GUIDELINES ON RIGHT OF ACCESS BY THE EUROPEAN DATA PROTECTION BOARD

Updated: Feb 11


The European Data Protection Board (EDPB) has prepared “Guidelines on Right of Access”. The Guidelines clarify the extent of the right of access, the information that the controller is required to send to the data subject, the format of the access request, the primary modalities for providing access, and the concept of clearly unfounded or excessive requests.

According to the Law Insider Dictionary, right of access means “A data subject’s right to obtain from an Authority confirmation as to whether or not personal data concerning him or her are being processed, and whether that is the case, to access the personal data.”[1]

The guidance is in harmony with Article 15 of the GDPR, which describes data subjects’ right of access and consists of three components. The data subject has the right to receive the following from the relevant controller: (a) confirmation of whether personal data has been processed; (b) access to such personal data; (c) specific information about the processing itself, including the purpose of the data processing, the categories of personal data and recipients, and the duration of the processing. In accordance with Article 15 of the GDPR, the controller must also provide a copy of the personal data being processed[2].

The main purpose of the right of access is to give data subjects a basis on which they can be informed of the processing and check its legality and accuracy. In addition, the right of access facilitates the exercise of other GDPR rights for data subjects, such as the right to erasure or rectification. However, exercising the right of access is not a prerequisite for exercising such rights.

Art. 4 GDPR includes the definition of personal data. The definition sets out the extent of the term “personal data”. The extent of personal data and the extent of the right of access are the same[3].

When the data subject exercises the right of access, there are two sets of obligations to be fulfilled by the data controller. The first obligation is to inform the data subject about whether or not his or her personal data have been processed. If the personal data is processed, the second obligation requires the data controller to inform the data subject about the following: “the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage or criteria for their definition, information about the rights of the data subject such as rectification, erasure or restriction of processing, the right to object, instructions on the right to lodge a complaint with the authorities, information about the origin of the data”[4].

When the data subject exercises the right of access, the right includes all the personal data that is processed by the data controller, unless clearly expressed otherwise.

The limits and restrictions to the right of access are stated in the Guidelines as “without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject’s request.”[5]


REFERENCES:

· https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf

· https://gdpr-info.eu/issues/right-of-access

· https://www.lawinsider.com/dictionary/right-of-access



Authors:

Attn. Murat Gülgün

Hazal Kızılkaya, Legal Trainee


SOURCES:

[1] https://www.lawinsider.com/dictionary/right-of-access

[2] Guidelines 01/2022 on Data Subjects Rights- Right of Access, Version 1.0, pg. 2

[3] Guidelines 01/2022 on Data Subjects Rights- Right of Access, Version 1.0, pg. 3

[4] https://gdpr-info.eu/issues/right-of-access

[5] Guidelines 01/2022 on Data Subjects Rights- Right of Access, Version 1.0, pg. 3