EDPB publishes guidelines on DSARs

On 18 January 2022, the European Data Protection Board (EDPB) published its draft Guidelines on the right of access (the Guidelines). The Guidelines cover the various aspects of the right of access and clarify how the right of access has to be implemented in different situations. Among other things, the Guidelines provide guidance on the scope of the right of access, the information an organisation has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of six (6) weeks, i.e. until 11 March 2022.

Below we will discuss the highlights of the Guidelines in more detail.


The EDPB states that the overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the data processed. Moreover, the right of access is seen as a doorway for the individual to exercise other rights, such as the right to erasure or rectification. 

The right of access thereby includes three (3) components for data subjects:

  • a confirmation as to whether personal data is processed by the organisation or not;
  • access to the personal data processed by the organisation; and 
  • access to more information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.

Under Art. 15 (3) GDPR, the organisation shall be obliged to provide a free (first) copy of the personal data which the processing relates to. The EDPB further clarifies that Art. 15 (1) GDPR comprises complete information on all data and cannot be understood as granting only a summary of the data. Organisations that process large quantities of information relating to data subjects may request the data subject to specify the information or processing to which the request relates before the information is delivered; however, the EDPB considers this an exceptional situation. Nonetheless, such organisations shall provide all information if the data subject confirms that wish.


Each data subject request for access shall be assessed individually by the organisation. In order to ensure the security of processing, organisations should verify the identity of the data subject but should not ask for additional personal data for this purpose unless necessary. Organisations are advised to implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data; such a procedure can often be based on information included in the account (such as login and password). Requesting copies of ID cards should generally not be considered an appropriate way of authentication (the Litigation Chamber of the Data Protection Authority recently confirmed its case-law in this respect, namely that systematically requesting a copy or scan of the data subject's identity card is disproportionate), and such information shall in any case be limited to the information necessary to confirm the identity.

Access requests are not subject to a specific format. Even though the organisation should provide appropriate and user-friendly communication channels that can easily be used by the data subject, the data subject is free to choose to send the request to the contact point of the organisation. It should be noted that, in any case, the data subject cannot send requests to random addressees that are obviously not involved in handling matters concerning the exercise of the rights of data subjects.


The right of access includes all personal data concerning the data subject, whether provided by the data subject or not, including data that is derived from that personal data and data inferred from other data. However, a distinction shall be made between personal and non-personal data and it shall be noted that the right of access does not give data subjects the right to obtain complete access to records or company processes. In this regard, the recommendation of the French CNIL regarding the right of access of employees to their personal data and professional emails is also relevant.


Access requests shall be dealt with by organisations following a routine procedure taking into account the complexity of processing. Within one month of receipt, which can be extended by two further months when necessary, the organisation shall fulfil the request. In doing so, the organisation is obliged to search for personal data throughout its IT systems and non-IT filing systems.

The communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, meaning that in case data consists of codes or other “raw data”, these may have to be explained to the data subject. 

The data can be sent by e-mail, provided that all necessary safeguards are applied. When the amount of data is vast and difficult to comprehend all at once, organisations should provide information in different layers to facilitate the data subject’s understanding of the data. The copy of the data should be provided in a permanent form, which could be in a commonly used electronic form, so that the data subject can easily download it. A transcript or a compiled form may be used as long as all the information is included and this does not alter or change the content of the information.


Although there is no general reservation to proportionality with regard to the efforts an organisation has to take to comply with the data subject’s request, the GDPR does allow for certain limitations of the right of access, which have to be demonstrated by the organisation:

  • the copy shall not adversely affect the rights and freedoms of others (Art. 15 (4) GDPR): this limitation should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others;
  • organisations may reject requests that are manifestly unfounded or excessive, or charge a reasonable fee for such requests (Art. 12 (5) GDPR): the application thereof is rather limited; and
  • national law may restrict the right of access as well. Such restrictions may exist in Member States’ national law as per Art. 23 GDPR and the derogations therein. In this respect, we refer to Guidelines 10/2020 on restrictions under Article 23 GDPR issued by the EDPB. Under Belgian law, the GDPR Implementation Act somewhat restricts the rights of data subjects. It is foreseen that intelligence agencies, the Coordination Unit for Threat Analysis and other specialised police forces can process personal data without being subject to transparency obligations towards data subjects. In addition, there are exemptions from several obligations when processing is done for journalistic purposes or for the purposes of academic, artistic or literary expression, such as the duty to inform the data subject and the requirement to give access to the data at the data subject’s request.


Lastly, the EDPB has provided practical flowcharts on how to interpret and assess requests for access, how to answer such requests and how to verify whether any limits or restrictions apply.

Lydian’s Information Governance & Data Protection (Privacy) team is there to assist you with the drafting of a policy or replying to a data subject access request. 

See also: Lydian (Ms. Olivia Santantonio, Mr. Bastiaan Bruyndonckx)

[+ http://www.lydian.be]
