layers and provided with a description of what personal data and information that will be contained in the different layers. In this way it will be easier for the data subject to decide what layers they want to access. The description should objectively reflect all the categories of personal data that are actually processed by the controller. It also needs to be clear how the data subject can get access to the different layers. Access to the different layers shall not entail any disproportionate effort for the data subject and shall not be made conditional to the formulation of a new data subject request. This means that the data subjects must have the possibility to choose whether to access all layers at once or if they would be satisfied with only accessing one or two of the layers. Example: A data subject makes an access request to a video streaming service. The request is made through an option that is available when data subjects have logged into their account. The data subject is presented with two options, appearing as buttons on the webpage. Option one is to download part 1 of the personal data and the supplementary information. This contains, for example a recent streaming history, account information and payment information. Option two is to download part 2 of the personal data that contains technical log files about the data subjects activities and historical information on the account. In this case, the controller, has made it possible for data subjects to exercise their right in a way that does not create an extra burden for the data subject. Situation 1: In cases where the data subject only chooses the button to download part 1 of the personal data, the controller is obliged only to provide part 1 of the data. Situation 2: In cases where the data subject chooses the buttons for both part 1 and part 2 of the data, the controller cannot communicate only part 1 of the data and ask for a new confirmation before communication of part 2 of the data. Instead both parts of the data must be provided to the data subject as it follows from the request made. 145. The use of a layered approach will not be considered appropriate for all controllers or in all situations. It should only be used when it would be difficult for the data subject to comprehend the information if given in its entirety. In other words, the controller needs to be able to demonstrate that the use of layered approach adds value for the data subject in helping them understand the information provided. A layered approach would therefore only be considered appropriate when a controller processes a vast amount of personal data about the data subject making a request and where there would be apparent difficulties for the data subject to grasp or comprehend the information if it were to be provided all at once. The fact that it would require great effort and resources from t he controller to provide the information under Art. 15 is not in itself an argument for using a layered approach.
5.2.5 Format 146. According to Art. 12(1), information under Art.15 shall be provided in writing, or by other means, including, where appropriate, by electronic means. As regards access to the personal data undergoing processing, Art. 15(3) states that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The GDPR does not specify what a commonly used electronic form is. Thus there are several conceivable formats that can be used. What is considered to be a commonly used electronic form will also vary over time. 147. What could be considered as a commonly used electronic form should be based upon the reasonable expectations of the data subjects and not upon what format the controller uses in its daily operations. The data subject should not be obliged to buy specific software in order to get access to the information. 45 Adopted - version for public consultation
