Access and Portability
(Articles 15 & 20 and Recitals 63, 64 & 68 GDPR)
The Right of Access and the Right to Data Portability are closely related, but they are distinct rights. You should take care to ensure that individuals are informed of both rights, and that consequently there is no confusion about which right is being exercised.
Responding to access and portability requests
Individuals have the right to request access to their personal data, free of charge and in an accessible format. If you receive such a request, then you have to:
- Tell the individual if you are processing their personal data.
- Provide a copy of the personal data being processed, without undue delay and in any event within one month.
- Inform them about the processing (such as the purposes of the processing, categories of personal data concerned, recipients of their data, etc.).
Whilst an individual is entitled to access to any or all of their personal data, where a controller processes a large quantity of information concerning the individual, the controller should be able to request that the individual clarify the request, by specifying the information or processing activities which they want access to or information on. This should only be done where reasonably necessary to clarify a request, and not to delay in responding to it. Where a controller asks an individual to clarify their request, they should let them know as soon as possible. If the individual refuses to clarify the request, the controller must still endeavour to comply with the original request.
When the processing is based on consent or a contract, the individual can ask for a ‘portable’ copy of their personal data to be sent to them or directly to another organisation. This is known as the right to data portability. The data should be provided in a commonly used and machine-readable format.
The GDPR does not set out any particular method for making a valid access or portability request, therefore a request may be made by an individual in writing or verbally. Where a request is made verbally, it is recommended that controllers record the time and details of the request, so that they can ensure they comply with and do not misunderstand the request. Controllers may want to follow up with individuals in writing to confirm that they have correctly understood the request.
Similarly to the point regarding the format a request may take, where controllers have a particular contact point or member of staff designated for handling requests, contacting them will normally be the most efficient way for an individual to have their request responded to promptly, but it should not be considered mandatory.
Timelines for access or portability requests
Controllers who receive a valid access or portability request must respond to the request without undue delay and at the latest within one month of receiving the request. Controllers can extend the time to respond by a further two months if the request is complex or they have received a number of requests from the same individual, but they must still let the individual know within one month of receiving their request and explain to them why the extension is necessary.
Further, it is good practice for controllers to keep requesters regularly updated on the progress of their request, and giving them sufficient notice in advance of any potential delays or requests for clarification or proof of identity.
Limitations on access or portability requests
Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, a controller may, where appropriate, refuse to act on a request. This is, however, a high threshold to meet, and the controller must be able to prove that the request was manifestly unfounded or excessive, in particular taking into account whether the request is repetitive. There should be very few cases where a controller can justify a refusal of a request on this basis.
There is a general limitation on the exercise of the right of access under Article 15(4) GDPR, which states that the right to obtain a copy of the personal data undergoing processing should not negatively impact (‘adversely affect’) the rights and freedoms of others, such as privacy, trade secrets, or intellectual property rights. However, where a controller does have concerns about the impact of complying with a request, their response should not simply be a refusal to provide all information to the individual, but to endeavour to comply with the request insofar as possible whilst ensuring adequate protection for the rights and freedoms of others.
Whilst the rights of access and portability are fundamental data protection rights, they are not absolute ones, and are subject to a number of limited exceptions. If a controller considers that it is justified in withholding certain information in response to an access or portability request it must identify an exemption under the GDPR or the Data Protection Act 2018, provide an explanation as to why it applies, and demonstrate that reliance on the exemption is necessary and proportionate.