Mervinskiy 467


134. Even controllers that process a vast amount of data can choose to rely on manual routines for handling access requests. If the controller processes data in several different departments, the controller needs to collect the personal data from each department to be able to respond to the data subject request.

Example: An administrator is appointed by the controller to handle the practical issues regarding access requests. When receiving a request the administrator sends an enquiry through e-mail to the different departments of the organisation asking them to collect personal data regarding the data subject. Representatives of each department give the administrator the personal data processed by their department. The administrator then sends all the personal data to the data subject together with the necessary supplementary information, for example and when appropriate, by e-mail.

135. Although manual processes for handling access requests could be regarded as appropriate, some controllers may benefit from using automated processes to handle data subject requests. This could for example be the case for controllers that receive a large number of requests. One way to provide the information under Art. 15 is by providing the data subject with self-service tools. This could facilitate an efficient and timely handling of data subjects’ requests of access and will also enable the controller to include the verification mechanism in the self-service tool.

Example: A social media service has an automated process for handling access requests in place that enables the data subject to access their personal data from their user account. To retrieve the personal data the social media users can choose the option to “Download your personal data” when logged into their user account. This self-service option allows the users to download a file containing their personal data directly from the user account to their own computer.

136. The use of self-service tools should never limit the scope of personal data received. If it is not possible to give all the information under Art. 15 through the self-service tool, the remaining information needs to be provided in a different manner. The controller may indeed encourage the data subject to use a self-service tool that the controller has set in place for handling access requests. However, it should be recalled that the controller must also handle access requests that are not sent through the established channel of communication[67].

5.2.3 Providing access in a “concise, transparent, intelligible and easily accessible form using clear and plain language”

137. According to Art. 12(1) the controller shall take appropriate measures to provide access under Art. 15 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

138. The requirement that providing access to the data subject has to be done in a concise and transparent form means that controllers should present the information efficiently and succinctly in order to be easily understood and captured by the data subject, especially if it is a child. The controller needs to take into account the quantity and complexity of the data when choosing means for providing access under Art. 15.

Example: A social media provider processes a vast amount of information about a data subject. A large part of this personal data is information contained in hundreds of pages of log files where the data subject’s activities on the website are registered. If data subjects request access to their personal data, these log files are indeed covered by the right of access. The right of access may therefore be formally fulfilled if these hundreds of pages of log files were to be provided to the data subject. However,

[67] See section 3.1.2.

Adopted - version for public consultation

