
Annex – Flowchart

Step 1: How to interpret and assess the request?

Does the request concern personal data?
  NO  -> No access request
  YES -> Is it a GDPR request?
           NO  -> Request on a different legal basis
           YES -> Is it an Art. 15 request?
                    NO  -> Request on a different data subject right
                    YES -> Does the request relate to the requesting person?
                             NO  -> Authorisation check (in case of a request by a third party)
                                      NO  -> No access
                                      YES -> What is the scope of the request?
                             YES -> Identity check, in case of doubts
                                      NO  -> No access
                                      YES -> What is the scope of the request?

What is the scope of the request?
Verify the scope of the request in line with section 4 of the Guidelines (if a large quantity of information is processed or the request is imprecise, ask the data subject to further specify the request).
Step 2: How to answer the request (1)

3 main components of the right of access (structure of Art. 15):
  - Confirmation whether or not personal data are being processed
  - Access to the personal data
  - Additional information on purposes, recipients etc. (Art. 15(1)(a)-(h))

Step 2: How to answer the request (2)

Take appropriate measures:
  - Art. 12(1): concise, transparent, intelligible, easily accessible
  - Art. 12(2): facilitate the exercise of the right of access
  - Choose between different means
  - Provide a copy, if not agreed otherwise (Art. 15(3))
  - Use a layered approach if appropriate (most relevant in an online context)
  - Timing – without undue delay, in any event within one month (extension by two further months in exceptional cases) (Art. 12(3))

Step 2: How to answer the request (3)

How can the controller retrieve all data about the data subject?
  1. Define search criteria, based on what the data subject has provided, other information that the controller holds about the data subject, and the factors on which data is structured (e.g. customer number, IP addresses, professional title, family relations etc.).
  2. Identify any technical functions that may be available to retrieve data.
  3. Search through all relevant IT or non-IT filing systems.
  4. Compile, extract or otherwise collect data that relates to the data subject in a way that fully mirrors the processing, i.e. that includes all personal data regarding the data subject, and enables the data subject to be aware of and verify the lawfulness of the processing.
The retrieval of the information can be done case by case or, when relevant, by use of a privacy-by-design tool already implemented by the controller.
Step 3: Checking limits and restrictions (1)

Art. 15(4): Would rights or freedoms of others be affected by answering the access request?
  NO  -> Provide information to the data subject.
  YES -> Balancing:
           Is there a negative impact on the rights or freedoms (assessment of likeliness and severity of risks to other individuals)?
             NO  -> Provide information to the data subject.
             YES -> Do the rights and freedoms of others prevail over the rights of the data subject?
                      NO  -> Provide information to the data subject.
                      YES -> Can the conflict be resolved by reconciliation, e.g. redacting certain information?
                               YES -> Provide information to the data subject in adjusted form.
                               NO  -> Do not provide information to the data subject in so far as rights and freedoms of others would be affected and prevail.
Step 3: Checking limits and restrictions (2)

Art. 12(5): Is the request manifestly unfounded?
  YES -> Charge a reasonable fee, or refuse to act.
         (Very limited scope for relying on this ground.)
  NO  -> Is the request excessive?
           - due to the repetitive character, or
           - due to other reasons for excessiveness (abusive requests): cases in which data subjects make a request for the right of access with the only intent of causing damage or harm to the controller.
           NO  -> Provide information to the data subject for free.
           YES -> Charge a reasonable fee, or refuse to act.