What matters
Controllers should understand when they have to disclose individual recipients of data, extra requirements for complex technical data, and explanations of automated decision-making, to know when they can rely on a privacy notice alone.
What matters next
Organizations can get ahead by updating privacy notices and processing records, auditing supply chains and getting a grip on automated decision-making within their business. An end-to-end privacy solution can help manage larger and more complex DSARs.
Handling data subject access requests (DSARs) is an ongoing compliance burden for many organizations. In this article, we consider the often-overlooked, but important aspect of the amount of information in addition to copies of their personal data which a controller may need to give to a data subject under Article 15 of the EU General Data Protection Regulation or its UK equivalent, the UK GDPR. This provision entitles the data subject to receive information about the purposes, categories of data, recipients, retention periods, additional rights, automated decision making and profiling, or categories of current and future recipient, and safeguards for international transfer.
Isn’t it all in the privacy notice?
Clued-up controllers will see that much of this information should already be in their organization’s privacy notice. If all the elements of Article 15 are comprehensively set out in it, the controller may simply include a copy of the notice in its response to satisfy its obligations.
But controllers should beware. Recent European court cases – which are still influential on the UK approach, as well as applying where controllers are dealing with EU GDPR-governed data – highlight that just sending through a copy of the privacy notice may not be enough. This will be particularly true for platforms with opaque and generic privacy notices, as X discovered in July 2024 when it was ordered by a Dutch court to respond to a DSAR with more than just a link to its website.
So, what extra information should controllers consider?
Getting the recipients right
One of the pieces of additional information that an individual is entitled to under a DSAR is the “recipients or categories of recipient to whom the personal data have been or will be disclosed.” Privacy notices will almost universally refer to categories (such as “affiliate companies” or “marketing partners”) rather than individual business recipients. Is this enough?
Case law in the EU and the UK tells us that the controller may choose to rely on categories when it comes to privacy notices. But for DSAR responses, the general rule established in the Austrian Post case is that individual recipients must be identified, unless the request is impossible, manifestly unfounded or excessive.
This will mean extra work tracking down the names of each company involved in the context of a DSAR, particularly for controllers with large or multinational operations, and especially if they do not maintain a comprehensive and up-to-date record of processing activities.
Protecting identities
When it comes to recipients, controllers also have to think about whether they need to identify individual people rather than organisations. The position in the UK is affected by Schedule 2, paragraph 16 of the Data Protection Act 2018, which requires controllers to think about whether disclosures about third parties is reasonable, together with the relevant circumstances.
By way of example, a recent UK High Court decision confirmed that following the case of Austrian Post, a data subject does have the right to know individual recipients, but they need not be disclosed where there is a risk of intimidation. However, this is an exception and not the rule, and the new standard position is that data subjects are entitled to know each individual recipient of their personal data.
A related CJEU case, Pankki, tells us that controllers must let a data subject know the dates and purposes of consultation operations by staff, but do not have to disclose individual staff member names unless this is essential to enable the requester to exercise their rights, and disclosure will not override the rights of staff members.
In practice this probably means that names will only be required where there is a likelihood of unlawful access by employees acting outside controller authority: but controllers under pressure to disclose must still carry out the required assessment.
Contextual information
As well as the “individual recipients” challenge, another area which is likely to mean going above and beyond the privacy notice is the requirement to provide contextual information to enable data subjects to understand how their personal data is being processed.
In May 2024, the CJEU confirmed in the Addiko Bank ruling that the right to a “copy” of personal data will include a full copy of documents containing personal data where “necessary to enable the data subject to verify their accuracy and completeness and to ensure their intelligibility”.
This means that additional context may be necessary where raw data is incomprehensible. The CJEU ruled in October 2023 that for medical records, data subjects will be at a loss without full accompanying documents and mere summaries or compilations may be misleading. The same logic will apply to other scenarios involving technical information of high relevance to a data subject.
It’s totally automatic
One area where DSAR responses will increasingly require fresh information is solely automated decision-making. Under Article 15, a controller must give data subjects on request information about the existence, underlying logic, significance and consequences of any solely automated decision-making which significantly affects them.
The first major case on this aspect of the GDPR was recently considered by the Advocate General who set our their view on what this information should contain. For the AG, while underlying technical information such as algorithms do not need to be disclosed, accompanying information must be “meaningful” (in other words, practically useful), concise, easily accessible, easy to understand, and in clear and plain language. As well as being given clear and contextualised information, the data subject must be able to understand the information on which the automated decision was based, how it related to the final decision, and the weighting given to that information.
The full CJEU ruling is awaited. Given the proliferation of AI-powered decision-making systems this is an aspect of DSARs which is likely to become ever more difficult to navigate.
Advice and best practice
What to do?
- Get ahead by ensuring that privacy notices are comprehensive, clear and easy to access.
- Requests for each corporate recipient of data may be difficult to track through supply chains. Check your records of processing activities and keep tabs on suppliers and their sub-processors. Can you compel them to comply with requests for information? For suppliers that are processors, you can do so by relying on contractual obligations provided for as a result of Article 28 GDPR.
- Where requests are for individual recipients, your starting point is probably to say no but decisions must be properly assessed and recorded.
- Significant, solely automated decision-making will come under increasing scrutiny and is likely to attract DSARs. Make sure your system supplier can fully explain what they are doing, so you can do the same.
Author: Alice Wallbank is a profesional support lawyer in privacy and data. Key contact: Sherif Malak is the head of Privacy and Data at Shoosmiths, where he leads over 20 dedicated privacy advisers. Adam Fox is a principal associate who advises clients on a wide range of commercial matters, with a particular focus on digital technologies and emerging business models, global privacy and data protection, and marketing laws and regulations.
If you need assistance with this or any aspect of dealing with a DSAR, Shoosmiths has an end-to-end DSAR solution, SmartSAR, which can help streamline the DSAR process while still ensuring the precision and efficiency required to comply with the various requirements of Article 15 of the GDPR or any similar legislation around the world.