News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Absent guidelines, many questions on facilitating DSARs Related reading: A view from DC: Will Maryland end the era of notice and choice?

rss_feed

""

At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection authorities have published guidance (e.g., the CNIL in France and U.K. Information Commissioner’s Office, whose updated draft right of access guidance is in public consultation until Feb. 12), it is not certain that regulators in other EU countries will take a similar position. Even within one jurisdiction, i.e., in Germany, regulators’ interpretation of what constitutes a proper response to, for example, a data subject access request may differ from one supervisory authority to another.

Therefore, the European Data Protection Board’s guidelines on data subject rights, foreseen in its "Work Program" for 2019–20, will be very much welcome. The guidelines will focus on the rights of access, rectification, erasure, objection and restriction, as well as the limitations to these rights. The feedback gathered at the EDPB’s dedicated stakeholder workshop, held in November 2019, is expected to feed into future guidelines (see the summary of the feedback received in this EDPB post). In several months, the EDPB plans to make draft guidelines available for public consultation, giving stakeholders the opportunity to comment. Only after the analysis of the comments received, the EDPB will adopt final guidelines, likely in the second half of the year.

With respect to DSARs, controllers must implement processes to ensure they can respond to a request within one month of its receipt (unless an extension of up to two months is necessary). They need to document their handling of a DSAR carefully to prove compliance with the GDPR. In case of infringing data subject rights, controllers run the risk of fines of up to 20 million euros or 4% of their total worldwide annual turnover, whichever is greater.

The guidelines present an opportunity to clarify several major questions regarding DSARs. This article explores the following issues in more detail:

  • The scope of the right to receive a copy of personal data.
  • Adequate measures to verify a data subject’s identity, including where the only personal data held by the controller is technical data, such as online identifiers.

Some of these issues were also raised to a certain extent at the EDPB’s stakeholder workshop, which means that, in principle, they would be addressed in the guidelines.

Should a copy of all documents be provided? 

The right of access provided in Article 15 of the GDPR comprises several elements. In response to a DSAR, the controller must:

  • Confirm whether an individual’s personal data is being processed.
  • Grant access to the personal data.
  • Provide certain information about the processing.
  • Provide a copy of the personal data being processed.

The last element — providing a copy — triggers many important practical issues. A literal reading of the provision would imply the controller should provide a "copy" of all personal data being processed, such as copies of files, logs, emails or any other (excerpts of) documents containing personal data relating to the data subject.

Alternatively, it could be interpreted as an obligation to provide a "summary" of all personal data being processed in relation to the data subject. Providing a summary, however, cannot circumvent the obligation to produce all personal data being processed, as doing so would fall short of fulfilling the obligation under Article 15(3) of the GDPR.

While a summary may not constitute a copy of personal data, this interpretation seems to be more purpose-oriented. In addition, Article 12(1) of the GDPR, describing the modalities of communication by the controller and the data subject exercising their rights, requires the controller to communicate in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Providing a summary of the personal data could potentially fulfill these conditions more adequately than providing copies of logs or files.

DPAs across the EU adopt different approaches. For instance, the U.K. ICO deems controllers need to carry out reasonable searches for the information covered by the request. There is substantial case law in the U.K. regarding what documents should be provided to a data subject, including documents and emails.

On the other hand, in Germany, there is no uniform guidance to date. Local DPAs interpret Article 15(3) of the GDPR differently, with some viewing that a summary is sufficient, whereas others view that document production is appropriate.

At all times, the controller should carry out a careful case-by-case assessment of the DSAR. In some cases, the controller may conclude that providing a copy of personal data best addresses the DSAR; in others, a summary of the processing may suffice. Ostensibly, the upcoming guidelines will bring more clarity.

Data subject identity verification: What are 'reasonable measures'?

To ensure that a DSAR originates from the data subject concerned, according to Recital 64 of the GDPR, the controller should “use all reasonable measures to verify the identity of a data subject” before responding to it. This is particularly relevant in the online environment, where the controller and the data subject do not meet in person.

Examples of identity verification include asking the data subject:

  • To log in to the account associated with the data subject (if the individual holds an account with the controller).
  • To answer several questions that only the data subject should know the answer to (e.g., the date the account was created, if the individual holds an account with the controller).
  • To prove access to the email address with which the data subject registered with the controller (e.g., by presenting a unique identification code that the controller will generate and send to such address upon request).
  • To submit a copy of an ID document (with certain data obfuscated).
  • For a combination of some of the above options.

