Replying to a Data Subject Access Request
In "Article 4 - Definitions", the GDPR defines Personal Data as:
"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
So the definition of Personal Data covers "information" relating to a person, and not merely "identifiers" such as name, email address, social security number and the like.
GDPR "Article 15 - Right of access by the data subject" then lists what must be part of a reply to a Data Subject Access Request (DSAR), namely:
- the purposes of the Processing;
- the categories of Personal Data concerned;
- the 3rd parties (recipients or categories of recipients) with which Personal Data is shared;
- the Retention Periods, or the criteria used to determine them;
- the existence of the Rights to Rectification and/or Erasure, and the right to lodge a complaint with a Supervisory Authority;
- the source of the Personal Data, where it was not collected directly from the Data Subject;
- the existence of automated decision-making, including Profiling;
- the safeguards applied to International Data Transfers, where any take place.
Now, in companies whose Service Catalog is "linear" (not too extensive or complex, i.e. not mirroring several distinct "Service Lines"), all of this will likely already be stated in the existing Privacy Policy or in specific Privacy Notices, so it suffices to include a link to those in the reply.
Where the Service Catalog is "complex", or comprises several distinct "scopes" that each require a distinct explanation of these points, the DPO should have "templates" ready in advance with the relevant information to be shared or linked to, according to the "scope" at hand.
Finally, the component that requires the most care is the Personal Data itself that the Company is processing.
GDPR Article 15 reads:
"(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form."
and also:
"(4) The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others."
Many DPOs have panicked when confronted with a DSAR that would seemingly require including numerous emails or even internal documents and reports, amounting to a very significant volume of information and a large time investment to gather it.
As seen above, GDPR defines Personal Data not as mere "identifiers" (name, email, age, etc.) but as "information"; however, Article 15(4) reminds us that complying with one Data Subject's Access Request must not come at the expense of another Data Subject's Privacy.
As with any "recent" Law (in the sense that not enough time has elapsed for settled case law to form where disputes have arisen), individual interpretation must be supplemented by the court decisions that have been handed down. From Germany there are already some that shed light on, and "constrain", the range of content a reply must contain.
One case in particular is a recent ruling of the Hessian Supervisory Authority which, following those court decisions, states:
"... the controller must always provide the data subject a copy of the personal data, even if the data subject does not explicitly request a copy. In principle, the controller must provide an explanation of the contents of the copies. A copy does not mean an actual copy in the literal sense but means “a summary of the personal data structured in a meaningful way”..."
Example
Let's imagine that an online store has sold some items to an individual and, in the course of doing so, came into possession of the following:
- Contact Personal Data obtained from a 3rd party while the individual was still a "prospect"; at that point the store complied with GDPR Article 14 by informing the Data Subject that it had obtained his/her "Name" and "email" from LinkedIn, and it gathered Consent.
- Additional Personal Data entered by the Data Subject on an online form during his/her 1st visit to the Website/online Store, after the Purpose and Scope of the Processing activities inherent to such services had been explained and specific additional Consent gathered.
- It shared "Name" and "Address" with a specific Logistics Partner in order to ensure delivery of the purchased goods to the Data Subject.
- There has been Profiling of the Data Subject's preferences, also based on Consent, and Invoices have been issued, which derive from a Legal Obligation.
- There has been some Call Center support to the Data Subject as a Customer of the Online Shop, which involved an exchange of emails with the Customer Care Department; the Lawful Basis for this is Legitimate Interest (both the Company's and the Data Subject's).
The Data Subject now submits a DSAR: what must the reply comprise?
For the sake of simplicity, and above all GDPR Compliance, let's assume the company has carried out a "proper" GDPR Compliance Project and therefore has in place a Privacy Policy detailing the Purpose and Scope of Personal Data Processing for each of the Services in the Service Catalog: WHAT will be done with WHICH Personal Data under EACH Service and WHY; WHICH Personal Data will be shared with WHICH 3rd Parties and WHY; the Retention Periods; and the applicable Lawful Bases for Processing. In that case the 1st part of the answer is to direct the Data Subject to the relevant content of the Privacy Policy and, potentially, specific Privacy Notices plus the Cookies Policy.
Then there is the Personal Data actually being "handled" by the Company, which comprises both "identifiers" and "information". So, besides the links to accurate information sources, the reply should describe that the Company holds:
- Contact Data consisting of name; customer number (an internally generated unique identifier); email address; and home address (for the purpose of physical delivery of purchased products, which, along with the name, is shared with Logistics Partners A, B and C depending on service availability and fares).
- Profiling Data consisting of purchase history over the last 6 months and website page/content views over the last month.
- Invoices for purchased products, which will be retained for X years as required under the Law of the country of establishment.
- Call Center support calls and internal emails exchanged between Call Center Customer Support and the CRO (Chief Revenue Officer) regarding some customer complaints, in which the Data Subject's complaint and its potential grounds were assessed. As a result, the Data Subject's complaint was found to be justified.
There is no need to forward every Data Identifier, nor the internally exchanged emails themselves; above all where the email recipients are themselves Personal Data or could end up identifying the Natural Persons "behind them".
This is just one simple example and not an "Apple Pie recipe" that applies every time: there will be cases where more information or more detailed Data Identifiers must be disclosed, and others that require sharing document or email excerpts. In every case, however, the DPO must assess WHAT is being asked against WHICH content needs to be part of the reply, and HOW far the request falls within the established Legal Boundaries.
When third parties' personal data are involved, the UK High Court, relying on the ICO SAR code of practice, held that the data controller 'must not apply a blanket policy of withholding' the identities of others when responding to a SAR, but must instead make a 'detailed assessment of this issue', since those third parties could in fact have given their consent to having their data shared.
Once again the consistency mechanism is in danger. While there are few DPA cases providing clarification, there have been several court cases in the UK; the SAR regime has not changed much from the Directive apart from removing the fee and reducing the time frame from 40 days to 1 month. Based on the UK court cases, the scope of the search is subject to the principle of proportionality, for which the burden of proof is on the controller. In Durant v FSA the court held that the mere mention of a data subject in a document does not automatically mean it is personal data. Not sure other jurisdictions would agree with that. In the Ittihadieh case the UK court even allowed itself to check the relevance of the SAR and partially rejected it on the basis that it had no useful purpose.