European General Data Protection Regulation: What you need to know
Legal matters are rarely exciting, but they are certainly helpful and necessary, especially when it comes to data protection.
The European General Data Protection Regulation (EU-GDPR) becomes mandatory on 25 May 2018. Just like the “old” German Federal Data Protection Act, it stipulates a right of access by the data subject (Art. 15 EU-GDPR). “But you need to be aware that, as regards the requirements and the scope of the disclosure, the regulations of EU-GDPR exceed those of the Federal Data Protection Act,” says Rainer Berndt, legal expert at EASY SOFTWARE AG.
Scope of the right of access according to Art. 15 EU-GDPR
What does the basic situation look like? According to Art. 15 Par. 1 EU-GDPR, data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and additional information on how they are processed.
“The right of access thus consists of two steps. In the first instance, data subjects can demand a confirmation from the controller to find out whether any personal information relating to them is being processed at all”, Berndt explains. In practical terms, this means:
- a) If no personal data relating to the requesting data subject are being processed, the data subject is to be advised of this.
- b) If personal data relating to the requesting data subject are being processed, then the data subject is generally entitled to access these data.
Rainer Berndt explains: “However, the general regulation requires additional action. According to Art. 15 Par. 1 EU-GDPR, the controller is also obligated to provide information regarding:
- the purpose of the processing,
- the categories of personal data being processed (new),
- the categories of recipients to whom the personal data have been or will be disclosed,
- where possible, the envisaged time limits for erasure, or at least the criteria for the determination of the time limit (new),
- the rights to rectification, erasure, or restriction of processing, and a right to object to the data processing according to Art. 21 EU-GDPR (new),
- the right to lodge a complaint with a supervisory authority (new),
- the source of the data insofar as they were not collected from the data subject in person,
- the use of automated decision making, if applicable, including profiling (applied business logic, scope, intended effects of the procedure).”
Please note also that, where personal data are transferred to a third country, data subjects have the right, according to Art. 15 Par. 2 EU-GDPR, to be informed of the appropriate safeguards pursuant to Art. 46 EU-GDPR (such as agreed standard data protection clauses).
Method, frequency and cost of data access
Some other aspects need to be taken into account as well:
According to Art. 15 Par. 3 EU-GDPR, the controller must provide a copy of the personal data undergoing processing to the data subject.
According to Art. 12 Par. 5 EU-GDPR, the controller must generally provide this information free of charge. However, for any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs in accordance with Art. 15 Par. 3 EU-GDPR. Moreover, where requests from a data subject are manifestly unfounded or excessive, the controller may either charge a reasonable fee or refuse to act on the request, according to Art. 12 Par. 5 EU-GDPR. “However, the controller bears the burden of demonstrating why a request is considered unfounded by way of exception. Art. 12 Par. 4 EU-GDPR stipulates that the data subject must be informed of the reasons for not taking action,” according to Berndt. In any event, data subjects are entitled to exercise their right of access to personal data at reasonable intervals (recital no. 63 of EU-GDPR).
Form and time frame of data access
The General Regulation also clearly specifies the modalities and time frame for data access: According to Art. 12 Par. 3 EU-GDPR, the controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests (e.g. high system complexity, missing interfaces, heterogeneously networked and distributed database systems). The controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
According to Art. 12 Par. 1 EU-GDPR, the information may be provided in writing, electronically or, at the request of the data subject, orally. However, if the information is provided orally, the identity of the data subject must be proven by other means. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form according to Art. 15 Par. 3 EU-GDPR. Recital no. 63 of EU-GDPR says that, where possible, the controller should provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. “In any case, when providing data access, compliance with mandatory security requirements must be ensured,” says EASY legal expert Berndt.
Exceptions to the right to data access
There are exceptions to every rule: the controller is not obliged to comply with every access request unconditionally, but may refuse to act on manifestly unfounded or excessive requests. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that the data subject specify the information or processing activities to which the request relates, according to recital no. 63 of EU-GDPR. In addition, Art. 15 Par. 4 EU-GDPR stipulates that the right to obtain a copy shall not adversely affect the rights and freedoms of others; by way of exception, this can limit what is disclosed (recital no. 63 names trade secrets, intellectual property and software copyright as examples).
In addition, the new (!) German Federal Data Protection Act that was recently passed and becomes effective on 25 May 2018 contains a few limitations and exceptions to the right of access stipulated in Art. 15 EU-GDPR. Given the primacy of application of EU-GDPR, the extent to which national legislation may limit Art. 15 EU-GDPR has to be decided case by case; this applies at least to areas where Art. 15 EU-GDPR is not directly covered by one or more of the numerous opening clauses included in the General Data Protection Regulation.
What does this mean for your company?
“For controllers, taking organizational measures well in advance that will allow them to answer requests fast and completely is recommended. After all, Art. 12 Par. 1 and Art. 5 Par. 2 EU-GDPR stipulate that controllers need to take appropriate preparatory organizational measures in order to be able to provide data subjects with the requested information in due time and in a suitable form,” is Rainer Berndt’s advice.
Also, remember: If you use EASY software to store personal data, among other things, and want to be optimally prepared for the time when EU-GDPR goes into effect, we will be happy to support you in taking the necessary steps. Rainer.Berndt@easy.de