Blog details

Data subject right of access: Guidelines by the EDPB

Data subject right of access: Guidelines by the EDPB

The EDPB recently released guidelines on data subject right of access in the context of the GDPR.


The right of access aims to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data. This is expected to add greater ease to the process of data subjects exercising their rights to erasure and rectification, although it is not a condition to them exercising those rights. The data subject right of access is enshrined in both the GDPR (Article 15), as well as the Charter of Fundamental Rights of the EU. Under the GDPR, this right consists of three components. This includes confirmation of whether or not an individual’s personal data is being processed, access to it, and information about the processing of this personal data. Essentially, this summarizes a data subject’s ability to question, access, and verify any personal data being held by a controller. The EDPB has released its official guidelines on data subject right of access.


Data subject right of access includes the right of confirmation as to whether or not data is being processed, access to the personal data being processed as well as information on the processing of the data.


The right of access can only be exercised regarding personal data which falls within the material and territorial scope of the GDPR. Therefore, an integral part of the assessment carried out by the controller, is the differentiation between personal data and other data, identifying the scope of the data which the data subject is entitled access to. Under the GDPR, personal data is “any information relating to an identified or identifiable natural person”. The CJEU ruled that the right of access covers personal data contained in minutes, like “name, date of birth, nationality, gender, ethnicity, religion and language of the applicant“ “and, where relevant, the data in the legal analysis contained in the minute”. This right of access can be exercised exclusively by the data subject (and in select cases by an authorized person or proxy). It is also important to note that at times personal data may include data relating to another individual at the same time, however this does not automatically mean that personal data of another individual can and should be shared by a controller. The controller must ensure compliance with Article 15(4) of the GDPR which states “The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.” 

Access requests must be handled within the required time frame, but may be extended by two months if necessary depending on the complexity and number of requests.


Under Article 12 of the GDPR, a controller is required to take action, and provide information on action taken regarding the access request to the data subject without undue delay, and within one month of receipt of the request. This deadline can be extended by a controller by a maximum of two months, depending on the number of requests received and the complexity of the requests. However, in the event the initial one month deadline needs to be extended, the data subject must be informed of the extension, and the reason why it is necessary without delay, and within the one month period after the request was received. The EDPB maintains however, that access requests should be handled without undue delay, meaning the information should be given as soon as possible. This time limit starts when the controller has received an access request. However in cases where the controller needs to communicate with the data subject in order to confirm the identity of the person making the request, there may be a suspension in time, with the time limit starting when the controller has obtained all the information needed from the data subject, provided that the controller has requested the information without undue delay. 


The EDPB has outlined how access should be provided, depending on the amount of data and the complexity of the processing.


According to the EDPB, unless explicitly stated otherwise, requests should be understood as referring to all personal data concerning the data subject. A controller may ask the data subject to specify the request if the controller processes a very large amount of data. Otherwise, the controller will have to search for personal data throughout all IT systems, as well as all non-IT filing systems based on a search criteria that mirrors the structure of the stored information. For example, the controller would search for information relating to a specific data subject name or customer number. Communication relating to the processing must be provided in a concise, intelligible, transparent and easily accessible form, making use of clear and clean language. This data, particularly if it contains “raw data” has to be explained in a manner which would make sense to the data subject. Generally speaking this data must be sent in a permanent form such as written text, and can be sent via email. The EDPB suggests taking a layered approach to presenting the information in cases where the amount of data is vast, in order to facilitate the data subject’s understanding of the data presented. In this case all layers should be provided at the same time if the data subject requests it. 


The EDPB, in this recent release of its official guidelines on data subject right of access, has provided several specific examples of scenarios, and how they each should be handled, to enable data controllers to understand their role and responsibilities in fulfilling access requests, and maintaining compliance. For more information, including visual flow charts demonstrating when and how access requests should be handled, controllers may refer to the guidelines

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
VIII IAB Spain Digital Advertising Regulation Summit Overview
February 8, 2022
Next post
Stop using Google Analytics: CNIL gives formal notice to website managers.
February 15, 2022

Leave a Comment