When must controllers respond to DSARs with more than just a copy of personal data? Is it enough to point to a privacy notice to satisfy the extra GDPR requirements? UK and EU courts are increasingly saying that it's not enough.
Handling data subject access requests (DSARs) is an ongoing compliance burden for many organisations. In this series, we consider how different strategies can cut the task down to size. We have looked at reducing the burden through data protection by design, when it’s possible to say no to a DSAR, and problems linked to the use of private devices and private accounts by staff.
The next important, but often-overlooked, aspect is the amount of information in addition to copies of their personal data which a controller may need to give to a data subject under Article 15 of the EU General Data Protection Regulation or its UK equivalent, the UK GDPR. This provision entitles the data subject to receive information about the purposes, categories of data, recipients, retention periods, additional rights, automated decision making and profiling, or categories of current and future recipient, and safeguards for international transfer.
Isn’t it all in the privacy notice?
Clued-up controllers will see that much of this information should already be in their organisation’s privacy notice. If all the elements of Article 15 are comprehensively set out in it, the controller may simply include a copy of the notice in its response to satisfy its obligations.
But controllers should beware. Recent European court cases - which are still influential on the UK approach, as well as applying where controllers are dealing with EU GDPR-governed data – highlight that just sending through a copy of the privacy notice may not be enough. This will be particularly true for platforms with opaque and generic privacy notices, as X discovered in July 2024 when it was ordered by a Dutch court to respond to a DSAR with more than just a link to its website.
So, what extra information should controllers consider?
Getting the recipients right
One of the pieces of additional information that an individual is entitled to under a DSAR is the ‘recipients or categories of recipient to whom the personal data have been or will be disclosed’. Privacy notices will almost universally refer to categories (such as “affiliate companies” or “marketing partners”) rather than individual business recipients. Is this enough?
Case law in the EU and the UK tells us that the controller may choose to rely on categories when it comes to privacy notices. But for DSAR responses, the general rule established in the Austrian Post case is that individual recipients must be identified, unless the request is impossible, manifestly unfounded or excessive.
This will mean extra work tracking down the names of each company involved in the context of a DSAR, particularly for controllers with large or multinational operations, and especially if they do not maintain a comprehensive and up to date record of processing activities.
Protecting identities
When it comes to recipients, controllers also have to think about whether they need to identify individual people rather than organisations. The position in the UK is affected by Schedule 2, paragraph 16 of the Data Protection Act 2018 which requires controllers to think about whether disclosures about third parties is reasonable, together with the relevant circumstances. By way of example, a recent UK High Court decision confirmed that following the case of Austrian Post, a data subject does have the right to know individual recipients, but they need not be disclosed where there is a risk of intimidation. However, this is an exception and not the rule, and the new standard position is that data subjects are entitled to know each individual recipient of their personal data.
A related CJEU case, Pankki, tells us that controllers must let a data subject know the dates and purposes of consultation operations by staff, but do not have to disclose individual staff member names unless this is essential to enable the requester to exercise their rights, and disclosure will not override the rights of staff members. In practice this probably means that names will only be required where there is a likelihood of unlawful access by employees acting outside controller authority: but controllers under pressure to disclose must still carry out the required assessment.
Contextual information
As well as the ‘individual recipients’ challenge, another area which is likely to mean going above and beyond the privacy notice is the requirement to provide contextual information to enable data subjects to understand how their personal data is being processed. In May 2024, the CJEU confirmed in the Addiko Bank ruling that the right to a “copy” of personal data will include a full copy of documents containing personal data where “necessary to enable the data subject to verify their accuracy and completeness and to ensure their intelligibility”.
This means that additional context may be necessary where raw data is incomprehensible. The CJEU ruled in October 2023 that for medical records, data subjects will be at a loss without full accompanying documents and mere summaries or compilations may be misleading. The same logic will apply to other scenarios involving technical information of high relevance to a data subject.
It’s totally automatic
One area where DSAR responses will increasingly require fresh information is solely automated decision-making. Under Article 15, a controller must give data subjects on request information about the existence, underlying logic, significance and consequences of any solely automated decision-making which significantly affects them.
The first major case on this aspect of the GDPR was recently considered by the Advocate General who set our their view on what this information should contain. For the AG, while underlying technical information such as algorithms do not need to be disclosed, accompanying information must be “meaningful” (i.e. practically useful), concise, easily accessible, easy to understand, and in clear and plain language. As well as being given clear and contextualised information, the data subject must be able to understand the information on which the automated decision was based, how it related to the final decision, and the weighting given to that information.
The full CJEU ruling is awaited. Given the proliferation of AI-powered decision-making systems this is an aspect of DSARs which is likely to become ever more difficult to navigate.
What to do?
- Get ahead by ensuring that privacy notices are comprehensive, clear and easy to access.
- Requests for each corporate recipient of data may be difficult to track through supply chains. Check your records of processing activities and keep tabs on suppliers and their sub-processors. Can you compel them to comply with requests for information? For suppliers that are processors, you can do so by relying on contractual obligations provided for as a result of Article 28 GDPR.
- Where requests are for individual recipients, your starting point is probably to say no but decisions must be properly assessed and recorded.
- Significant, solely automated decision-making will come under increasing scrutiny and is likely to attract DSARs. Make sure your system supplier can fully explain what they are doing, so you can do the same.
If you need assistance with this or any aspect of dealing with a DSAR, Shoosmiths has an end-to-end DSAR solution, SmartSAR, which can help streamline the DSAR process while still ensuring the precision and efficiency required to comply with the various requirements of Article 15 of the GDPR or any similar legislation around the world.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.