IAPP Updated CIPP-E Exam Questions and Answers by lisa

The right of access is one of the fundamental rights of data subjects under the GDPR. It allows data subjects to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and certain information about the processing. The controller must provide a copy of the personal data undergoing processing to the data subject, unless the data subject requests otherwise. The right of access is not absolute and may be subject to limitations, restrictions or exceptions, in accordance with the GDPR and the national laws of the member states.

The EDPB has issued draft guidelines on the right of access, which provide more detailed guidance on how to handle data subject access requests and what are the possible grounds for refusing to provide a copy of the personal data. According to the draft guidelines, the controller can refuse to provide a copy of the personal data in the following situations:

If the data subject access request was sent to an employee that is not involved in the processing of such requests. In this case, the controller must inform the data subject of the appropriate contact point for submitting the request and must not consider the request as received until it reaches the designated person or unit. This does not mean that the controller can ignore or delay the request, but rather that the controller must ensure that the request is forwarded to the responsible person or unit as soon as possible.

If there is such a large amount of data that the controller cannot identify the data subject of the request. In this case, the controller can ask the data subject to provide additional information to enable the identification of the data subject, such as a unique identifier, a reference number, a specific time period, a location or a context of the processing. The controller must not ask for more information than is necessary and must not use the information for any other purpose than verifying the identity of the data subject.

If the personal data was processed in the past but is no longer at the controller’s disposal at the time of the request. In this case, the controller must inform the data subject that the personal data are no longer available and explain the reasons why the personal data have been erased, anonymised, archived or otherwise disposed of. The controller must also provide the data subject with any relevant information about the retention period, the archiving policy, the anonymisation process or the disposal method of the personal data.

The controller cannot refuse to provide a copy of the personal data in the following situation:

If the controller is unable to use end-to-end encrypted emails for responding to such requests. In this case, the controller must still provide a copy of the personal data to the data subject, but must ensure that the communication is secure and that the personal data are protected from unauthorised or unlawful access, disclosure, alteration or destruction. The controller can use alternative means of communication, such as secure online platforms, password-protected files, encrypted devices or postal mail, depending on the preferences and circumstances of the data subject. The controller must also inform the data subject of the risks involved in the chosen communication method and obtain the data subject’s consent before sending the personal data.

References:

GDPR, Articles 12, 13, 14, 15, 23 and 34.

EDPB Guidelines 01/2022 on data subject rights - Right of access Version 2, pages 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 and 16.

According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.

In this scenario, Jack’s DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.

Option A is incorrect because the company’s headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.

Option C is incorrect because the company cannot agree to provide the information requested in Jack’s original DSAR within a period of 3 months, as this would violate the data subject’s right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.

Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject’s right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

the right to lodge a complaint with a supervisory authority;

where the personal data are not collected from the data subject, any available information as to their source;

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

References:

Right of access

Territorial scope

 The “one-stop-shop” mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR1. The “one-stop-shop” mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state1. Under the “one-stop-shop” mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing1. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing1. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows1. However, the “one-stop-shop” mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority1. These exceptional cases include the following situations2:

When a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state;

When a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state;

When a supervisory authority adopts provisional measures intended to produce legal effects in its own member state;

When an urgent need to act arises in order to protect the rights and freedoms of data subjects. In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken2. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter2. Therefore, option D is the correct answer. References: Art. 60 GDPR – Cooperation between the lead supervisory authority and the other supervisory authorities concerned, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)