DATA PROTECTION
EDPB publishes finalised guidelines 1/2022 on right of access.
The European Data Protection Board ('EDPB') announced, on 17 April 2023, the publication, on the same date, of the final version of the updated Guidelines 01/2022 on data subject rights - Right of access, following public consultation.
The guidelines analyse various aspects of the right of access and provide more precise guidance on how the right of access has to be implemented in different situations. More specifically, the guidelines provide clarity on the scope of the right of access, the information that controllers must provide to data subjects, the format of the access request, the main modalities for providing access, and the notion of 'manifestly unfounded or excessive requests'.
Furthermore, the guidelines clarify when controllers may continue to process data for the purpose of fulfilling their obligation to answer a request, noting that such processing will be based on Article 6(1)(c), in combination with Article 15, of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and its duration has to comply with the requirements of Article 12(3) of the GDPR. Importantly, the guidelines point out that the application of the above legal basis is limited to processing of the data identified to be necessary for answering the request and is not to be used as a justification for general extensions of retention periods.
The guidelines analyse various aspects of the right of access and provide more precise guidance on how the right of access has to be implemented in different situations. More specifically, the guidelines provide clarity on the scope of the right of access, the information that controllers must provide to data subjects, the format of the access request, the main modalities for providing access, and the notion of 'manifestly unfounded or excessive requests'.
Furthermore, the guidelines clarify when controllers may continue to process data for the purpose of fulfilling their obligation to answer a request, noting that such processing will be based on Article 6(1)(c), in combination with Article 15, of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and its duration has to comply with the requirements of Article 12(3) of the GDPR. Importantly, the guidelines point out that the application of the above legal basis is limited to processing of the data identified to be necessary for answering the request and is not to be used as a justification for general extensions of retention periods.
