does not process personal data relating to the data subject requesting the access, the information to be provided would be limited to confirming that no personal data relating to the data subject are being processed. Where the controller does process data relating to the requesting person, the controller must confirm this fact to this person. This confirmation may be communicated separately, or it may be encompassed as part of the information on the personal data being processed (see below).
2.2.1.2 Access to the personal data being processed
19. Access to personal data is the second component of the right of access under Art. 15(1) and it constitutes the core of this right. It relates to the notion of personal data as defined by Art. 4(1) GDPR. Aside from basic personal data like name and address, an unlimited variety of data may fall within this definition, provided that they fall under the material scope of the GDPR, notably with regard to the way in which they are processed (Art. 2 GDPR). Access to personal data hereby means access to the actual personal data themselves, not only a general description of the data nor a mere reference to the categories of personal data processed by the controller. If no limits or restrictions apply12, data subjects are entitled to have access to all data processed relating to them, or to parts of the data, depending on the scope of the request (see sec. 2.3.1). The obligation to provide access to the data does not depend on the type or source of those data. It applies to its full extent even in cases where the requesting person had initially provided the controller with the data, because its aim is to let the data subject know about the actual processing of those data by the controller. The scope of personal data under Art. 15 is explained in detail in sec. 4.1 and 4.2.
12 See section 6 of these Guidelines.
2.2.1.3 Information on the processing and on data subject rights
20. The third component of the right of access is the information on the processing and on data subjects’ rights that the controller has to provide under Art. 15(1)(a) to (h) and 15(2). Such information could be based on text taken, for example, from the privacy notice of the controller13 or from the controller’s record of processing activities referred to in Art. 30 GDPR, but may have to be updated and tailored to the data subject’s request. The content and degree of specification of the information is further elaborated in section 4.3.
2.2.2 Provisions on Modalities
21. Art. 15(3) supplements the requirements for the modalities of the reply to access requests laid down in Art. 12 GDPR with some specifications particular to access requests.
2.2.2.1 Providing a copy
22. Under the first sentence of Art. 15(3) GDPR, the controller shall provide a free copy of the personal data undergoing processing. The copy therefore refers only to the second component of the right of access (“access to the personal data processed”, see above). The controller must ensure that the first copy is free of charge, even where it considers the cost of reproduction to be high (for example, the cost of providing a copy of the recording of a telephone conversation).
23. The obligation to provide a copy is not to be understood as an additional right of the data subject, but as a modality of providing access to the data. It strengthens the right of access to the data14 and helps to interpret this right because it makes clear that access to the data under Art. 15(1) comprises complete information on all data and cannot be understood as granting only a summary of the data. At the same time, the obligation to provide a copy is not designed to widen the scope of the right of access: it refers (only) to a copy of the personal data undergoing processing, not necessarily to a reproduction of the original documents (see section 5, para. 152). More generally speaking, there is no additional information to be given to the data subject upon providing a copy: the scope of the information to be contained in the copy is the scope of the access to the data under Art. 15(1) (second component of the right of access as referred to above, see para. 19), which includes all information necessary to enable the data subject to understand and verify the lawfulness of the processing.15
24. In light of the above, if access to the data in the sense of Art. 15(1) is given by providing a copy, the obligation to provide a copy under Art. 15(3) is complied with. The obligation to provide a copy serves the objectives of the right of access, namely to allow the data subject to be aware of, and verify, the lawfulness of the processing (Recital 63). To achieve these objectives, the data subject will in most cases need to see the information not only temporarily. Therefore, the data subject will need to get access to the information by receiving a copy of the personal data.
13 See for information on this Art. 29 Working Party, WP260 rev.01, 11 April 2018, Guidelines on transparency under Regulation 2016/679 – endorsed by the EDPB (hereinafter “WP29 Guidelines on transparency – endorsed by the EDPB”).
14 The obligation to provide a copy was not mentioned in the Data Protection Directive 95/46/EC.
15 Questions related to the topic of this paragraph are at issue in a case currently pending before the CJEU (C-487/21).
25. In view of the above, the notion of a copy has to be interpreted in a broad sense and includes the different kinds of access to personal data, as long as the access is complete (i.e. it includes all personal data requested) and it is possible for the data subject to keep it. Thus, the requirement to provide a copy means that the information on the personal data concerning the person who makes the request is provided to the data subject in a way which allows the data subject to retain all of the information and to come back to it.
26. In spite of this broad understanding of a copy, and although it is the main modality by which access should be provided, under some circumstances other modalities could be appropriate. Further explanations on copies and other modalities of providing access are given in section 5, in particular 5.2.2 to 5.2.5.
2.2.2.2 Providing further copies
27. Art. 15(3), second sentence, concerns situations where the data subject asks the controller for more than one copy, for example because the first copy was lost or damaged, or because the data subject wants to pass on a copy to another person or to a Supervisory Authority. On the basis that further copies must be provided by the controller upon request of the data subject, Art. 15(3) provides that for any further copy requested, the controller may charge a reasonable fee based on administrative costs (Art. 15(3), second sentence).
28. If the data subject asks for an additional copy after the first request was made, questions may arise as to whether this should be regarded as a new request, or whether the data subject wants an additional copy of the data in the sense of Art. 15(3), second sentence, in which case a fee for the additional copy may be charged. The answer depends solely on the content of the request: the request should be interpreted as asking for an additional copy insofar as, in terms of time and scope, it concerns the same processing of personal data as the former request. If, however, the data subject aims to get information on the data processed at a different point in time, or relating to a different set of data from the one initially requested, the right to obtain a free copy according to Art. 15(3) applies once again. This is also valid in cases where the data subject has made a first request shortly beforehand. A data subject may exercise their right of access through a subsequent request and obtain a free copy, unless the request is regarded as excessive under Art. 12(5), with the possibility of charging a reasonable fee in accordance with Art. 12(5)(a) (on the excessive character of repetitive requests, see section 6).
29. If the data subject repeats a first request for access on the grounds that the answer received was not complete or that no reasons had been given for the refusal, this request is not to be regarded as a new request, since it is merely a reminder of a first unsatisfied request.
30. Concerning the allocation of costs in cases of requests for an additional copy, Art. 15(3) establishes that the controller may charge a reasonable fee based on the administrative costs caused by the request. This means that the administrative costs are a relevant criterion for fixing the level of the fee. At the same time, the fee should be appropriate, taking into account the importance of the right of access as a fundamental right of the data subject. The controller should not pass on overhead costs or other general expenses to the data subject, but should focus on the specific costs that were caused by providing the additional copy. When organising this process the controller should deploy its human and material resources efficiently in order to keep the costs of the copy low, including where the controller involves external support.
31. If the controller decides to charge a fee, it should indicate in advance that a fee will be charged and, as accurately as possible, the amount it is planning to charge, in order to give the data subject the possibility to decide whether to maintain or to withdraw the request.
2.2.2.3 Making the information available in a commonly used electronic form
32. Where a request is made by electronic means, the information shall be provided by electronic means where possible and unless otherwise requested by the data subject (see Art. 12(3) GDPR). Art. 15(3), third sentence, complements this requirement in the context of access requests by stating that the controller is in addition obliged to provide the answer in a commonly used electronic form, unless otherwise requested by the data subject. Art. 15(3) presupposes that controllers who are able to receive electronic requests will be able to provide the reply in a commonly used electronic form (for details see sec. 5.2.5). This provision refers to all the information that needs to be provided in accordance with Art. 15(1) and (2). Therefore, if the data subject submits the request for access by electronic means, all information must be provided in a commonly used electronic form. Questions of format are further developed in section 5. The controller should, as always, deploy appropriate security measures, in particular when dealing with special categories of personal data (see below, under 2.3.4).
2.2.3 Possible limitation of the right of access
33. Finally, in the context of the right of access, a specific limitation is foreseen in Art. 15(4). It states that possible adverse effects on the rights and freedoms of others have to be considered. Questions as to the scope and the consequences of this limitation, as well as the additional limits and restrictions set forth in Art. 12(5) GDPR or under Art. 23 GDPR, are explained in section 6.
2.3 General principles of the right of access
34. When data subjects make a request for access to their data, in principle, the information referred to in Art. 15 GDPR must always be provided in full. Accordingly, where the controller processes data relating to the data subject, the controller shall provide all the information referred to in Art. 15(1) and, where applicable, the information referred to in Art. 15(2). The controller has to take appropriate measures to ensure that the information is complete, correct and up-to-date, corresponding as closely as possible to the state of the data processing at the time of receiving the request16. Where two or more controllers process data jointly, the arrangement between the joint controllers regarding their respective responsibilities for the exercise of data subjects’ rights, especially concerning the answer to access requests, does not affect the rights of data subjects towards the controller to whom they address their request17.
2.3.1 Completeness of the information
35. Data subjects have the right to obtain, with the exceptions mentioned below, full disclosure of all data relating to them (for details on the scope, see section 4.2). Unless explicitly requested otherwise by the data subject, a request to exercise the right of access shall be understood in general terms, encompassing all personal data concerning the data subject18. Limiting access to part of the information may be considered in the following cases:
a) The data subject has explicitly limited the request to a subset. In order to avoid providing incomplete information, the controller may consider this limitation of the data subject’s request only if it can be certain that this interpretation corresponds to the wish of the data subject (for further details, see section 3.1.1, para. 51). In principle, the data subject shall not have to repeat the request for the transmission of all the data the data subject is entitled to obtain.
b) In situations where the controller processes a large quantity of data concerning the data subject, the controller may have doubts whether a request for access that is expressed in very general terms really aims at receiving information on all kinds of data being processed, or on all branches of activity of the controller, in detail. Such doubts may arise in particular where there was no possibility to provide the data subject with tools to specify the request from the beginning, or where the data subject did not make use of them. The controller then faces the problem of how to give a full answer while avoiding an overflow of information that the data subject is not interested in and cannot effectively handle. There may be ways to solve this problem, depending on the circumstances and the technical possibilities, for example by providing self-service tools in online contexts (see section 5 on the layered approach). If such solutions are not applicable, a controller who processes a large quantity of information relating to the data subject may request the data subject to specify the information or processing to which the request relates before the information is delivered (see Recital 63 GDPR). Examples of this may include a company with several fields of activity or a public authority with different administrative units, if the controller finds that numerous data relating to the data subject are processed in those branches. In addition, a large quantity of data may be processed by controllers who collect data regarding frequent activities of the data subject over a prolonged period.
If, in such cases, the controller decides to ask the data subject to specify the request, then in order to fulfil its obligation to facilitate the exercise of the right of access (Art. 12(2) GDPR) the controller shall at the same time give meaningful information about its processing operations that could concern the data subject, by informing them about the relevant branches of its activities, databases etc.
It is important to underline that the request for specification shall not aim at limiting the reply to the access request and shall not be used to hide any information on the data or the processing concerning the data subject. If the data subject, having been asked to specify the scope of the request, confirms that they seek all personal data concerning them, the controller of course has to provide them in full.
In any case, the controller should always be able to demonstrate that the way it handles the request aims to give the broadest effect to the right of access and is in line with its obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR). Subject to these principles, the controller may await the answer of the data subject before providing additional data according to the data subject’s wishes, if the controller has provided the data subject with a clear overview of all processing operations that could concern the data subject, including especially those that the data subject might not have expected, if the controller has also given access to all data that the data subject clearly aimed for, and if, furthermore, this information has been combined with a clear indication of how to get access to the remaining parts of the processed data.
c) Exceptions or restrictions to the right of access apply (see below in section 6). In such cases, the controller should carefully check to which parts of the information the exception relates and provide all information that is not excluded by it. For example, confirmation of the processing of personal data itself (component 1) may not be affected by the exception. As a result, information has to be provided about all the personal data and all the information referred to in Art. 15(1) and (2) that are not concerned by the exception or the restriction.
16 For guidance on appropriate measures see sec. 5, paras. 123 to 129.
17 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 162 f. Processors have to assist the controller, ibid., para. 129.
18 For details please see section 5.2.3 below on the topic of the layered approach.
2.3.2 Correctness of the information
36. The information included in the copy of the personal data given to the data subject has to comprise the actual information or personal data held about the data subject. This includes the obligation to give information about data that are inaccurate, or about data processing which is not, or is no longer, lawful. The data subject may for example use the right of access to find out about the source of inaccurate data being circulated between different controllers. If the controller corrected the inaccurate data before informing the data subject about them, the data subject would be deprived of this possibility. The same applies in the case of unlawful processing. The possibility to know about unlawful processing concerning the data subject is one of the main purposes of the right of access. The obligation to inform about the unchanged state of the processing is without prejudice to the obligation of the controller to end unlawful processing or to correct inaccurate data. Questions about the order in which those obligations should be fulfilled are answered in section 2.3.3 below.
2.3.3 Time reference point of the assessment
37. The assessment of the data being processed shall reflect as closely as possible the situation when the controller receives the request, and the response should cover all data available at that point in time. This means that the controller has to try to find out about all the data processing activities relating to the data subject without undue delay. Controllers are thus not required to provide personal data which they processed in the past but which they no longer have at their disposal19. For instance, the controller may have deleted personal data in accordance with its data retention policy and/or statutory provisions and may thus no longer be able to provide the requested personal data. In this context, it should be recalled that the length of time for which the data are stored should be fixed in accordance with Art. 5(1)(e) GDPR, as any retention of data must be objectively justifiable.
38. At the same time, the controller shall implement in advance the necessary measures to facilitate the exercise of the right of access and to deal with such requests as soon as possible (see Art. 12(3)) and before the data will have to be deleted. Therefore, in the case of short retention periods, the measures taken to answer the request should be adapted to the retention period in order to facilitate the exercise of the right of access and to avoid the permanent impossibility of providing access to the data processed at the moment of the request20. In some cases it may nevertheless not be possible to reply to a request before the time the data are scheduled for deletion. For example, if in the course of replying to a request as promptly as possible a controller retrieves personal data that were scheduled to be deleted the following day, the controller may need some additional time to consider whether redactions need to be made to protect the freedoms of others before releasing a copy of the personal data to the requester. If the data have been retrieved within the scheduled retention period, the controller may continue to process those data for the purpose of fulfilling its obligation to answer the request. Processing in such cases may be based on Art. 6(1)(c) in combination with Art. 15 GDPR, and its duration has to comply with the requirements of Art. 12(3) GDPR21. The application of this legal basis is limited to the processing of the data identified as necessary for answering the concrete request and is not to be used as a justification for general extensions of retention periods.
19 See, to that effect, further clarifications in section 4 of these guidelines, as well as in Court of Justice of the European Union, C-553/07, 7 May 2009, College van burgemeester en wethouders van Rotterdam v M. E. E. Rijkeboer, on a right of access to information on the recipients or categories of recipients in respect of the past.
20 For example, the implementation of a self-service tool enabling the data subject to easily access the requested personal data, and a notification system alerting the controller about a request that relates to personal data with short retention periods, could be considered in order to facilitate prompt action.
39. Furthermore, the controller shall not deliberately escape the obligation to provide the requested personal data by erasing or modifying personal data in response to a request for access (see 2.3.2). If, in the course of processing the access request, the controller discovers inaccurate data or unlawful processing, the controller has to assess the state of the processing and inform the data subject accordingly before complying with its other obligations. In its own interest, to avoid the need for further communication on this, as well as to comply with the transparency principle, the controller should add information about the subsequent rectifications or deletions.
In order to comply with the principle of transparency, controllers should inform the data subject of the specific point in time of the processing to which the controller’s response refers. In some cases, for example in contexts of frequent communication activities, additional processing or modifications of the data may occur between this time reference point, at which the processing was assessed, and the response of the controller. If the controller is aware of such changes, it is recommended to include information about those changes, as well as about any additional processing necessary to reply to the request.
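The sequence described in paras. 37 to 39 (capture the state at receipt, keep data past its deletion date only as far as the concrete request needs it, then report the reference date and what changed afterwards) is easier to see as code. The following is an added example, not part of these Guidelines: the record store, the retention job, the request id and the sample records are constructed for illustration, and the one-month reply deadline of Art. 12(3) is not modelled.

```python
"""Access request against data with short retention periods.

Added example, not part of the EDPB Guidelines. The store, retention job,
request ids and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Record:
    subject_id: str
    category: str
    value: str
    delete_on: date                 # deadline fixed by the retention policy
    held_by: Optional[str] = None   # id of the access request that froze this record


class Store:
    """Hypothetical record store with a scheduled retention job."""

    def __init__(self, records):
        self.records = list(records)
        self.log = []   # (date, event, record): what changed, and when

    def retrieve(self, subject_id):
        return [r for r in self.records if r.subject_id == subject_id]

    def add(self, record, today):
        self.records.append(record)
        self.log.append((today, "added", record))

    def run_retention(self, today):
        """Delete expired records, except those frozen for a pending request.

        The hold is the only exception: it is not a general extension of the
        retention period, and it is lifted as soon as the request is answered.
        """
        survivors = []
        for r in self.records:
            if r.delete_on <= today and r.held_by is None:
                self.log.append((today, "deleted", r))
            else:
                survivors.append(r)
        self.records = survivors


class AccessRequest:
    def __init__(self, request_id, subject_id, received_on, store):
        self.id = request_id
        self.subject_id = subject_id
        self.received_on = received_on      # time reference point of the reply
        self.store = store
        # Capture the state at receipt and freeze only the records this
        # request needs, so a retention run cannot erase them before the reply.
        self._held = store.retrieve(subject_id)
        self.copy = [{"category": r.category, "value": r.value} for r in self._held]
        for r in self._held:
            r.held_by = request_id

    def reply(self, sent_on):
        """Assemble the reply, then release the hold so retention resumes."""
        changes = [
            f"{r.category}: {event} on {when.isoformat()}"
            for when, event, r in self.store.log
            if r.subject_id == self.subject_id and self.received_on <= when <= sent_on
        ]
        for r in self._held:
            r.held_by = None
        self.store.run_retention(sent_on)   # frozen records past their deadline go now
        return {
            "reference_date": self.received_on.isoformat(),
            "data": self.copy,
            "changes_since": changes,
        }


def demo():
    """Constructed walk-through: a chat transcript due for deletion the day after receipt."""
    store = Store([
        Record("alice", "support chat", "transcript #17", delete_on=date(2024, 3, 2)),
        Record("alice", "account", "alice@example.com", delete_on=date(2030, 1, 1)),
        Record("bob", "support chat", "transcript #18", delete_on=date(2024, 3, 2)),
    ])
    req = AccessRequest("DSAR-1", "alice", date(2024, 3, 1), store)
    store.add(Record("alice", "support chat", "transcript #21", delete_on=date(2024, 4, 15)),
              date(2024, 3, 3))
    store.run_retention(date(2024, 3, 5))   # bob's transcript goes; alice's is frozen
    return store, req.reply(sent_on=date(2024, 3, 10))


if __name__ == "__main__":
    store, reply = demo()
    print(reply)
    print([r.value for r in store.records])
```

Three points carry the weight: the copy is taken at receipt, so later edits or deletions cannot change what the data subject gets; the hold is attached to the individual records a specific request needs and is released in the same call that builds the reply; and the reply states its reference date together with the additions made after it, which is what para. 39 asks the controller to disclose.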
2.3.4 Compliance with data security requirements
40. Since communicating and making available personal data to the data subject is a processing operation, the controller is always obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing (see Art. 5(1)(f), 24 and 32 GDPR). This applies independently of the modality in which access is provided. In the case of non-electronic transmission of the data to the data subject, depending on the risks presented by the processing, the controller may consider using registered mail or, alternatively, offering (but not obliging) the data subject to collect the file against signature directly from one of the controller’s establishments. If, in line with Art. 12(1) and (3), information is provided by electronic means, the controller shall choose electronic means that comply with data security requirements. Likewise, when providing a copy of the data in a commonly used electronic form (see Art. 15(3)), the controller shall take into account data security requirements when choosing the means of transmitting the electronic file to the data subject. This may include applying encryption, password protection etc. In order to facilitate access to the encrypted data, the controller should also ensure that appropriate information is made available so that the data subject can access the decrypted information (for instance the password or key, which should not be sent over the same channel as the encrypted file). In cases where data security requirements would necessitate end-to-end encryption of electronic mails but the controller would only be able to send a normal e-mail, the controller will have to use other means, such as sending a USB stick by (registered) letter post to the data subject.
21 This is without prejudice to subsequent processing of data for evidence purposes in connection with the handling of the access request for an appropriate period of time.
3 GENERAL CONSIDERATIONS REGARDING THE ASSESSMENT OF ACCESS REQUESTS
3.1 Introduction
41. When receiving requests for access to personal data, the controller must assess each request individually. The controller shall take into consideration, inter alia, the following issues, further developed in the following paragraphs: whether the request concerns personal data linked to the requesting person and who the requesting person is. This section aims to clarify what elements of the request for access the controller should take into account when carrying out its assessment and to discuss possible scenarios for such an assessment as well as its consequences. The controller, when assessing a request for access to personal data, shall also take into account, pursuant to Art. 12(2) GDPR, the obligation to facilitate the exercise of the data subject rights, while keeping in mind the appropriate security of the personal data22.
42. Therefore, controllers should be proactively prepared to handle requests for access to personal data. This means that the controller should be prepared to receive the request, assess it properly (this assessment is the subject of this section of the guidelines) and provide an appropriate reply without undue delay to the requesting person. The way controllers prepare themselves for the handling of access requests should be adequate and proportionate and depend on the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, in accordance with Art. 24 GDPR. Depending on the particular circumstances, controllers may, for example, be required to implement an appropriate procedure, the implementation of which should guarantee the security of the data without hindering the exercise of the data subject’s rights.
3.1.1 Analysis of the content of the request
43. This issue can be more specifically assessed by asking the following questions.
a) Does the request concern personal data?
44. Under the GDPR, the scope of the request shall only cover personal data23. Therefore, any request for information about other issues, including general information about the controller, its business models or its processing activities not related to personal data, is not to be considered as a request made pursuant to Art. 15 GDPR. Additionally, a request for information about anonymous data, or about data that does not concern the requesting person or the person on whose behalf the authorised person made the request, will not be within the scope of the right of access. This question will be analysed in more detail in section 4.
22 The controller shall ensure appropriate security of the personal data, in accordance with the integrity and confidentiality principle (Art. 5(1)(f) GDPR), by implementing appropriate technical and organisational measures, as referred to in Art. 32 GDPR and elaborated in Art. 24 GDPR. The controller shall be able to demonstrate that it ensures an adequate level of data protection, in line with the accountability principle (see also: Art. 29 Working Party Opinion 3/2010 on the principle of accountability adopted on 13 July 2010, 00062/10/EN WP 173 and EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR).
23 Unless the request also covers non-personal data inextricably linked to the personal data of the data subject. For further explanations see para. 100.
45. Unlike anonymous data (which are not personal data), pseudonymised data, which could be attributed to a natural person by the use of additional information, are personal data24. Thus, pseudonymised data that can be linked to a data subject – e.g. when the data subject provides the respective identifier allowing their identification, or when the controller is able to connect the data to the requesting person by its own means – are to be considered within the scope of the request25.
b) Does the request relate to the requesting person (or the person on whose behalf the authorised person makes the request)?
46. As a general rule, a request may only concern the data of the person making the request. Access to other people’s data can only be requested subject to appropriate authorisation26.
c) Do provisions, other than the GDPR, regulating access to a certain category of data apply?
47. Data subjects are not required to specify the legal basis in their request. However, if the data subjects clarify that their request is based on sectoral legislation or on national legislation regulating the specific issue of access to certain categories of data, and not on the GDPR, such a request shall be examined by the controller in accordance with such sectoral or national rules, where applicable. Often, depending on the relevant national legislation, controllers may be required to provide separate replies, each dealing with the specific requirements set out by the different legislative acts. This is not to be confused with national or EU legislation setting out restrictions on the right of access which needs to be complied with when answering access requests.
48. If the controller has doubts as to which right the data subject wishes to exercise, it is recommended to ask the data subject making the request to explain the subject matter of the request. Such correspondence with the data subject shall not affect the duty of the controller to act without undue delay27. However, in case of doubts, if the controller asks the data subject for further explanation and receives no response, bearing in mind the obligation to facilitate the exercise of the person’s right of access, the controller should interpret the information contained in the first request and act on this basis. In accordance with the accountability principle, the controller may determine an appropriate timeframe during which the data subject may provide further explanation. When fixing such a timeframe, the controller should leave enough time to comply with the request after it has elapsed and therefore consider how much time is objectively necessary to compile and provide the requested data once the specification has been provided (or not) by the data subject.
24 See Recital 26 GDPR. Further explanations on the concepts of anonymous data and pseudonymised data can be found in WP29 Opinion 4/2007 on the concept of personal data, p. 18-21.
25 Art. 29 Working Party, WP242 rev.01, 5 April 2017, Guidelines on the right to data portability – endorsed by the EDPB (hereinafter “WP29 Guidelines on the right to data portability – endorsed by the EDPB”), p. 9.
26 See section 3.4 (“Requests made via third parties/proxies”).
27 See further guidance on the timing in section 5.3.
49. If the request is in the scope of the GDPR, the existence of such specific legislation does not override the general application of the right of access, as provided by the GDPR. There might be restrictions set out by EU or national law, when allowed by Art. 23 GDPR (see section 6.4).
d) Does the request fall within the scope of Article 15?
50. It should be noted that the GDPR does not introduce any formal requirements for persons requesting access to data. In order to make the access request, it is sufficient for the requesting persons to specify that they want to know what personal data concerning them the controller processes. Therefore, the controller cannot refuse to provide the data by referring to the lack of indication of the legal basis of the request, especially to the lack of a specific reference to the right of access or to the GDPR.
For example, in order to make a request, it would be sufficient for the requesting person to indicate that:
• they wish to obtain access to the personal data concerning them;
• they are exercising their right of access; or
• they wish to know the information concerning them that the controller processes.
It should be borne in mind that applicants may not be familiar with the intricacies of the GDPR and that it is advisable to be lenient towards persons exercising their right of access, in particular when it is exercised by minors. As indicated above, in case of any doubts it is recommended for the controller to ask the data subject making the request to specify the subject matter of the request.
e) Do the data subjects want to access all or parts of the information processed about them?
51. Additionally, the controller needs to assess whether the requests made by the requesting persons refer to all or parts of the information processed about them. Any limitation of the scope of a request to a specific provision of Art. 15 GDPR, made by the data subjects, must be clear and unambiguous. For example, if the data subjects request, verbatim, “information about the data processed in relation to them”, the controller should assume that the data subjects intend to exercise their full right under Art. 15(1) – (2) GDPR. Such a request should not be interpreted as meaning that the data subjects wish to receive only the categories of personal data that are being processed and to waive their right to receive the information listed in Art. 15(1)(a) to (h). This would be different, for example, where the data subjects wish, with regard to data which they specify, to have access to the source or origin of the personal data or to the specified period of storage. In such a case the controller may limit its reply to the specific information requested.
3.1.2 Form of the request
52. As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are, in principle, no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller.
53. The EDPB encourages controllers to provide the most appropriate and user-friendly communication channels, in line with Art. 12(2) and Art. 25 GDPR, to enable the data subject to make an effective request. Nevertheless, if a data subject makes a request using a communication channel provided by the controller28, which is different from the one indicated as the preferred one, such a request shall, in general, be considered effective and the controller should handle it accordingly (see the examples below). Controllers should undertake all reasonable efforts to make sure that the exercise of data subject rights is facilitated (for example, when a data subject sends an access request to an employee who is on leave, an automatic message informing the data subject about an alternative communication channel for this request could be a reasonable effort).
54. It should be noted that the controller is not obliged to act on a request sent to a random or incorrect e-mail (or postal) address not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subjects’ rights, if the controller has provided an appropriate communication channel that can be used by the data subject.
55. The controller is also not obliged to act on a request sent to the e-mail address of a controller’s employee who may not be involved in the processing of requests concerning data subjects’ rights (e.g. drivers, cleaning staff, etc.). Such requests shall not be considered effective if the controller has clearly provided the data subject with an appropriate communication channel. However, if the data subject sends a request to the controller’s employee who has been assigned to them as their regular contact person (such as, e.g., a personal account manager at a bank or a regular consultant at a mobile phone operator), such contact should not be considered a random one and the controller should make all reasonable efforts to handle such a request so that it can be redirected to the contact point and answered within the time limits provided for by the GDPR.
56. Nevertheless, the EDPB recommends, as good practice, that controllers introduce appropriate mechanisms to facilitate the exercise of data subjects’ rights, including autoresponder systems to inform of staff absences and an appropriate alternative contact and, where possible, mechanisms to improve internal communication between employees on requests received by those who may not be competent to deal with such requests.
28 This may include, for example, communication data of the controller provided in its communications addressed directly to data subjects or contact data provided by the controller publicly, such as in the controller’s privacy policy or other mandatory legal notices of the controller (e.g. owner or business contact information on a website).
57. The date of receipt of the request by the controller triggers, as a rule, the one-month period for the controller to provide information on action taken on a request, in accordance with Art. 12(3) GDPR (further guidance on timing is provided in section 5.3). The EDPB considers it good practice for controllers to confirm receipt of requests in writing, for example by sending e-mails (or information by post, if applicable) to the requesting persons confirming that their requests have been received and that the one-month period runs from day X to day Y.
3.2 Identification and authentication
58. In order to ensure the security of processing and minimise the risk of unauthorised disclosure of personal data, the controller must be able to find out which data refer to the data subject (identification) and confirm the identity of that person (authentication).
59. It may be recalled that in situations in which the purpose for which the personal data are processed does not or no longer requires the identification of a data subject, the controller does not need to maintain identification for the sole purpose of complying with data subjects’ rights, also in light of the principle of data minimisation. These situations are dealt with in Art. 11(1) GDPR.
60. Art. 12(2) GDPR states that the controller shall not refuse to act on the request of the data subject to exercise his or her rights, unless the controller processes personal data for a purpose that does not require the identification of the data subject and it demonstrates that it is not in a position to identify the data subject. In such circumstances, the data subject may, however, decide to provide additional information enabling this identification (Art. 11(2) GDPR)29.
61. The controller is not obliged to acquire such additional information in order to identify the data subject for the sole purpose of complying with the data subject’s request, also in light of the principle of data minimisation. However, it should not refuse to take such additional information provided by the data subject in order to support the exercise of his or her rights (Recital 57 GDPR).
29 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 13.
62. In case of demonstrated impossibility to identify the data subject (Art. 11 GDPR), the controller needs to inform the data subject accordingly, if possible, since the controller shall respond to requests from the data subject without undue delay and give reasons where it does not intend to comply with such requests. This information needs to be provided only “if possible”, as the controller may not be in a position to inform the data subjects if their identification is impossible.
63. Both where the processing does not require identification and where it requires it, if the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject (Art. 12(6) GDPR).
64. The GDPR does not impose any requirements on how to authenticate the data subject. However, Art. 11 and 12 GDPR indicate the conditions for the exercise of all the data subject rights, including the right of access to personal data.
65. It should be remembered that, as a rule, the controller cannot request more personal data than is necessary to enable this authentication, and that the use of such information should be strictly limited to fulfilling the data subjects’ request.
66. Authentication procedures often already exist between the data subjects and the controllers. The controllers may use these authentication procedures in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR30. Otherwise, controllers should implement an authentication procedure to do so31.
67. In cases where the controller requests or is provided by the data subject with additional information necessary to confirm the identity of the data subject, the controller shall, each time, assess what information will allow it to confirm the data subject’s identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3).
68. In order to allow the data subject to provide the additional information required to identify his or her data, the controller should inform the data subject of the nature of the additional information required to allow identification. Such additional information should not be more than the information initially needed for the authentication of the data subject. In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested32.
69. As a consequence, where information collected online is linked to pseudonyms or other unique identifiers, the controller can implement appropriate procedures enabling the requesting person to make a data access request and receive the data relating to them33.
3.3 Proportionality assessment regarding authentication of the requesting person
70. As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject’s identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, the controller should avoid excessive data collection while ensuring an adequate level of security of processing.
71. The controller should implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data34, and ensure security of the processing throughout the process of handling access requests in accordance with Art. 32 GDPR, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at authenticating the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).
30 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 14.
31 See further guidance regarding authentication in section 3.3.
32 Ibid, p. 14.
33 Ibid, p. 13-14.
34 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 14.
72. In an online context, the authentication mechanism may include the same credentials used by the data subject to log in to the online service offered by the controller (Recital 57 GDPR)35.
73. In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to require logging in with the user’s login and password, which in such cases should be sufficient to authenticate a data subject36. Furthermore, the data subjects are often already authenticated by the controller before entering into a contract or collecting their consent to the processing and, as a result, the personal data used to register the individual concerned by the processing can also be used as evidence to authenticate the data subject for access purposes37. Consequently, it is disproportionate to require a copy of an identity document where the data subject making a request is already authenticated by the controller.
74. It should be emphasised that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorised or unlawful processing, and, as such, it should be considered inappropriate, unless it is necessary, suitable, and in line with national law. In such cases, the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks to the rights and freedoms of the data subject that receiving such data entails. It is also important to note that authentication by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching the user account.
75. Taking into account that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID cards, this should generally not be considered an appropriate means of authentication. Alternatively, the controller may implement a quick and effective security measure to identify a data subject based on the authentication it has previously carried out, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes38.
76. Information on the ID that is not necessary for confirming the identity of the data subject, such as the access and serial number, nationality, size, eye colour, photo and machine-readable zone, depending on a case-by-case assessment, may be redacted or hidden by the data subject before submitting it to the controller, except where national legislation requires a full unredacted copy of the identity card (see para. 78 below). Generally, the date of issue or expiry date, the issuing authority and the full name matching with the online account are sufficient for the controller to verify the identity, always provided that the authenticity of the copy and the relation to the applicant are ensured. Additional information such as the birth date of the data subject may only be required in case the risk of mistaken identity persists, if the controller is able to compare it with the information it already processes.
35 See further guidance regarding authentication methods in the EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification, adopted on 14 January 2021, p. 30-31, and in the EDPB Guidelines 02/2021 on virtual voice assistants, Version 2.0, adopted on 7 July 2021, section 3.7.
36 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 14.
37 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 14.
38 See also Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, which has put forth different services that allow secure remote identification.
77. To follow the principle of data minimisation the controller should inform the data subject about the information that is not needed and about the possibility to redact or hide those parts of the ID document. In such a case, if the data subject does not know how or is not able to redact such information, it is good practice for the controller to redact it upon receipt of the document, if this is possible for the controller, taking into account the means available to the controller in the given circumstances.
78. Without prejudice to the above general principles, under certain circumstances, authentication on the basis of an ID may be a justified and proportionate measure, in particular for entities processing special categories of personal data or undertaking data processing which may pose a risk for data subjects (e.g. medical or health information). However, at the same time, it should be borne in mind that certain national provisions provide for restrictions on the processing of data contained in public documents, including documents confirming the identity of a person (also on the basis of Art. 87 GDPR). Restrictions on the processing of data from these documents may relate in particular to the scanning or photocopying of ID cards or the processing of official personal identification numbers39.
79. Taking the above into account, where an ID is requested (and this is both in line with national law and justified and proportionate under the GDPR), the controller must implement safeguards to prevent unlawful processing of the ID. Notwithstanding any applicable national provisions regarding ID authentication, this may include refraining from making a copy or deleting a copy of an ID immediately after the successful authentication of the identity of the data subject. This is because further storage of a copy of an ID is likely to amount to an infringement of the principles of purpose limitation and storage limitation (Art. 5(1)(b) and (e) GDPR) and, in addition, of national legislation regarding the processing of the national identification number (Art. 87 GDPR). The EDPB recommends, as good practice, that the controller, after checking the ID card, makes a note, e.g. “ID card was checked”, to avoid unnecessary copying or storage of copies of ID cards.
39 Several member states introduced such restrictions in their national provisions in this regard, stating, for example, that making copies of ID cards is lawful only if it results directly from the provisions of a legal act.
3.4 Requests made via third parties / proxies
80. Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. This may apply to, among others, acting through a proxy or legal guardians on behalf of minors, as well as acting through other entities via online portals. In some circumstances, the identity of the person authorised to exercise the right of access as well as authorisation to act on behalf of the data subject may require verification, where it is suitable and proportionate (see section 3.3 above)40. It should be recalled that making personal data available to someone who is not entitled to access it can amount to a personal data breach41.
81. In doing so, national laws governing legal representation (e.g. powers of attorney), which may impose specific requirements for demonstrating authorisation to make a request on behalf of the data subject, should be taken into account, since the GDPR does not regulate this issue. In accordance with the principle of accountability, as well as the other data protection principles, controllers shall be able to demonstrate the existence of the relevant authorisation to make a request on behalf of the data subject and to receive the requested information, except if national law differs (e.g. national law contains specific rules regarding the trustworthiness of lawyers), leaving the controller to verify the identity of the proxy (e.g. in the case of lawyers, checking enrolment at the bar). Therefore, it is recommended to collect appropriate documentation in this respect, in relation to the previously indicated general rules regarding confirmation of the identity of a natural person making a request, and, if the controller has reasonable doubts concerning the identity of a person acting on behalf of the data subject, it shall request additional information to confirm the identity of this person.
82. While the exercise of the right of access to personal data of deceased persons amounts to another example of access by a third party other than the data subject, Recital 27 specifies that the GDPR does not apply to the personal data of deceased persons. The matter is therefore dealt with by national law and Member States may provide for rules regarding the processing of personal data of deceased persons. However, it should be borne in mind that the data may, in addition, relate to living third persons, e.g. in the context of requested access to a deceased person’s correspondence. The confidentiality of such data still needs to be protected.
40 Regarding the time limits for exercising the right of access when the controller needs to obtain additional information, see para. 157.
41 Art. 4(12) GDPR.
3.4.1 Exercise of the right of access on behalf of children
83. Children deserve specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerning their rights in relation to the processing of personal data42. Any information and communication to a child, where personal data of a child are processed, should be in clear and plain language so that the child can easily understand43.
84. Children are data subjects in their own right and, as such, the right of access belongs to the child. Depending on the maturity and capacity of the child, the child may need a third party to act on its behalf, e.g. the holder of parental responsibility.
85. The best interests of the child should be a leading consideration in all decisions taken with respect to the exercise of the right of access in the context of children, in particular where the right of access is exercised on behalf of the child, for example, by the holder of parental authority.
86. Due to the special protection of children’s personal data contained in the GDPR, the controller shall take appropriate measures to avoid any disclosure of personal data of a minor to an unauthorised person (in this respect see also section 3.4 above).
87. Finally, the right of the holder of parental responsibility to act on behalf of the child should not be confused with instances, outside of data protection law, where national legislation may provide the right of the holder of parental responsibility to ask and receive information on the child (e.g. performance of the child at school).
3.4.2 Exercising the right of access through portals / channels provided by a third party
88. There are companies that provide services which enable data subjects to make access requests through a portal. The data subject signs in and gets access to a portal through which they can submit, for example, an access request, a request for data rectification or a request for data erasure to different controllers. Different questions arise from the use of portals provided by a third party.
89. The first issue controllers need to deal with when facing these circumstances is to ensure that the third party is acting legitimately on behalf of the data subject, as it is necessary to make sure that no data is disclosed to unauthorised parties.
90. Additionally, a controller that receives a request made through such a portal needs, invariably, to handle that request in a timely manner44. There is, however, no obligation for the controller to provide the data under Art. 15 GDPR directly to the portal, if the controller, for example, establishes that the security measures are insufficient or it would be deemed appropriate to use another way for the disclosure of data to the data subject. Under such circumstances, when the controller has other procedures in place to deal with access requests in an efficient and secure way, the controller can provide the requested information through these procedures.
42 Recital 38 GDPR. As provided in the work programme of the EDPB, it is its intent to provide guidance on children’s data. Such a document is expected to provide more guidance on the conditions under which a child may exercise their own right of access, and the holder of parental responsibility can exercise the right of access on behalf of the child.
43 Recital 58 GDPR. EDPB Guidelines 05/2020 on consent under Regulation 2016/679, section 7.
44 Regarding the time limits for exercising the right of access when the controller needs to obtain additional information, see para. 157.
4 SCOPE OF THE RIGHT OF ACCESS AND THE PERSONAL DATA AND INFORMATION TO WHICH IT REFERS
91. The present section aims at shedding light on the definition of personal data (4.1) and clarifying the scope of the information covered by the right of access in general (4.2 and 4.3). Of note is that the scope of the concept of personal data and thus, the differentiation between personal data and other data, is an integral part of the assessment carried out by the controller to identify the scope of the data that the data subject is entitled to obtain access to45.
92. As a preliminary consideration it should be recalled that the right of access can only be exercised with regard to processing of personal data falling within the material and territorial scope of the GDPR. Therefore, personal data that are not processed by automated means or that are not part of or intended to become part of a filing system as per Art. 2(1) GDPR or processed by a natural person in the course of a purely personal or household activity as per Art. 2 (2) GDPR, are not covered by the right of access.
4.1 Definition of personal data
93. Art. 15(1) and (3) GDPR refer to “personal data” and “personal data undergoing processing”, respectively. Therefore, the scope of the right of access is first and foremost determined by the scope of the concept of personal data, defined in Art. 4(1) GDPR46. The concept of personal data has already been the subject of several Art. 29 Working Party47 documents48 and has been interpreted by the CJEU, including in the context of the right of access under Art. 12 of Directive 95/46/EC.
94. The WP29 considered that the definition of personal data in Directive 95/46/EC “reflects the intention of the European lawmaker for a wide notion of ‘personal data’”49. Under the GDPR, the definition still refers to “any information relating to an identified or identifiable natural person”. Aside from basic personal data like name and address, telephone number etc., a practically unlimited variety of data may fall within this definition, including medical findings, history of purchases, creditworthiness indicators, communication contents, etc. In light of the broad scope of the definition of personal data, a restrictive assessment of that definition by the controller would lead to an erroneous classification of personal data50 and ultimately to a violation of the right of access.
45 In accordance with the principle of privacy by design, such analysis is part of the assessment of appropriate measures and safeguards to protect data protection principles and data subject rights, which is carried out “at the time of the determination of the means for processing and at the time of the processing itself”, e.g. reducing the response time when data subjects exercise their rights may be one of the metrics. For further explanations, see Guidelines 4/2019 on Article 25 Data Protection by Design and by Default.
46 As per Art. 4(1) GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
47 The Art. 29 Working Party (Art. 29 WP) is the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the GDPR), the predecessor of the EDPB.
48 E.g. WP251 rev.01 Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, p. 19; WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 9.
49 WP29 Opinion 4/2007 on the concept of personal data, p. 4.
95. In joined cases C-141/12 and C-372/1251 the CJEU ruled that the right of access covered the personal data contained in a legal minute, namely the “name, date of birth, nationality, gender, ethnicity, religion and language of the applicant” and, “where relevant, the data in the legal analysis contained in the minute”, but not the legal analysis itself52. The legal analysis was, in that context, not in itself liable to be checked for accuracy by the data subject or to be rectified. Furthermore, providing access to the legal analysis would serve not the purpose of guaranteeing privacy but that of access to administrative documents.
96. In Nowak53, the CJEU made a broader analysis and found that the written answers submitted by a candidate at a professional examination and any comments of an examiner with respect to those answers constitute personal data concerning the exam candidate. More precisely, such subjective information is personal data “in the form of opinions and assessments, provided that it ‘relates’ to the data subject”54, as opposed to the examination questions, which are not considered personal data55. Thus, a contextual assessment should shed light on the effect or result a piece of information may have on an individual, and thus on the scope of the right of access.
97. Thus, subject to the specific facts of the case, when assessing a specific request for access, the following types of data are, inter alia, to be provided by controllers without prejudice to Art. 15(4) GDPR:
– Special categories of personal data as per Art. 9 GDPR;
– Personal data relating to criminal convictions and offences as per Art. 10 GDPR;
– Data knowingly and actively provided by the data subject (e.g. account data submitted via forms, answers to a questionnaire)56;
– Observed data or raw data provided by the data subject by virtue of the use of the service or the device (e.g. data processed by connected objects, transaction history, activity logs such as access logs, history of website usage, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, particular way of walking or speaking)57;
– Data derived from other data, rather than directly provided by the data subject (e.g. credit ratio, classification based on common attributes of data subjects, country of residence derived from postcode)58;
– Data inferred from other data, rather than directly provided by the data subject (e.g. to assign a credit score or comply with anti-money laundering rules, algorithmic results, results of a health assessment or of a personalisation or recommendation process)59;
– Pseudonymised data as opposed to anonymised data (see also section 3 of these guidelines).
50 as information not relating to an identified or identifiable natural person.
51 CJEU, joined Cases C-141/12 and C-372/12, YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S, 17 July 2014.
52 CJEU, joined Cases C-141/12 and C-372/12, YS and Others, paras. 38 and 48.
53 CJEU, C-434/16, Peter Nowak v Data Protection Commissioner, 20 December 2017.
54 CJEU, C-434/16, Nowak, paras. 34-35.
55 CJEU, C-434/16, Nowak, para. 58.
56 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 9.
98. Several considerations may be drawn from the above non-exhaustive list of personal data which may be provided to the data subject in the context of an access request. It is apparent from the above that the controller may not draw a distinction, when providing access to personal data, between data contained in paper files and data stored electronically, as long as they fall within the scope of the GDPR. In other words, personal data which are contained in paper files as part of a filing system, or which are intended to form part of a filing system, are covered by the right of access in the same way as personal data stored in a computer memory by means of, for example, binary code or videotape.
99. Moreover, like most data subject rights, the right of access includes both inferred and derived data, including personal data created by a service provider, whereas the right to data portability only includes data provided by the data subject60. Therefore, in the case of an access request, and unlike a data portability request, the data subject should be provided not only with the personal data provided to the controller in order to make a subsequent analysis or assessment about these data, but also with the result of any such subsequent analysis or assessment.
57 WP29 Opinion 4/2007 on the concept of personal data, p. 8.
58 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 10-11.
59 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 10-11; Art. 29 Working Party, WP 251 rev.01, 6 February 2018, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 – endorsed by the EDPB (hereinafter “WP29 Guidelines on Automated individual decision-making and profiling – endorsed by the EDPB”), p. 9-10.
60 As previously stated in WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 10 and reiterated in WP29 Guidelines on Automated individual decision-making and profiling – endorsed by the EDPB, p. 17.
100. It is also important to recall that there is information, such as anonymous data61, which does not relate directly or indirectly to an identifiable person and is hence excluded from the scope of the GDPR. For example, the location of the server on which the personal data of the data subject are processed is not personal data. The distinction can be challenging and controllers may wonder how to draw a clear line between personal and non-personal data, in particular in the case of mixed datasets. In such a case it may be useful to differentiate between mixed datasets in which personal and non-personal data are inextricably linked and those in which this is not the case. Personal and non-personal data may be inextricably linked in mixed datasets and fall altogether under the scope of the right of access of the data subject to which the personal data relate62. In other cases personal and non-personal data in mixed datasets may not be inextricably linked, rendering only the personal data in the set accessible to the data subject. For example, a company might need to provide a data subject with the individual IT incident reports they triggered, but not with the company’s knowledge base of IT problems. Likewise, which security measures the controller has put in place is generally not to be understood as personal data, provided that these are not inextricably linked with personal data, and is therefore not covered by the right of access.
101. Before concluding the section, the EDPB recalls in this context that the protection of natural persons with regard to the processing of personal data encompasses all the types of personal data listed above and that a restrictive interpretation of the definition contravenes the provisions of the GDPR and ultimately violates Art. 8 of the Charter of Fundamental Rights. The application of a differing regime for the exercise of a right in relation to some types of personal data, which has not been foreseen by the GDPR can be introduced exclusively by law, in accordance with Art. 23 GDPR (as further explained in section 6.4). Thus, controllers cannot limit the exercise of the right of access by unduly restricting the scope of personal data.
4.2 The personal data the right of access refers to
102. According to Art. 15(1) GDPR, “the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information”(emphasis added).
103. Several elements emerge from paragraph (1) of Art. 15 GDPR. The paragraph refers expressis verbis to “personal data concerning him or her” (4.2.1), which “are being processed” (4.2.2) by the controller:
4.2.1 “personal data concerning him or her”
104. The right of access can be exercised exclusively with regard to personal data relating to the data subject requesting access or, where applicable, by an authorised person or proxy (see section 3.4). There are also situations in which data do not have a link to the person exercising the right of access but to another individual. The data subject is, however, only entitled to personal data relating to themselves, excluding data which exclusively concern someone else63.
61 Further explanations on the concept of anonymisation can be found in Art. 29 Working Party, Opinion 05/2014 on Anonymisation Techniques, WP216, 10 April 2014, p. 5-19.
62 Communication from the Commission to the European Parliament and the Council, Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union, 29.05.2019, COM/2019/250 final.
105. The classification of data as personal data concerning the data subject does, however, not depend upon the fact that those personal data also relate to someone else64. It is thus possible that personal data relate to more than one individual at the same time. This does not automatically mean that access to personal data also relating to someone else should be granted, as the controller needs to comply with Art. 15(4) GDPR.
106. The words “personal data concerning him or her” should not be interpreted in an “overly restrictive” way by controllers, as the Art. 29 Working Party already stated with regard to the right to data portability65. Applied to the right of access, the EDPB considers for example that recordings of telephone conversations (and their transcription) between the data subject that requests access and the controller may fall under the right of access, provided that the latter are personal data66. Provided that the GDPR applies and that the processing is not covered by the household exemption as per Art. 2(2)(c) GDPR, if the data subject uses the obtained record, which includes personal data of the interlocutor, for other purposes, for instance by publishing the record, the data subject will become a controller for this processing of personal data relating to the other person whose voice was recorded. Although this will not exempt the controller from its data protection obligations when duly analysing whether access to the full record may be given, the controller is encouraged to inform the data subject about the fact that they may become controller in such a case. This is without prejudice to any further assessment under Art. 15(4) GDPR detailed in section 6. In the same vein, messages that data subjects have sent to others in the form of interpersonal messages and deleted from their own device, but that are still available to the service provider, may fall under the right of access.
107. Then again, there are situations in which the link between the data and several individuals may seem blurred to the controller, such as in the case of identity theft. In case of identity theft, a person fraudulently acts in the name of another person. In this context it is important to recall that the victim should be provided with information on all personal data the controller stores in connection with their identity, including those that have been collected on the basis of the fraudster’s actions. In other words, even after the controller learned about the identity theft, personal data which are associated with or related to the identity of the victim constitute personal data of the data subject.
63 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 9: “Only personal data is in scope of a data portability request. Therefore, any data that is anonymous or does not concern the data subject, will not be in scope. However, pseudonymous data that can be clearly linked to a data subject (e.g. by them providing the respective identifier, cf. Article 11 (2)) is within the scope.”
64 CJEU, judgment in case C-434/16 Peter Nowak v. Data Protection Commissioner, 2017, para. 44.
65 WP29 Guidelines on the right to data portability – endorsed by the EDPB, p. 9: “In many circumstances, controllers will process information that contains the personal data of several data subjects. Where this is the case, controllers should not take an overly restrictive interpretation of the sentence “personal data concerning the data subject”. As an example, telephone, interpersonal messaging or VoIP records may include (in the subscriber’s account history) details of third parties involved in incoming and outgoing calls. Although records will therefore contain personal data concerning multiple people, subscribers should be able to have these records provided to them in response to data portability requests, because the records are (also) concerning the data subject. However, where such records are then transmitted to a new controller, this new controller should not process them for any purpose which would adversely affect the rights and freedoms of the third-parties (see below: third condition).”
66 See example 34 in section 6.2.
108. If appropriate, internal connection logs can be used to keep a record of accesses to a file and to trace back which actions were performed in connection with accesses to a record, such as printing, copying or deleting personal data. These logs may include the time of logging, the reason for the access to the file as well as information identifying the person having had access. Questions related to this topic are at issue in a case currently pending before the CJEU (C-579/21). Putting connection logs in place, supervising them and revising them fall within the controller’s responsibility and are liable to be checked by the supervisory authorities. The controller should thus make sure that the persons acting under its authority who have access to personal data do not process personal data except on instructions from the controller, as per Art. 29 GDPR. If such a person nevertheless processes the personal data for purposes other than fulfilling the controller’s instructions, they may become controller for that processing and be subject to disciplinary or criminal proceedings or to administrative sanctions issued by supervisory authorities. The EDPB notes that it is part of the employer’s responsibility under Art. 24 GDPR to make use of appropriate measures, extending from education to disciplinary procedures, to ensure that processing is in compliance with the GDPR and that no infringement occurs.
4.2.2 Personal data which “are being processed”
109. Paragraph (1) of Art. 15 GDPR moreover refers to personal data, which “are being processed”. The time reference point for determining the range of personal data falling within the access request has already been elaborated in section 2.3.3. The wording however also suggests that the right of access does not distinguish between the purposes of the processing operations.
110. Archived personal data need to be distinguished from back-up data, that is personal data stored solely for the purpose of restoring the data in the case of a data loss event. It should be pointed out that, in respect of the principles of data protection by design and data minimisation, the back-up data are in principle similar to the data in the live system. Where there are slight differences between personal data in the back-up and in the live production system, these are generally linked to the collection of additional data since the last back-up. A decrease in data in the live system (e.g. erasure after the retention period of some data came to an end, or following an erasure request) will in some cases only be reflected in the back-up data when the subsequent back-up overwrites them. In case there is an access request at a moment where there are more personal data relating to the data subject in the back-up than in the live system, or different personal data (noticeable for example via a log of deletions in the live production system, implemented in full compliance with the principle of data minimisation), the controller needs to be transparent about this situation and, where technically feasible, provide access as requested by the data subject, including to personal data stored in the back-up. For instance, with the aim of being transparent to data subjects who exercise their right, a log of deletions in the live production system may enable the controller to see that there are data in the back-up which are no longer in the live system because they have recently been deleted and have not yet been overwritten in the back-up.
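As an added illustration of the reconciliation this paragraph describes, and not part of the guidelines themselves, the Python snippet below compares a data subject’s records in the live system with the most recent back-up snapshot, using the live system’s log of deletions to surface records that were erased after the snapshot was taken and therefore still sit in the back-up. All systems, records, identifiers and timestamps are constructed sample data, and `reconcile_backup` is a hypothetical helper rather than an API of any product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DeletionEntry:
    """One line of the live system's log of deletions (constructed format)."""
    record_id: str
    subject_id: str
    deleted_at: datetime


def _utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample data: record_id -> record. Nothing here comes from a real system.
BACKUP_TAKEN_AT = _utc(2024, 3, 1)

LIVE = {
    "r1": {"subject_id": "ds-42", "field": "address", "value": "Old Street 1"},
    "r4": {"subject_id": "ds-42", "field": "phone", "value": "+49 30 000001"},  # changed after the backup
    "r5": {"subject_id": "ds-77", "field": "address", "value": "Elsewhere 9"},
}

BACKUP = {  # snapshot as it stood at BACKUP_TAKEN_AT
    "r1": {"subject_id": "ds-42", "field": "address", "value": "Old Street 1"},
    "r2": {"subject_id": "ds-42", "field": "email", "value": "ana@example.org"},  # deleted after the backup
    "r4": {"subject_id": "ds-42", "field": "phone", "value": "+49 30 000000"},
    "r5": {"subject_id": "ds-77", "field": "address", "value": "Elsewhere 9"},
}

DELETION_LOG = [
    DeletionEntry("r3", "ds-42", _utc(2024, 2, 20)),  # deleted before the backup: already gone from it
    DeletionEntry("r2", "ds-42", _utc(2024, 3, 5)),   # deleted after the backup: still in it
    DeletionEntry("r9", "ds-77", _utc(2024, 3, 6)),   # another data subject
]


def reconcile_backup(subject_id, live, backup, backup_taken_at, deletion_log):
    """Return what an access response must cover for `subject_id`:

    live:        records currently held in the production system
    backup_only: records deleted from production but still present in the backup,
                 found by walking the deletion log and checking the snapshot
    changed:     records present in both whose backup copy differs (an older version)
    """
    live_hits = {rid: rec for rid, rec in live.items() if rec["subject_id"] == subject_id}

    backup_only = {}
    for entry in deletion_log:
        if entry.subject_id != subject_id or entry.record_id in live:
            continue
        rec = backup.get(entry.record_id)
        if rec is None:
            continue  # deleted before the snapshot or never backed up: nothing left to disclose
        backup_only[entry.record_id] = {
            "record": rec,
            "deleted_at": entry.deleted_at.isoformat(),
            "deleted_after_backup": entry.deleted_at > backup_taken_at,
        }

    changed = {
        rid: {"live": live[rid], "backup": backup[rid]}
        for rid in live_hits
        if rid in backup and backup[rid] != live[rid]
    }
    return {"live": live_hits, "backup_only": backup_only, "changed": changed}


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile_backup("ds-42", LIVE, BACKUP, BACKUP_TAKEN_AT, DELETION_LOG), indent=2))
```

The deletion log alone is not proof that a record survives in the back-up (r3 was erased before the snapshot and is already gone), so the helper confirms presence against the snapshot itself and records whether the deletion postdates the back-up; the `changed` set covers the other case the paragraph mentions, where the back-up holds a different, older version of data that is still live.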
4.2.3 The scope of a new request to access
111. Finally, data subjects are entitled to have access to all data processed relating to them, or to parts of the data, depending on the scope of the request (see also 2.3.1 on the completeness of the information and 3.1.1 for the analysis of the content of the request). As a consequence, where a controller has already complied with a request for access in the past, and provided that the new request is not excessive, the controller cannot narrow the scope of this new request. This means that in relation to any further access request of the same data subject, the controller should not inform the data subject only about the mere changes in the personal data processed, or in the processing itself, since the last request, unless the data subject expressly agrees to this. Otherwise, data subjects would be obliged to compile the responses to their successive requests themselves in order to obtain a complete set of their personal data and of the information on the processing and on data subject rights.
4.3 Information on the processing and on data subject rights
112. In addition to the access to the personal data themselves, the controller has to provide information on the processing and on data subject rights according to Art. 15(1)(a) to (h) and 15(2) GDPR. Most of the information on those specific points is already compiled, at least in general form, in the controller’s record of processing activities referred to in Art. 30 GDPR and/or in its privacy notice elaborated in accordance with Arts. 12 to 14 GDPR. Therefore, it might be helpful as a first step to consult the “Guidelines on transparency under Regulation 2016/679”67 of the Art. 29 Working Party on the content of the information to be given under Art. 13 and 14 GDPR.
113. In order to comply with Art. 15(1)(a) to (h) and 15(2), controllers may carefully use text modules of their privacy notice as long as they make sure that they are up-to-date and precise with regard to the request of the data subject. Before or at the beginning of the data processing, some information, such as the identification of specific recipients or the specific duration of the data processing, can often not yet be provided. Some information, like for example the right to complain to a supervisory authority (see Art. 15(1)(f)), does not change depending on the person making the access request. Therefore, it may be communicated in general terms, as is also done in the privacy notice. Other types of information, such as the information on recipients, on categories and on the source of the data, may vary depending on who makes the request and what the scope of the request is. In the context of an access request under Art. 15, any information on the processing available to the controller may therefore have to be updated and tailored to the processing operations actually carried out with regard to the data subject making the request. Thus, referring to the wording of its privacy policy would not be a sufficient way for the controller to give the information required by Art. 15(1)(a) to (h) and (2), unless the “tailored and updated” information is the same as the information provided at the beginning of the processing. In explaining which information relates to the requesting person, the controller could, where appropriate, refer to certain activities (such as “if you have used this service …”, “if you have paid by invoice”) as long as it is obvious to the data subjects whether they are concerned. In the following, the degree of specification required is explained in relation to the individual types of information.
67 Art. 29 Working Party, WP260 rev.01, 11 April 2018, Guidelines on transparency under Regulation 2016/679 – endorsed by the EDPB (hereinafter “WP29 Guidelines on transparency – endorsed by the EDPB”).
114. Information on the purposes according to Art. 15(1)(a) needs to be specific as to the precise purpose(s) in the actual case of the requesting data subject. It would not be enough to list the general purposes of the controller without clarifying which purpose(s) the controller pursues in the current case of the requesting data subject. If the processing is carried out for several purposes, the controller has to clarify which data or which categories of data are processed for which purpose(s). Unlike Art. 13(1)(c) and Art. 14(1)(c) GDPR, the information on the processing referred to in Art. 15(1)(a) does not contain information on the legal basis for the processing. However, as some data subjects’ rights depend on the applicable legal basis, this information is important for the data subjects to verify the lawfulness of the data processing and to determine which data subject’s rights are applicable in the specific situation. Therefore, in order to facilitate the exercise of data subjects’ rights in line with Art. 12(2) GDPR, the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation or to indicate where they can find this information. In any event, the principle of transparent processing requires that the information on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice).
115. Information on categories of data (Art. 15(1)(b)) may also have to be tailored to the data subject’s situation such that categories which have turned out not to be relevant in case of the requester should be eliminated.
116. Information on “recipients or categories of recipients” (Art. 15(1)(c)) has firstly to take into account the definition of recipients given in Art. 4(9) GDPR. The definition of recipients is based on the disclosure of personal data to a natural or legal person, public authority, agency or other body68. It follows from Art. 4(9) GDPR that public authorities acting in the framework of a particular enquiry subject to specific national provisions are not to be considered as recipients.
117. Concerning the question whether the controller is free to choose between information on recipients or on categories of recipients, it has to be noted that “unlike Art. 13 and 14 of the GDPR, which lay down an obligation on the part of the controller (…), Article 15 of the GDPR lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipients.”69 It has also to be recalled that, as stated in the above-mentioned guidelines on transparency70, already under Art. 13 and 14 GDPR information on the recipients or categories of recipients should be as concrete as possible in respect of the principles of transparency and fairness. Under Article 15, if the data subject has not chosen otherwise, the controller is obliged to name the actual recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR71 72. The EDPB recalls in this regard that storing information relating to the actual recipients is necessary inter alia to be able to comply with the controller’s obligations under Art. 5(2) and 19 GDPR.
68 It should further be noted that different controllers as defined by Art. 4(7) GDPR may exist within the same company. In this constellation, a disclosure of data from one of them to another within the same company is possible.
Where, respecting the conditions mentioned above, a controller may only provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients73.
118. According to Art. 15(1)(d), information has to be given on the envisaged period for which the personal data will be stored, where possible. Otherwise, the criteria used to determine that period have to be provided. The information given by the controller has to be precise enough for the data subject to know how long the data relating to the data subject will continue to be stored. If it is not possible to specify the time of deletion, the duration of storage periods and the beginning of this period or the triggering event (e.g. termination of a contract, expiration of a warranty period, etc.) shall be specified. The mere reference, for example to “deletion after expiry of the statutory storage periods” is not sufficient. Indications concerning data storage periods will have to focus on the specific data relating to the data subject. If the personal data of the data subject is subject to different deletion periods (e.g. because not all data is subject to legal storage obligations), the deletion periods shall be stated in relation to the respective processing operations and categories of data.
119. Whereas information on the right to lodge a complaint with a supervisory authority (Art. 15(1)(f)) is not dependent on the specific circumstances, the data subject rights mentioned in Art. 15(1)(e) vary depending on the legal basis underlying the processing. With regard to its obligation to facilitate the exercise of data subject rights pursuant to Art. 12(2) GDPR, the response by the controller on those rights shall be individually tailored to the case of the data subject and relate to the processing operations concerned. Information on rights that are not applicable to the data subject in the specific situation should be avoided.
69 CJEU, C-154/21 (Österreichische Post AG), para. 36.
70 Art. 29 Working Party, WP260 rev.01, 11 April 2018, Guidelines on transparency under Regulation 2016/679 – endorsed by the EDPB (hereinafter “WP29 Guidelines on transparency – endorsed by the EDPB”), p. 37 (Annex).
71 CJEU, C-154/21 (Österreichische Post AG).
72 The mere fact that the data have been disclosed to a large number of recipients would not per se render the request excessive, see section 6, para. 188.
73 WP29 Guidelines on transparency – endorsed by the EDPB, p. 37 (Annex).
120. According to Art. 15(1)(g), “any available information” as to the source of the data has to be provided, where the personal data are not collected from the data subject. The degree of available information may change over time.
Example 21: The privacy policy of a large company states:
“Credit checks help us to prevent problems in payment transactions. They guarantee the protection of our company against financial risks, which can also affect sales prices in the medium to long term. A credit check is necessarily carried out when we are going to ship goods without receiving the respective purchase price at the same time, e.g. in the case of a purchase on account. Without carrying out the credit check, only a prepayment option (immediate bank transfer, online payment provider, credit card) is possible.
For the purpose of credit checking, we will send your name, address and date of birth to the following service providers, for example: (1) Financial Information Agency X, (2) Business Information Provider Y, (3) Commercial Credit Reference Agency Z.
The data are passed on to the above-mentioned credit institutions only within the scope of what is legally permissible and only for the purposes of the analysis of your past payment behaviour as well as for the assessment of the risk of default on the basis of mathematical-statistical procedures using address data, as well as for verification of your address (examination of delivery). Depending on the result of the credit check, we may no longer be able to offer you individual payment methods, such as purchase on invoice.”
The privacy notice thus contains general information on the possibility of obtaining information from the listed credit information agencies in accordance with Art. 13 and 14 GDPR. If it is not clear ex ante which of the companies will be involved in the processing, it is sufficient to mention the names of the eligible companies in the privacy policy. In the context of a request based on Art. 15, in addition to the information that creditworthiness information has been obtained, it would then (ex post) be necessary to disclose exactly which of the companies mentioned has been involved. It is clearly expressed by Art. 15(1)(g) that the information on the processing of the data comprises “any available information as to their source” where the personal data are not collected from the data subject.
121. Art. 15(1)(h) provides that every data subject should have the right to be informed, in a meaningful way, inter alia, about the existence and underlying logic of automated decision-making, including profiling, concerning the data subject and about the significance and the envisaged consequences that such processing could have74. If possible, information under Art. 15(1)(h) has to be more specific in relation to the reasoning that led to specific decisions concerning the data subject who asked for access.
74 See on this behalf Guidelines on transparency under Regulation 2016/679 (WP 260), para. 41, with reference to Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 (WP 251).
122. Information about intended transfers of data to a third country or an international organisation, including the existence of a Commission adequacy decision or suitable safeguards, has to be given under Art. 13(1)(f) and 14(1)(f) GDPR. In the context of a request for access under Art. 15, Art. 15(2) requires information on the appropriate safeguards pursuant to Art. 46 GDPR only in cases where transfer to a third country or an international organisation is actually taking place.
5 HOW CAN A CONTROLLER PROVIDE ACCESS?
123. The GDPR is not very prescriptive as to how the controller has to provide access. The right of access may be easy and straightforward to apply in some situations, for example when a small organisation holds limited information about the data subject. In other situations, the right of access is more complicated because the data processing is more complex with regard to the number of data subjects, the categories of processed data and the flow of data within and between different organisations. Considering the differences in personal data processing, the appropriate way to provide access may vary accordingly.
124. This section aims at giving some guidance and practical examples on different ways for controllers to comply with an access request as well as to the meaning of Art. 12(1) GDPR in relation to the right of access. This section will also give some guidance about what is considered to be a commonly used electronic form as well as the timing for the provision of access under Art. 12(3) GDPR.
5.1 How can the controller retrieve the requested data?
125. The data subjects should have access to all the information that the controller processes regarding them. This means, for example, that the controller is obliged to search for personal data throughout its IT systems and non-IT filing systems. When carrying out such search, the controller should use available information in the organisation regarding the data subject that likely will result in matches in the systems depending on how the information is structured75. For example, if the information is sorted in files depending on name or a reference number, the search could be limited to these factors. But if the structure of the data depends on other factors, such as family relations or professional titles or any kind of direct or indirect identifiers (e.g. customer number, user name or IP-addresses), the search needs to be extended to include these, provided that the controller also holds this information related to the data subject, or is provided with that information by the data subject. The same applies when records regarding third persons are likely to contain personal data regarding the data subject. The controller may, however, not require the data subject to provide more information than necessary to identify the data subject. If a controller uses a processor for its data processing activities the search naturally has to be extended to also include personal data processed by the processor.
126. In line with Art. 25 GDPR on data protection by design and by default, the controller (and any processors it uses) should also already have implemented functions enabling the compliance with data subject rights. This means, in this context, that there should be appropriate ways to find and retrieve information regarding a data subject when handling a request. However, it should be noted that an excessive interpretation in this regard could lead to functions for finding and retrieving information that in themselves pose a risk for the privacy of data subjects. It is therefore important to keep in mind that the process to retrieve data should also be designed in a data protection friendly way, so that it doesn’t compromise the privacy of others, for example the employees of the controller.
75 Such a search should naturally also include information that is held by a processor, see Article 28(3)(e) GDPR.
5.2 Appropriate measures for providing access
5.2.1 Taking “appropriate measures”
127. Art. 12 GDPR lays down the requirements for providing access, i.e. for providing the confirmation, the personal data and the supplementary information under Art. 15, and also specifies the form, manner and time limit in relation to the right of access. Art. 29 Working Party’s “Guidelines on transparency under Regulation 2016/679”76 provides further guidance as regards Art. 12, mostly in relation to Art. 13 and 14 GDPR but also in relation to Art. 15 and on transparency in general. Thus, what is defined in those guidelines can often equally apply with regards to providing access under Article 15.
128. Art. 12(1) of the GDPR states that the controller shall take appropriate measures to provide any communication under Art. 15 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Art. 12(2) provides that the controller shall facilitate the data subject’s exercise of access right. The more precise requirements in this regard will have to be assessed case by case. When deciding which measures are appropriate, the controllers have to take into account all the relevant circumstances, including, but not limited to, the amount of data being processed, the complexity of their data processing and the knowledge they have about their data subjects, for example if the majority of the data subjects are children, elderly people or people with disabilities. In addition, in situations where the controller is made aware of any particular needs of the data subject making the request, for example through additional information in the request made, the controller needs to take these circumstances into consideration. As a result the appropriate measures will vary.
129. It is important to keep in mind when making the assessment that the term “appropriate” should never be understood as a way of limiting the scope of the data covered by the right of access. The term “appropriate” does not mean that the efforts to provide the information can be balanced against, for example, any interest the data subject may have in obtaining the personal data. Instead the assessment should aim at choosing the most appropriate method for providing all information covered by this right, depending on the specific circumstances in each case. As a consequence, a controller who processes a large quantity of data on a large scale must accept to undertake great efforts to ensure the right of access to the data subjects in a concise, transparent, intelligible and easily accessible form, by using plain and clear language.
130. It needs to be avoided to direct the data subject to different sources in response to a data access request. As previously stated in the WP29 Guidelines on Transparency (with regard to the notion of “provide” in Art. 13 and 14 GDPR), the notion of “provide” entails that “the data subject must not have to actively search for information covered by these articles amongst other information, such as terms and conditions of use of a website or app”77. Therefore, and in respect of the transparency principle, data subjects must obtain from the controller the information and personal data required by Art. 15(1), 15(2) and 15(3) in a way that enables complete access to the requested information. In special circumstances, it would be inappropriate or even unlawful to share the information within the controller, for example due to the sensitive nature of the information (such as information relating to whistleblowing). In these cases, it would be deemed appropriate to split the information into several replies as a response to the data subject’s access request. The method chosen by the controller must actually provide the data subject with the requested data and information, hence it would not be appropriate to solely refer the data subject to check the requested data stored on their own device including, for example, to check clickstream history and IP addresses on their mobile phone.
76 Art. 29 Working Party, WP260 rev.01, 11 April 2018, Guidelines on transparency under Regulation 2016/679 – endorsed by the EDPB (hereinafter “WP29 Guidelines on transparency – endorsed by the EDPB”).
77 WP29 Guidelines on transparency – endorsed by the EDPB, para. 33.
131. In accordance with the accountability principle, a controller must document their approach to be able to demonstrate how the means chosen to provide the necessary information under Art. 15 are appropriate in the circumstances at hand.
5.2.2 Different means to provide access
132. As already explained in section 2.2.2 above, when making an access request the data subjects are entitled to receive a copy of their data undergoing processing pursuant to Art. 15(3) together with the supplementary information, which is considered as the main modality for providing access to the personal data.
133. However, in some circumstances it could be appropriate for the controller to provide access through other ways than providing a copy. Such non-permanent modalities of access to the data could be, for example: oral information, inspection of files, onsite or remote access without possibility to download. These modalities may be appropriate ways of granting access for example in cases where it is in the interest of the data subject or the data subject asks for it. Onsite access could also be appropriate, as an initial measure, when a controller handles a large quantity of non-digitalized data to allow the data subject to be made aware of what personal data are undergoing processing and to be able to make an informed decision about what personal data he or she wants to be provided through a copy. Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data processed by the controller are correct by giving data subjects a chance to view the original data. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Giving access through other ways than providing a copy does not preclude the data subjects from the right to also have a copy, unless they choose not to.
134. The controller may choose, depending on the situation at hand, to provide the copy of the data undergoing processing, together with the supplementary information, in different ways, e.g. by e-mail, physical mail or by the use of a self-service tool. If the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form as stated in Art. 15(3). In any case, the controller has to consider appropriate technical and organizational measures, including adequate encryption when providing information via e-mail or online-self-service tools.
135. In the situation, where the controller is processing personal data regarding the person making the request only in a small scale, the copy of the personal data and the supplementary information can and should be provided through a simple procedure.
136. Even controllers that process a large quantity of data can choose to rely on manual routines for handling access requests. If the controller processes data in several different departments, the controller needs to collect the personal data from each department to be able to respond to the data subject request.
137. Although manual processes for handling access requests could be regarded as appropriate, some controllers may benefit from using automated processes to handle data subject requests. This could, for example, be the case for controllers that receive a large number of requests. One way to provide the information under Art. 15 is by providing the data subject with self-service tools. This could facilitate an efficient and timely handling of data subjects’ requests of access and will also enable the controller to include the verification mechanism in the self-service tool.
138. The use of self-service tools should never limit the scope of personal data received. If it is not possible to give all the information under Art. 15 through the self-service tool, the remaining information needs to be provided in a different manner. The controller may indeed encourage the data subject to use a self-service tool that the controller has set in place for handling access requests. However, it should be noted that the controller must also handle access requests that are not sent through the established channel of communication78.
5.2.3 Providing access in a “concise, transparent, intelligible and easily accessible form using clear and plain language”
139. According to Art. 12(1) GDPR the controller shall take appropriate measures to provide access under Art. 15 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
140. The requirement that providing access to the data subject has to be done in a concise and transparent form means that controllers should present the information efficiently and succinctly in order to be easily understood by the data subject, especially if it is a child. The controller needs to take into account the quantity and complexity of the data when choosing the means for providing access under Art. 15.
78 See section 3.1.2.
141. Under the circumstances in the example above, the use of a layered approach, similar to the layered approach advocated in the Guidelines on transparency with regard to privacy notices79, could be an appropriate measure to fulfil both the requirements in Art. 15 and 12(1) GDPR. This will be further developed under section 5.2.4 below. The requirement that the information is “intelligible” means that it should be understood by the intended audience80, whilst keeping in mind any particular needs that the data subject might have that are known to the controller81. Since the right of access often enables the exercise of other data subject rights, it is crucial that the information provided is made understandable and clear. This is because data subjects will only be able to consider whether to invoke their right to, for example, rectification under Art. 16 GDPR once they know what personal data are being processed, for what purposes etc. As a result, the controller might need to supply the data subject with additional information that explains the data provided. It should be emphasised that the complexity of data processing obliges the controller to provide the means to make the data understandable and cannot be used as an argument to limit the access to all data. Similarly, the controller’s obligation to provide data in a concise manner cannot be used as an argument to limit access to all data.
79 WP29 Guidelines on transparency – endorsed by the EDPB, para. 35.
80 Intelligibility is closely linked to the requirement to use a plain and clear language (WP29 Guidelines on transparency – endorsed by the EDPB, para. 9). What is said about a plain and clear language in para. 12-16 with regards to information referred to in Articles 13 and 14 GDPR, equally applies to communication under Article 15.
81 See para. 128.
82 The raw format in the example is to be understood as unanalysed data underlying a processing, and not the lowest level of raw data that may only be machine-readable (such as “bits”).
142. The “easily accessible” element means that the information under Art. 15 should be presented in a way that is easy for the data subject to access. This applies for example, to the layout, appropriate headings and paragraphing. The information should always be provided in plain and clear language. A controller that offers a service in a country should also offer answers in the language that is understood by the data subjects in that country. The use of standardised icons is also encouraged when it facilitates the intelligibility and accessibility of the information. When the request for information relates to visually impaired data subjects or other data subjects who may have difficulty in accessing or understanding information, the controller is expected to take measures facilitating the understanding of the information provided, including oral information, when adequate83. The controller should take special care to ensure that elderly people, children, visually impaired persons or persons with cognitive or other disabilities can exercise their rights, for instance, by proactively providing easily accessible elements to facilitate exercise of these rights.
5.2.4 A large quantity of information necessitates specific requirements on how the information is provided
143. Regardless of the means used to provide access there may be a tension between the amount of information the controller needs to provide data subjects with and the requirement that it must be concise. One way of achieving both, and an example of an appropriate measure for certain controllers, when a large quantity of data is to be provided, is to use a layered approach. This approach can facilitate the data subjects’ understanding of the data. It should nevertheless be stressed that this approach can only be used under certain circumstances and needs to be carried out in a way that does not limit the right of access, as explained below. Furthermore, the use of a layered approach should not create an extra burden for the data subject. Hence, it would be best suited when access is provided in an online context. A layered approach is merely a way to present the information under Art. 15 in a manner which is also compliant with the requirements in Art. 12(1) GDPR and should not be confused with the possibility for the controllers to request that the data subject specifies the information or processing activities to which the request relates, as prescribed in Recital 63 of the GDPR84.
144. A layered approach in relation to the right of access means that a controller, under certain circumstances, can provide the personal data and the supplementary information required under Art. 15 in different layers. The first layer should include information about the processing and data subject’s rights according to Art. 15(1)(a)-(h) and 15(2) as well as a first part of the processed personal data. In a second layer, more personal data should be provided.
145. When deciding what information should be given in the different layers the controller should consider what information the data subject in general would consider as most relevant. In line with the fairness principle, the first layer should also contain information on the processing which has the most impact on the data subject85. The controllers need to be able to demonstrate accountability as to their reasoning of the above.
83 See WP29 Guidelines on transparency – endorsed by the EDPB, para. 21.
84 See also section 2.3.1.
85 See WP29 Guidelines on transparency – endorsed by the EDPB, para. 36.
146. For the use of layered approach to be considered as an appropriate measure, it is necessary that the data subject is informed at the outset that the information under Art. 15 is structured into different layers and provided with a description of what personal data and information that will be contained in the different layers. In this way it will be easier for the data subject to decide what layers they want to access. The description should objectively reflect all the categories of personal data that are actually processed by the controller. It also needs to be clear how the data subject can get access to the different layers. Access to the different layers shall not entail any disproportionate effort for the data subject and shall not be made conditional on the formulation of a new data subject request. This means that the data subjects must have the possibility to choose whether to access all layers at once or to access one or two of the layers, if they are satisfied with this.
147. The use of a layered approach will not be considered appropriate for all controllers or in all situations. It should only be used when it would be difficult for the data subject to comprehend the information if given in its entirety. In other words, the controller needs to be able to demonstrate that the use of layered approach adds value for the data subject in helping them understand the information provided. A layered approach would therefore only be considered appropriate when a controller processes a large quantity of personal data about the data subject making a request and where there would be apparent difficulties for the data subject to grasp or comprehend the information if it were to be provided all at once. The fact that it would require great effort and resources from the controller to provide the information under Art. 15 is not in itself an argument for using a layered approach.
5.2.5 Format
148. According to Art. 12(1) GDPR, information under Art. 15 shall be provided in writing or by other means including, where appropriate, by electronic means. As regards access to the personal data undergoing processing, Art. 15(3) states that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The GDPR does not specify what a commonly used electronic form is. Thus there are several conceivable formats that can be used. What is considered to be a commonly used electronic form will also vary over time.
86 See footnote 82.
149. What could be considered as a commonly used electronic form should be based on an objective assessment and not on what format the controller uses in its daily operations. In order to determine what format is to be considered as a commonly used format in the situation at hand, the controller will have to assess if there are specific formats generally used in the controller’s area of operation or in the given context. When there are no such formats generally used, open formats set in an international standard, such as ISO, should, in general, be considered as commonly used electronic formats. However, the EDPB does not exclude the possibility that other formats may also be considered to be commonly used within the meaning of Article 15(3). When assessing if a format is a commonly used electronic format, the EDPB considers that it is of importance how easily the individual can access information provided in the current format. In this regard it should be noted what information the controller has provided to the data subject about how to access a file which has been provided in a specific format, such as what programs or software that could be used, to make the format more accessible to the data subject. The data subject should, however, not be obliged to buy software in order to get access to the information.
150. When deciding upon the format in which the copy of the personal data and the information under Art. 15 should be provided, the controller needs to keep in mind that the format must enable the information to be presented in a way that is both intelligible and easily accessible. It is important that the data subject is provided with information in embodied, permanent form (text, electronic). Since the information should persist over time, information in writing, including by electronic means, is, in principle, preferable over other forms. The copy of the personal data could, when appropriate, be stored on an electronic storage device such as CD or USB.
151. It should be noted that for a controller to be able to consider that data subjects have been provided with a copy of personal data it is not enough to have provided them with access to their personal data. For the requirement to provide a copy of personal data to be fulfilled and in case the data are provided electronically/digitally, the data subjects need to be able to download their data in a commonly used electronic form.
152. It is the responsibility of the controller to decide upon the appropriate form in which the personal data will be provided. The controller can, although is not necessarily obliged to, provide the documents which contain personal data about the data subjects making the request, in their original form. The controller could, for example, on a case-by-case basis, provide access to a copy of the medium as such, given the need for transparency (for example, to verify the accuracy of the data held by the controller in the event of a request for access to the medical file or an audio recording whose transcript is disputed). However, the CJEU, in its interpretation of the right of access under the Directive 95/46/EC, stated that “for [the right of access] to be complied with, it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him”87. Unlike the directive, the GDPR expressly contains an obligation to provide the data subject with a copy of the personal data undergoing processing. This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents.88 Such copy of the personal data could be provided through a compilation containing all personal data covered by the right of access as long as the compilation makes it possible for the data subject to be made aware and verify the lawfulness of the processing. Hence, there is no contradiction between the wording of the GDPR and the ruling by the CJEU regarding this matter. The word summary in the ruling should not be misinterpreted as meaning that the compilation would not encompass all data covered by the right of access, but is merely a way to present all that data without giving access to the underlying documents which contain the personal data. Since the compilation needs to contain a copy of the personal data, it should be stressed that it cannot be made in a way that somehow alters or changes the content of the information.
87 CJEU, Joined Cases C-141/12 and 372/12, YS and Others, para. 60.
153. Notwithstanding the form in which the controller provides the personal data, e.g. by providing the actual documents containing the personal data or a compilation of the personal data, the information shall comply with the transparency requirements laid down in Art. 12 GDPR. Making some kind of compilation and/or extracting the data in a way that makes the information easy to comprehend could, in some cases, be a way to comply with these requirements. In other cases the information is better understood by providing a copy of the actual document containing the personal data. Hence which form is most suitable must be decided on a case by case basis.
154. In this context, it is important to remember that there is a distinction between the right to obtain access under Art. 15 GDPR and the right to receive a copy of administrative documents regulated under national law, the latter being a right to receive a copy of the actual document. This does not mean that the right of access under Art. 15 GDPR excludes the possibility to receive a copy of the document/media on which the personal data appear.
155. In some cases, the personal data itself sets the requirements in what format the personal data should be provided. For example, when the personal data constitutes handwritten information by the data subject, the data subject may need to be provided with a photocopy of that handwritten information, as the handwriting itself is personal data. That could especially be the case when the handwriting is something that matters to the processing, e.g. scripture analysis. The same applies in general for audio recordings because the voice of the data subject itself is personal data. In some cases, however, access can be given by providing a transcription of the conversation, for example, if agreed upon between the data subject and the controller.
88 Questions related to this topic are at issue in cases currently pending before the CJEU (C-487/21 and C-307/21).
156. It should be noted that the provisions on format requirements are different regarding the right of access and the right of data portability. Whilst the right of data portability under Art. 20 GDPR requires that the information is provided in a machine readable format, the right to information under Art. 15 does not. Hence, formats that are considered not to be appropriate when complying with a data portability request, for example pdf-files, could still be suitable when complying with an access request.
5.3 Timing for the provision of access
157. Art. 12(3) GDPR requires that the controller provides information to the data subject regarding action taken in respect of a request under Art. 15 without undue delay and in any event within one month of receipt of the request. This deadline can be extended by a maximum of two months taking into account the complexity and the number of the requests, provided that the data subject has been informed about the reasons for such delay within one month of the receipt of the request. This obligation to inform the data subject about the extension and its reasons should not be confused with the information that has to be given without delay and at the latest within one month when the controller does not take action on the request, as detailed by Art. 12(4) GDPR.
158. The controller shall react and, as a general rule, provide the information under Art. 15 without undue delay, which means that the information should be given as soon as possible. This means that, if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so. The EDPB also considers that the timing to answer the request in some situations must be adapted to the storage period in order to be able to provide access89.
159. The time limit starts when the controller has received an Art. 15 request, meaning when the request reaches the controller through one of its official channels.90 It is not necessary that the controller is in fact aware of the request. However, when the controller needs to communicate with the data subject due to the uncertainty regarding the identity of the person making the request there may be a suspension in time until the controller has obtained the information needed from the data subject, provided the controller has asked for additional information without undue delay. The same applies for when a controller has asked a data subject to specify the processing operations to which the request relates, when the conditions set out in Recital 63 are met.91
89 See section 2.3.3
90 In some member states there is national law determining when a message is to be considered as received, taking into account weekends and national holidays.
91 See further section 2.3.1.
160. The time period to respond to an access request needs to be calculated in accordance with Regulation No 1182/7192.
161. If the last day of this time period falls on a weekend or a public holiday, the controller has until the next working day to respond.
162. Under certain circumstances the controller can extend the time to respond to a request of access by two further months if necessary, taking into account the complexity and number of the requests. It should be emphasised that this possibility is an exemption from the general rule and should not be overused. If controllers often find themselves forced to extend the time limit, it could be an indication of a need to further develop their general procedures to handle requests.
163. What constitutes a complex request varies depending upon the specific circumstances of each case. Some of the factors that could be considered relevant are for example:
• the amount of data processed by the controller,
• how the information is stored, especially when it is difficult to retrieve the information, for example when data are processed by different units of the organisation,
• the need to redact information when an exemption applies, for example information regarding other data subjects or that constitutes trade secrets, and
• when the information requires further work in order to be intelligible.
164. The mere fact that complying with the request would require a large effort does not make a request complex. Similarly, the fact that a big company receives a large number of requests would not automatically trigger an extension of the time limit. However, when a controller temporarily receives a large amount of requests, for example due to an extraordinary publicity regarding their activities, this could be regarded as a legitimate reason for prolonging the time of the response. Nevertheless, a controller, especially one who handles a large quantity of data, should have procedures and mechanisms in place in order to be able to handle requests within the time limit under normal circumstances.
6 LIMITS AND RESTRICTIONS OF THE RIGHT OF ACCESS
6.1 General remarks
165. The right of access is subject to the limits that result from Art. 15(4) GDPR (rights and freedoms of others) and Art. 12(5) GDPR (manifestly unfounded or excessive requests). Furthermore, Union or Member State law may restrict the right of access in accordance with Art. 23 GDPR. Derogations regarding the processing of personal data for scientific, historical research or statistical purposes or archiving purposes in the public interest can be based on Art. 89(2) and Art. 89(3) GDPR accordingly and derogations for processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression can be based on Art. 85(2) GDPR.
92 Regulation (EEC, EURATOM) No 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.
166. It is important to note that, apart from the above-mentioned limits, derogations and possible restrictions, the GDPR does not allow any further exemptions or derogations to the right of access. That means inter alia that the right of access is not subject to any general proportionality reservation with regard to the efforts the controller has to take to comply with the data subject's request under Art. 15 GDPR93. Furthermore, it is not permitted to limit or restrict the right of access in a contract between the controller and the data subject.
167. According to Recital 63, the right of access is granted to data subjects in order to be aware of, and verify, the lawfulness of the processing. The right of access enables, inter alia, the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of personal data94. However, data subjects are not obliged to give reasons or to justify their request. As long as the requirements of Art. 15 GDPR are met the purposes behind the request should be regarded as irrelevant95.
6.2 Article 15 (4) GDPR
168. According to Art. 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Explanations about this limitation are given in the fifth and sixth sentences of Recital 63. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. When interpreting Art. 15(4) GDPR special caution has to be taken not to unjustifiably widen the restrictions laid down in Art. 23 GDPR, which are permissible only under strict conditions.
169. Art. 15(4) GDPR applies to the right to obtain a copy of the data, which is the main modality of giving access to the data processed (second component of the right of access). It is also applicable, and the rights and freedoms of others shall be taken into account, if access to the personal data is exceptionally granted by other means than a copy. For example, no distinction is justified between trade secrets being affected by providing a copy and their being affected by granting on-site access to the data subject. Art. 15(4) GDPR is not applicable to the additional information on the processing as stated in Art. 15(1) lit. a.-h. GDPR.
170. According to Recital 63, conflicting rights and freedoms include trade secrets or intellectual property and in particular the copyright protecting the software. These explicitly mentioned rights and freedoms should be regarded merely as examples, as, in principle, any right or freedom based on Union or Member State law may be considered to invoke the limitation of Art. 15(4) GDPR96. Thus, the right to the protection of personal data (Art. 8 European Charter of Fundamental Rights) can also be considered as an affected right in terms of Art. 15(4) GDPR. Regarding the right to obtain a copy, the right to data protection of others is a typical case where the limitation needs to be assessed. Furthermore, the right to confidentiality of correspondence has to be taken into account, for example with regard to private e-mail correspondence in the employment context97. It is important to note that not every interest amounts to “rights and freedoms” pursuant to Art. 15(4) GDPR. For example, the economic interest of a company in not disclosing personal data does not reach the threshold for recourse to the exemption in Art. 15(4) as long as no trade secrets, intellectual property or other protected rights are affected.
93 Where the controller processes a large quantity of information concerning the data subject, as mentioned in Recital 63 GDPR, the controller may request the data subject to specify the information or processing activities to which the request relates. See also section 2.3.1.
94 CJEU, Joined Cases C-141/12 and C-372/12, YS and Others.
95 This is without prejudice to any applicable national law that complies with the requirements posed by Art. 23 GDPR, see Chapter 6.4.
171. “Others” means any other person or entity apart from the data subject who is exercising their right of access. Hence, the rights and freedoms of the controller or processor (in keeping trade secrets and intellectual property confidential, for example) might be considered. If the EU legislator had wanted to exclude controllers' or processors' rights and freedoms, it would have used the term “third party”, which is defined in Art. 4(10) GDPR.
172. The general concern that rights and freedoms of others might be affected by complying with the request for access is not enough to rely on Art. 15(4) GDPR. The controller must be able to demonstrate that in the concrete situation, rights or freedoms of others would, in fact, be impacted.
173. With regard to Recital 4 GDPR and the rationale behind Art. 52(1) of the European Charter of Fundamental Rights, the right to protection of personal data is not an absolute right98. Hence also the exercise of the right of access has to be balanced against other fundamental rights in accordance with the principle of proportionality. When the Art. 15(4) GDPR assessment proves that complying with the request has adverse (negative) effects on other participants’ rights and freedoms (step 1), the interests of all participants need to be weighed taking into account the specific circumstances of the case and in particular the likelihood and severity of the risks present in the communication of the data. The controller should try to reconcile the conflicting rights (step 2), for example through the implementation of appropriate measures mitigating the risk to the rights and freedoms of others. As emphasised in Recital 63, protecting the rights and freedoms of others by virtue of Art. 15(4) GDPR should not result in a refusal to provide all information to the data subject. This means, for example, where the limitation applies, that information concerning others has to be rendered illegible as far as possible instead of refusing to provide a copy of the personal data. However, if it is impossible to find a solution of reconciliation of the relevant rights, the controller has to decide in a next step which of the conflicting rights and freedoms prevails (step 3).
96 The weight or priority of the conflicting rights and freedoms is not a question of the definition of the terms “rights and freedoms”. However, balancing of such interests is part of a second step of the assessment of whether Art. 15(4) is applicable. See para. 173 below.
97 ECHR, Bărbulescu v. Romania, no 61496/08, para. 80, 5 September 2017.
98 See, for example, also CJEU, Joined cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen [GC], 9 November 2010, para. 48.
174. If controllers refuse to act on a request for the right of access in whole or in part under Art. 15(4) GDPR, they have to inform the data subject of the reasons without delay and at the latest within one month (Art. 12(4) GDPR). The explanatory statement has to refer to the concrete circumstances in order to allow the data subjects to assess whether they want to take action against the refusal. It must include information about the possibility of lodging a complaint with a supervisory authority (Art. 77 GDPR) and seeking judicial remedy (Art. 79 GDPR).
6.3 Article 12(5) GDPR
175. Art. 12(5) GDPR enables controllers to override requests for the right of access that are manifestly unfounded or excessive. These concepts have to be interpreted narrowly, as the principles of transparency and cost-free data subject rights must not be undermined.
176. Controllers must be able to demonstrate to the individual why they consider that the request is manifestly unfounded or excessive and, if asked, explain the reasons to the competent supervisory authority. Each request should be considered on a case-by-case basis in the context in which it is made in order to decide if it is manifestly unfounded or excessive.
6.3.1 What does manifestly unfounded mean?
177. A request for the right of access is manifestly unfounded if the requirements of Art. 15 GDPR are clearly and obviously not met when applying an objective approach. However, as explained especially in section 3 above, there are only very few prerequisites for requests for the right of access. Therefore, the EDPB emphasises that there is only very limited scope for relying on the “manifestly unfounded” alternative of Art. 12(5) GDPR in terms of requests for the right of access.
99 The extent of the information provided to individuals will be heavily context dependent, taking into account the nature of the controller and the nature of the breach of the terms of service. In some cases, it may only be possible for the controller to provide basic information in response to an access request to which Art. 15(4) applies.
178. Furthermore, it is important to recall that prior to invoking the restriction, controllers must carefully analyse the content and scope of the request. For example, a request should not be regarded as manifestly unfounded if the request is related to the processing of personal data not subject to the GDPR (in this case, the request should not be dealt with as an Art. 15-request at all).
179. Other cases in which the applicability of Art. 12(5) GDPR is questionable are requests related to information or processing activities that are clearly and obviously not subject to the processing activities of the controller.
180. A controller should not presume that a request is manifestly unfounded because the data subject has previously submitted requests which have been manifestly unfounded or excessive or if it includes unobjective or improper language.
6.3.2 What does excessive mean?
181. There is no definition of the term “excessive” in the GDPR. On the one hand, the wording “in particular because of their repetitive character” in Art. 12(5) GDPR allows for the conclusion that the main scenario for application of this limb with regard to Art. 15 GDPR is linked to the quantity of requests of a data subject for the right of access. On the other hand, the aforementioned phrasing shows that other reasons that might cause excessiveness are not excluded a priori.
182. Certainly, according to Art. 15(3) GDPR regarding the right to obtain a copy, a data subject may submit more than one request to a controller101. In the event of requests that could potentially be regarded as excessive, the assessment of “excessiveness” depends on the analysis carried out by the controller and the specifics of the sector in which it operates.
183. In case of subsequent requests, it has to be assessed whether the threshold of reasonable intervals (see Recital 63) has been exceeded or not. Controllers must take into account the particular circumstances of each case carefully.
184. For example, in the case of social networks, a change in the data set will be expected at shorter intervals than in the case of land registers or central company registers. In the case of business associates, the frequency of contacts with the customer should be considered. Accordingly the “reasonable intervals” within which data subjects may again exercise their right of access are also different. The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access to their personal data without it being excessive. On the other hand, a second request by the same data subject could be considered to be repetitive in certain circumstances.
100 A different question is whether the authority which the access request was addressed to is entitled to transmit the request to the competent state authority.
101 According to the second sentence of Article 15(3), the controller may charge a reasonable fee for further copies requested.
185. When deciding whether a reasonable interval has elapsed, controllers should consider the following in the light of the reasonable expectations of the data subject:
• how often the data is altered – is information unlikely to have changed between requests? If a data pool is obviously not subject to a processing other than storage and the data subject is aware of this, e.g. because of a previous request for the right of access, this might be an indication for an excessive request;
• the nature of the data – this could include whether it is particularly sensitive;
• the purposes of the processing – these could include whether the processing is likely to cause detriment (harm) to the requester if disclosed;
• whether the subsequent requests concern the same type of information or processing activities or different ones102.
102 If the subsequent request concerns the same type of information in scope AND time, this is not a question of excessiveness but a question of request for an additional copy, see section 2.2.2.2.
186. When it is possible to provide the information easily by electronic means or by remote access to a secure system, which means that complying with such requests does not actually strain the controller, it is unlikely that subsequent requests can be regarded as excessive.
187. If a request overlaps with a previous request, the overlapping request can generally be regarded as excessive if and insofar as it covers exactly the same information or processing activities and the controller has not yet complied with the previous request, provided that the state of “undue delay” (see Art. 12(3) GDPR) has not yet been reached. In practice, as a consequence, both requests could be combined.
188. The fact that it would take the controller a vast amount of time and effort to provide the information or the copy to the data subject cannot on its own render a request excessive103. A large number of processing activities typically implies greater effort when complying with access requests. However, as stated above, under certain circumstances requests can be regarded as excessive for reasons other than their repetitive character. In the view of the EDPB this encompasses particularly cases of abusive reliance on Art. 15 GDPR, which means cases in which data subjects make an excessive use of the right of access with the only intent of causing damage or harm to the controller.
189. Against this background, a request should not be regarded as excessive on the ground that:
• no reasons are given by the data subject for the request or the controller regards the request as meaningless;
• improper or impolite language is used by the data subject;
• the data subject intends to use the data to file further claims against the controller.104
190. On the other hand, a request may be found excessive, for example, if:
• an individual makes a request, but at the same time offers to withdraw it in return for some form of benefit from the controller or
• the request is malicious in intent and is being used to harass the controller or its employees with no other purposes than to cause disruption, for example based on the fact that:
o the individual has explicitly stated, in the request itself or in other communications, that it intends to cause disruption and nothing else; or
o the individual systematically sends different requests to a controller as part of a campaign, e.g. once a week, with the intention and the effect of causing disruption105.
103 No proportionality test, see above para. 166.
104 This is without prejudice to any applicable national law that complies with the requirements posed by Art. 23 GDPR, see Chapter 6.4.
6.3.3 Consequences
191. In case of a manifestly unfounded or excessive request for the right of access controllers may, according to Art. 12(5) GDPR, either charge a reasonable fee (taking into account the administrative costs of providing information or communication or taking the action requested) or refuse to comply with the request.
192. The EDPB points out that controllers are, on the one hand, not generally obliged to charge a reasonable fee before refusing to act on a request. On the other hand, they are not completely free to choose between the two alternatives either. In fact, controllers have to make an adequate decision depending on the specific circumstances of the case. Whereas it is hardly imaginable that charging a reasonable fee is a suitable measure in the case of manifestly unfounded requests, for excessive requests, in line with the principle of transparency, it will often be more appropriate to charge a fee as compensation for the administrative costs the repetitive requests are causing.
193. Controllers must be able to demonstrate the manifestly unfounded or excessive character of a request (Art. 12(5) third sentence GDPR). Hence, it is recommended to ensure proper documentation of the underlying facts. In line with Art. 12(4) GDPR, if controllers refuse to act on an access request in whole or in part, they must inform the data subject without delay and at the latest within one month of receipt of the request of
• the reason why,
• the right to lodge a complaint with a supervisory authority,
• the possibility to seek a judicial remedy.
194. Before charging a reasonable fee based on Art. 12(5) GDPR, controllers should provide an indication of their plan to do so to the data subjects. The latter have to be enabled to decide whether they will withdraw the request to avoid being charged.
195. Unjustified rejections of requests of the right of access can be regarded as infringements of data subject rights pursuant to Art. 12 to 22 GDPR and can therefore be subject to the exercise of corrective powers by competent supervisory authorities, including administrative fines based on Art. 83(5)(b) GDPR. If data subjects consider there is an infringement of their data subject rights, they have the right to lodge a complaint based on Art. 77 GDPR.
105 “Systematically sending as part of a campaign” means that requests which could easily be combined to one are artificially split into not just a few but many single pieces by the data subject with the apparent intention to cause disruption.
6.4 Possible restrictions in Union or Member States law based on Article 23 GDPR and derogations
196. The scope of the obligations and rights provided for in Art. 15 GDPR may be restricted by way of legislative measures in Union or Member States law106.
197. Controllers who plan to rely on a restriction based on national law must carefully check the requirements of the provision of the respective national legislation. Furthermore, it is important to note that restrictions of the right of access in Member State (or Union) law which are based on Art. 23 GDPR must strictly fulfil the conditions laid down in this provision. The EDPB has issued the Guidelines 10/2020 on restrictions under Art. 23 GDPR with further explanations on this. In terms of the right of access, the EDPB recalls that controllers should lift the restrictions as soon as the circumstances that justify them no longer apply107.
198. Legislative measures which relate to restrictions under Art. 23 GDPR may also foresee that the exercise of a right is delayed in time, that a right is exercised partially or circumscribed to certain categories of data or that a right can be exercised indirectly through an independent supervisory authority108.
106 See for example sections 32 to 37 of the German Federal Data Protection Act (BDSG), sections 16 and 17 of the Norwegian Personal Data Act and chapter 5 of the Swedish Data Protection Act.
107 Paragraph 76 of the Guidelines 10/2020 on restrictions under Art. 23 GDPR, Version 2.0, adopted on 13 October 2021.
108 Paragraph 12 of the Guidelines 10/2020 on restrictions under Art. 23 GDPR, Version 2.0, adopted on 13 October 2021. Section 34(3) of the German Federal Data Protection Act, for example, states that if a public authority does not provide information to a data subject in response to a request for the right of access because of certain restrictions, such information shall be provided to the federal supervisory authority at the request of the data subject, unless the responsible supreme federal authority (of the authority which was subject to the request) determines in the individual case that doing so would endanger the security of the Federation or a Land. The Italian DPCode provides for indirect access (through the authority) in case the access could have adverse consequences for a number of interests (e.g. the interest in combating money laundering), see Art. 2-L of the Italian DPCode.
ANNEX – FLOWCHART
[Flowchart not reproduced in this text version. Recoverable structure of the chart:]
Step 1: How to interpret and assess the request? (Does the request relate to the requesting person? YES / NO)
Step 2: How to answer the request (1), (2), (3)
Step 3: Checking limits and restrictions (1), (2)
Outcome boxes: "Provide information to the data subject in adjusted form." / "Do not provide information to the data subject in so far as rights and freedoms of others would be affected and prevail."