3 minute read
information is provided
visually impaired data subjects or other data subjects who may have difficulty in accessing or understanding information, the controller is expected to take measures facilitating the understanding of the information provided, including oral information when adequate72 . The controller should take special care to ensure that people with special needs, such as elderly people, children, visually impaired persons or persons with cognitive disabilities can exercise their rights, for instance by proactively providing easily accessible elements to facilitate exercise of these rights.
5.2.4 A vast amount of information necessitates specific requirements on how the information is provided
Advertisement
141. Regardless of the means used to provide access there may be a tension between the amount of information the controller needs to provide data subjects with and the requirement that it must be concise. One way of achieving both, and an example of an appropriate measure for certain controllers, when a vast amount of data is to be provided, is to use a layered approach. This approach can facilitate the data subjects’ understanding of the data. It should nevertheless be stressed that this approach can only be used under certain circumstances and needs to be carried out in a way that does not limit the right of access, as explained below. Furthermore, the use of a layered approach should not create an extra burden for the data subject. Hence, it would be best suited when access is provided in an online context. A layered approach is merely a way to present the information under Art. 15 in a manner which is also compliant with the requirements in Art. 12(1) and should not be confused with the possibility for the controllers to request that the data subject specifies the information or processing activities to which the request relates, as prescribed in Recital 6373 .
142. A layered approach in relation to the right of access means that a controller, under certain circumstances, can provide the personal data and the supplementary information required under Art. 15 in different layers. The first layer should include information about the processing and data subject’s rights according to Art. 15(1)(a)-(h) and 15(2) as well as a first part of the processed personal data. In a second layer, more personal data should be provided.
143. When deciding what information should be given in the different layers the controller should consider what information the data subject in general would consider as most relevant. In line with the fairness principle, the first layer should also contain information on the processing which has the most impact on the data subject and processing which could surprise them74 . The controllers need to be able to demonstrate accountability as to their reasoning of the above.
Example: A controller analyses big data sets to place customers in different segments depending on their online behaviour. In this situation, it can be assumed that the information that is the most important for the data subjects to obtain is information about what segment they have been put in. As a result, this information should be included in the first layer. The data in a raw format75 that has not yet been analysed or further processed, such as user activity on a website, is also personal data covered by the right of access, however, it could in some cases be sufficient to provide this information in another layer.
144. For the use of layered approach to be considered as an appropriate measure it is necessary that the data subject is informed at the outset that the information under Art. 15 is structured into different
72 See WP29 Guidelines on transparency - endorsed by the EDPB, para. 21. 73 See al s o s ection 2.3.1. 74 See WP29 Guidelines on transparency - endorsed by the EDPB, para. 36. 75 See footnote 71.
44
