"The spam folder ate your access request" is not a good excuse for an Art 15 violation, says Datatilsynet Norway. In a detailed opinion, Datatilsynet also clarifies the requirements for relying on the Art 14 exceptions to the duty to provide a privacy disclosure, and for the proper drafting of privacy notices.
- Although controllers remain free to decide which specific communication channel should be used for submitting access requests, they must ensure that the communication channel they implement is easy to use and effective.
- If a controller decides to receive access requests via email, it must make sure that the email account it uses for this purpose implements state-of-the-art anti-spam protection which does not treat legitimate access requests as spam—and/or that it monitors the spam folder on a regular basis to identify the presence of possible legitimate access requests. Effective anti-spam solutions (e.g., CAPTCHA solutions) do exist and should be adequately considered by the controller, in accordance with its accountability obligations under the GDPR.
Mitigating factors that reduced the severity of the violation were:
- The issue (the spam folder) appears to have affected a single data subject, who was eventually satisfied with the delayed reply they received;
- No other complaints concerning the controller's compliance with Articles 12(2) and 15 GDPR; and
- After Datatilsynet's inquiry, the company remediated the situation by creating a new email address to be used for submitting access requests, which according to the company has enhanced filters for spam and phishing.
Missing Privacy Disclosure:
The exceptions in Article 14(5) (for not providing a disclosure) should be interpreted and applied narrowly. Thus, any broad derogation from the information obligations laid down in Article 14 should be rejected.
Data Subject already has the info:
- To rely on the Article 14(5)(a) exception it is not enough to assume the individual already has the information; rather you have to be able to “demonstrate (and document) what information the data subject already has, how and when they received it”.
- In addition, this exception applies only with respect to the specific information that the data subject actually has. The controller must supplement that information to ensure that the data subject has the complete set of information listed in Article 14(1) to (2) (e.g., legal basis, recipients, information on international data transfers). This refers to specifics, even if a notice already provided general information: for example, disclosing the actual recipient instead of saying "we don't disclose unless obliged", or the actual mechanism for the relevant data transfer instead of "we only transfer outside the EU if you have been expressly informed and consented".
Disclosure is expressly laid down by Union law:
- To fall under Article 14(5)(c) it is not enough to have a law that allows obtaining the information; the law needs to require it (i.e., your legal basis for obtaining the information is Article 6(1)(c)).
- You also need to be able to demonstrate that this law provides appropriate measures to protect the data subjects’ (i.e., the shareholders’) legitimate interests and how you comply with such appropriate measures.
- Even when you rely on this - you should make it clear to data subjects that you obtain or disclose personal data in accordance with the law in question, unless there is a legal prohibition preventing you from doing so.
You can't use the formulation "we may process personal data if one of the following applies" followed by a listing of the various legal bases under Art 6 GDPR. You must clarify the actual purpose and legal basis for each specific data processing activity.
Head of International at the Norwegian Data Protection Authority (comment, 2 years ago): Thorough work by Luca Tosoni!