Rights to transparency and access under the GDPR and D-DPA
As regular readers of our data protection articles will know, our aim is to give you a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Draft Data Protection Act (D-DPA), a draft revision of which is still subject to debate, and which is expected to partly enter into force later this year.
In the next few data protection articles we will be discussing the rights of data subjects, which include:
- The right to information and transparency
- The right of access
- The right of rectification
- The right to erasure – or ‘the right to be forgotten’
- The right to restriction
- The right to withdraw consent
- The right to lodge a complaint with a supervisory authority
- Rights relating to automated decision-making and profiling
- The right to data portability (GDPR only)
- The right to object
In this article, we are focusing on the right to information and transparency, and the right of access.
The right to information and transparency under the GDPR and D-DPA
Under the GDPR, controllers have to inform data subjects about an extensive list of topics, including the identity and contact details of the controller, and the purposes of the processing.
In addition, the GDPR specifically requires that the information is provided to the data subject in a concise, transparent, intelligible and easily accessible format, using clear and plain language (for more information, please read our newsletter on this topic).
The D-DPA includes similar information requirements, but the conditions are less detailed and the list of information to be provided is less extensive (for more information, please read our newsletter on this topic).
The right of access under the GDPR
Under the GDPR, the right of access grants data subjects the right to obtain confirmation from the controller as to whether or not their personal data is being processed.
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of – and can verify the lawfulness of – the processing.
Upon request, data subjects are entitled to access their personal data, and to receive details about the following:
- The purposes of the processing
- The categories of data that are being processed
- The recipients of the data (and if they are located in third countries, any safeguards, if applicable)
- The envisaged storage period (where it is possible to estimate this) or the criteria that will determine that period
- The data subject’s rights
- The existence of automated decision-making (including profiling), as well as the logic involved, the significance and the envisaged consequences of such processing for the data subject
- Any available information regarding the source of the data (in cases where data is not collected directly from the data subject)
The information must be provided to the data subject without delay, and within one month of receipt of the request at the latest. In the event that a request is complex, the compliance period can be extended by two months (in which case the controller must inform the data subject of the reason for the delay within one month of receiving the request).
Moreover, the information must be provided using reasonable means – for example, if the request was made electronically, the information should be provided in a commonly used electronic format.
The information should also be provided free of charge, although a reasonable fee can be charged if the request is unfounded or excessive.
Where requests are clearly unfounded or excessive (e.g. if they are repetitive), the controller can choose to refuse the request. In that event, the controller must inform the data subject of the reason(s) for refusal and must inform them of their right to complain to the supervisory authority.
The right of access under the D-DPA
The right of access under the D-DPA is similar to that under the GDPR. The data subject should have access to all necessary information in order to exercise their rights under the D-DPA.
The list of information to be provided is slightly different from the GDPR:
- There is an obligation to give information about the data controller(s), especially in cases where joint controllers exist.
- Information does not need to be provided about the data subject’s rights.
- In the case of automated decisions, there is no obligation to inform the data subject about the significance and envisaged consequences of such processing for them.
The right of access has to be granted free of charge and no data subject may waive their access right in advance.
In addition, the D-DPA stipulates that in cases where data is not processed by the controller but by a processor, the controller remains responsible for providing this information.
Finally, health data may only be communicated to the data subject with their consent, and by a healthcare professional designated by them.
Under certain circumstances – for instance if it is necessary to safeguard a third party’s overriding interest or when an access request is clearly unfounded or frivolous – the controller may refuse, restrict or postpone access to such information. In that event, the controller must inform the data subject of the reason(s) for this decision.
Comply with the highest right of access standards
The safest approach for organisations is to comply with the highest standards of both the GDPR and the D-DPA.
- Set up internal procedures and protocols for handling access requests from data subjects that comply with both the GDPR and the D-DPA. Such protocols should also cover procedures to verify the data subject’s identity.
Joanne ZaaijerAssociate Attorney at law
Joanne Zaaijer, attorney at law, is an associate in our Rotterdam office. She focusses on data protection and privacy law, telecommunications, life sciences, advertising and e-commerce.T: +31 20 578 52 55 M: +31 6 53 57 74 21 E: Joanne.Zaaijer@loyensloeff.com