In some cases, controllers consider that an email containing a DSAR received from the email account related to the data subject, corresponding to the one registered with the controller, suffices for identity verification. The identity verification procedure can vary depending on the nature of the record of personal data, as well as its importance, sensitivity and volume. For significantly important personal data (e.g., health or financial data), asking for a copy of an ID document may be appropriate. However, this is not the case for regular personal data.

In addition, when an individual submits a DSAR on behalf of someone else (e.g., a child), merely verifying their identity no longer suffices. In such a situation, the controller needs to verify the legal authority of the individual acting on the data subject’s behalf (e.g., through a power of attorney).

The interpretation of “all reasonable measures” for identity verification differs from one EU country to another. For example, the U.K. ICO recommends asking for additional information only if there are doubts about the identity of the person making the request. If this is the case, the controller should promptly respond to the data subject, requesting only additional information that is necessary to confirm the identity of the data subject. The ICO clarifies that the timeline for responding to the DSAR begins when the controller receives the additional information about the requestor’s identity.

In France, if the controller has reasonable doubts as to the identity of that person, it may request additional information, including a copy of an ID document bearing the signature of the holder. The French implementing decree of the data protection rules provides a possibility for both identity and postal address verification on the delivery of the DSAR response by registered mail — if the data subject requested a response in writing.

In Germany, the provision of an ID card copy is not permitted unless consent has been obtained from the ID cardholder.

What about online identifiers?

Certain businesses (e.g., website providers) process only online identifiers, such as cookie identifiers or IP addresses. Without other personal data regarding the data subject, the controller may struggle to verify with certainty the identity of the person where, for example, the DSAR is submitted through an email requesting access to all personal data related to an IP address or cookie identifiers, given that they may belong to a shared device, for example, in a household with several housemates. 

Article 11(1) of the GDPR is relevant here insofar as it states that where the controller processes online identifiers for a purpose that does not require it to identify the data subject, it is not obliged to process additional information to identify the data subject but it must be able to demonstrate that it is not in a position to identify them. Of course, the data subject may decide to provide additional information to the controller. If such information enables the controller to verify the identification of the data subject, the controller needs to accommodate the DSAR.

The notion of “all reasonable measures” for identity verification remains unclear in certain scenarios, including in relation to online data processing. It remains to be seen if the guidelines assist controllers in striking a balance between ensuring adequate identity verification to avoid sending a response to a DSAR to a false recipient and not collecting more personal data than is necessary.

While the GDPR sets uniform rules, their interpretation by DPAs still differs. The upcoming guidelines are, therefore, much awaited, bringing more clarity and consistency across the EU, in particular regarding DSARs. 

Photo by Brett Jordan on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Anna Ciesielska IAPP Member Contributor
Headshot Rosa Barcelo Nonmember Contributor
Tags
Europe
Privacy Operations Management
2 Comments

If you want to comment on this post, you need to login.

  • comment Xavier Le Hericy • Feb 4, 2020 
    The article appears to differentiate between "Grant access to the personal data." and "Provide a copy of the personal data being processed."  If such a difference exists, where does it appear in GDPR.  Article 15 is titled Right of access by the data subject, but the wording of the article simply states that the "controller shall provide a copy of the personal data undergoing processing."

There is a huge technical difference between providing a copy of the data (which can be done for example via email) and granting access to data stored in a system which would require granting of credentials, access controls, etc.  In my read of GDPR, providing a copy of the data is sufficient, there is no requirement to grant access to systems holding the data.

Maybe a moot point, but the differentiation between the two in the article was puzzling and worrisome.
  • comment Barry Cook • Feb 5, 2020 
    Great consultation document by the UK ICO concerning just these questions:

https://ico.org.uk/media/about-the-ico/consultations/2616442/right-of-access-draft-consultation-20191204.pdf
Related Stories
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
A view from Brussels: To be sovereign, or not to be
From another delay to the European Agency for Cybersecurity's European Cybersecurity Certification Scheme for Cloud Services, to the European Data Protection Board's strategy for 2024-2027, Parliament's adoption of the European Health Data Space, and ramped up enforcement of the Digital Services Act...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Operations Management
Recent Comments