Questions and Recurring Problems from the Participant's Point of View
Christopher Schmidt, FIP CIPP/E CIPM CIPT CDPO/BR
Lawyer + In-house Lawyer | Nonstop Data + Privacy + Technology | CoE Expert on Data Protection | Magister of Law | Law Tutor
Data Subject Rights under the GDPR
On 4th of November 2019, the European Data Protection Board ("EDPB") organised a stakeholders’ event on the topic of Data Subjects Rights under the General Data Protection Regulation ("GDPR"). Representatives from, among others, individual companies, sector organisations, NGOs, law firms and academia were welcome.
Three sessions were held:
- Right of access to personal data
- Right to rectification and right to erasure
- Right to restrict processing and right to object
Apart from the official short summary of the main issues raised with the EDPB and other stakeholders, shared by the European Data Protection Office (EDPO), lawyer Alessandro Rossini has kindly shared some points that, in his view, reflect the most frequent questions and recurring problems discussed by the various parties during the event.
While some of the questions raised could already be answered with specific Articles and Recitals of the GDPR, and further interpretative attempts can be found in the numerous guidelines of the EDPB as well as Data Protection Authorities from EU Member States, there still seems to be a considerable number of questions without a clear answer from the outset. Have a look below:
Art. 15 GDPR: Right of Access, Data Subject Access Requests
Some of the following questions were raised with regard to the right of access and Data Subject Access Requests ("DSAR"):
- In which cases should personal data be provided in interoperable formats? In which cases is it recommended to provide a PDF with the requested data?
- If a data controller has set up a login system (see Recital 63, 4th sentence of the GDPR), is it appropriate to require data subjects to use only this channel?
- It was found that some companies find it difficult to handle DSAR, while—on the other hand—it seems easy for data subjects to make such a request. What to do?
- In the event of repetitive DSARs, is there a time span that may or must elapse between two requests?
- How much effort do data controllers have to invest to fulfil DSARs? Is there a reasonable limit?
- As Art. 15(1) lit. c GDPR requires data controllers to inform about “recipients or categories of recipient to whom the personal data have been or will be disclosed”, how specific must that be? Is it possible to name groups of recipients or is it necessary to inform about each individual recipient?
- In the case of a DSAR, should data controllers that are subject to relatively short retention periods “freeze” (i.e., retain) the relevant data to be able to respond to the request?
Artt. 16 and 17 GDPR: Right to Rectification and Erasure (‘right to be forgotten’)
- Some of the guidelines are too theoretical and should have a stronger practical relevance.
- It is necessary to give data subjects more clarity about their rights and the consequences of exercising them.
- Joint controllers pursuant to Art. 26 GDPR: How to handle requests for erasure? What happens if one of the joint controllers erases the data but the other does not? And how should data processors behave in such cases?
- Is it possible to “rectify” opinions? Does anything change if they represent the views of the data subject and other third parties?
- How to handle the data generated by the processing of raw data? At which point and to what extent does the right to erasure apply?
- What does “erasure” mean from a technical point of view? Is it sufficient to flag the data as “ready to delete”, for example by deleting a file’s entry in the Master File Table (MFT)? Can technical restrictions justify a refusal of the deletion right, e.g., for tape backups?
- What is the relationship between the right to erasure and the right to retain data under Art. 17(3) GDPR, e.g., for the establishment, exercise or defence of legal claims?
- Can minors request the erasure of their data or do their legal guardians have to make such a request?
- Marketing: Are there any “best practices” on erasure and opposition to receiving marketing communications? If a data subject asks to no longer receive communications and simultaneously requests the erasure of his or her data, how can data controllers keep track of his or her intention to object?
Artt. 18 and 21 GDPR: Right to Restriction of Processing, Right to Object
- The meaning of the word “object” (Art. 21 GDPR) does not seem clear to data subjects.
- The right to restriction of processing is little known and applied.
- Clarification is needed on the concept of legitimate interest under Art. 6(1), 1st sent., lit. f GDPR.
- Can a detailed description of the legitimate interests be considered “best practice” or a legal obligation of data controllers?
- Can security measures (e.g. CCTV) justify a restriction on data subjects’ right to object?
- Is it legitimate to keep a blacklist of email addresses from data subjects that have objected to their processing? What happens in the event of a potential data breach?
- Online advertising: In RTB (real time bidding) systems, how can data subjects exercise their rights if they do not know who is involved?
- If data subjects exercise their right to restriction of processing, are data controllers entitled to restrict access to certain services on the basis of a legitimate interest?
General Remarks
- What type of personal data is suitable for the identification of data subjects? (Member States’ Legislation sometimes creates confusion.)
- Where data brokers may be involved, how should such persons be monitored?
- How can children exercise their rights?
- How should the different rights of data subjects interact with each other? (For example: A data subject simultaneously requests the erasure of, and access to, his or her personal data.)
EU-US Data Privacy/Protection Compliance, Transactions, Govt Relations, CPO, Professor & Keynote Speaker
5 years ago: Thanks for posting.
Senior advisor in dataprotection / infosec / cybersec / privacy enhancing technologies
5 years ago: Great subjects, I am especially interested in the "If a data controller has set up a login system (see, Recital 63, 4th sentence of the GDPR), is it appropriate to require data subjects to use only this channel?"
Data Privacy Specialist, Speaker, Writer, Trainer. Canada, UK, EU. #AIEthics #AIPrivacy #DataJustice #OSINT #PrivacyByDesign #Privtech
5 years ago: Great to have the questions and recurring points. And now... the answers? Do they plan to issue further guidance for those issues not addressed in existing guidance and the recitals? It would save everyone a lot of heartburn (and DPAs a lot of time wading through complaints) to have something that can definitively settle these outstanding issues....