Complying with Access Requests under the GDPR
- Author: Niklas Drexler
- Last updated: 08.11.2019
- Category: General Obligations; Consumer Rights
So-called "data subjects", including consumers and employees of B2B business partners, have several rights under the EU General Data Protection Regulation (GDPR). In practice, one of the most relevant of these is the right of access under Art. 15 GDPR. It entitles natural persons in the EU to request information from businesses acting as data controllers on how they use the personal information held about the inquirer.
Who is entitled to the right to access?
Within the scope of the GDPR, a company is required to grant access requests from any individual whose personal information is collected, retained, used, or otherwise processed. This may include EU consumers as well as employees of EU business partners, irrespective of whether they have already purchased goods or services (customers) or not (leads, vendors). It also makes no difference whether the collection of personal information is part of a non-chargeable service, e.g. in the context of registering free user accounts or subscribing to newsletters.
Data subjects may only request access from the data controller, i.e. the company “which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Art. 4(7) GDPR). Data processors, meaning vendors processing “personal data on behalf of the controller” (Art. 4(8) GDPR), such as many SaaS, hosting, IT maintenance, cloud or accounting service providers, need not comply with such requests themselves, but may refer them to their respective B2B customers instead, which are primarily responsible under the GDPR.
What information is covered by the right to access?
Under Art. 15 GDPR, data controllers must provide the data subject with the following information upon request:
- the purposes of the processing (e.g. distribution of marketing e-mails, delivery of goods, details on how the personal information is used for rendering contractually agreed services);
- the categories of personal data concerned (e.g. name, e-mail, postal address, behavioral data when using an online service);
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries (e.g. marketing partners, categories of vendors with whom the data are shared);
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period (e.g. retention periods based on internal data retention policies);
- the existence of the right to request from the controller rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR) concerning the data subject or to object to such processing (Art. 21 GDPR);
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source (e.g. data collected from the internet, auto-enriched leads in CRM tools, information obtained from marketing partners);
- information on whether the data is subject to automated decision-making (Art. 22 GDPR), and, if applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In addition to this explanatory information, data subjects are entitled to obtain a copy of the personal information undergoing processing pursuant to Art. 15(3) GDPR. According to recent rulings by German courts (OLG Köln, judgement of 26 July 2019 – 20 U 75/18), such a copy is not restricted to master data, but comprises, amongst others, memos relating to communication with the inquirer.
Consequently, the data controller must gather all information on the respective inquirer from its databases (e.g. CRM, e-mails, mobile app data logging, order history, etc.) and provide him or her with a copy. The copy may be provided in the form in which the data is available to the data controller, without additional preparation; however, where the request is made electronically, the information must be provided in a commonly used electronic form. Therefore, where information is processed by software that uses its own data format, data controllers may have to convert it to more common file types such as PDF.
What else should be taken into account when processing access requests?
The GDPR stipulates further requirements for data controllers in the context of complying with access requests by data subjects. These include:
- Data controllers must process access requests “without undue delay and in any event within one month of receipt of the request” (Art. 12(3) GDPR). This period may be extended up to 3 months, taking into account the complexity and number of the requests, however, data controllers must explain the reasons for the delay to the inquirer within one month.
- Access requests must be processed free of charge, unless the request is manifestly unfounded or excessive (e.g. exercising the right of access on a weekly basis), or in case the inquirer requests further copies of all personal information concerning him or her. Whether the data controller is entitled to charge a reasonable fee or to refuse to act on the request should be assessed on a case-by-case basis.
- Unless otherwise requested by the data subject, the information must be provided in electronic form where the request was filed electronically (e.g. via e-mail, or by using an “access request” feature within the login area of a website or mobile app).
- Data controllers should verify the identity of the individual filing an access request before processing it in order to avoid unauthorized disclosure of personal information to third parties (e.g. by asking security questions on the telephone).
- Any communication following an access request must be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child” (Art. 12(1) GDPR).
How can access request management be put into practice?
Timely processing of access requests can be burdensome and a strain on personnel resources. Particularly where personal information on a data subject is spread among various departments or databases, gathering such data may require significant effort. Some IT vendors, such as Microsoft, provide information on how to process access requests concerning data processed with their products.
Companies are advised to implement standardized procedures for processing access requests, including templates for responses and an internal allocation of responsibilities. Depending on the number of expected access requests and the estimated costs, companies may consider surveying the market for GDPR compliance software tools that help them meet GDPR requirements.