Each week in July and August, our focus will be on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.
This week’s topic: Data Subject Rights
In several recent decisions, the Litigation Chamber of the Belgian Data Protection Authority (“DPA”) provided guidance on how to deal with data subject rights under the GDPR.
The most important “lessons learned” are summarized below.
1. General remarks
- A reply to a data subject request must be unambiguous and clear. The exact reasons for refusing to comply with a data subject request should be communicated clearly and transparently.
- A refusal of, or inability to comply with, a request must also be communicated within 1 month of receiving the request.
- Proof of identity cannot be systematically requested from every person submitting a data subject request. It may only be requested where there are reasonable doubts about the identity of the person making the request.
- Technical inability to comply with a well-founded data subject request is not a valid justification for not complying with it.
- Data subjects do not need to expressly label their requests under the GDPR. The data controller needs to assess whether a request is sufficiently clear to be identified as a GDPR data subject request.
- Whenever multiple (independent) data controllers process the same personal data on the basis of consent given to one of them, the data controller that receives a data subject request must take all appropriate measures to inform the other data controllers of the request and to ensure that all of them comply with it (and must inform the data subject of any problems in this respect).
2. Right of access to personal data
- Data access requests can be denied if, because of short retention periods, the relevant data are no longer available.
- When replying in “different phases” to a broad or unspecified access request, at least the general information listed in articles 15.1(a)-(h) and 15.2 GDPR should be provided within 1 month.
- Article 15.3 GDPR does not require the original version or an entire copy of the document containing the personal data (e.g. an internal audit report) to be made available to the data subject. The right to obtain a copy of his/her personal data does not imply that the data subject has the right to obtain a copy of the full, original document containing these data, as this could infringe the rights and freedoms of others.
- The fact that the data subject is already aware of the data of which a copy is requested does not justify a refusal to comply with such a request.
3. Right to object
- A right to object to direct marketing messages (whether in electronic or paper format) is unconditional. It must be immediately complied with and the direct marketing data processing must immediately cease without any further investigation.
- The right to object to direct marketing messages must be expressly, clearly and separately brought to the attention of data subjects (in particular in each and every direct marketing message). It is not sufficient to only mention it in a privacy statement.
- Making an effective right to object readily available is an essential element of the “balancing of legitimate interests” test under article 6.1(f) GDPR.
4. Right to deletion of data (‘right to be forgotten’)
- The right to data deletion is not an absolute right: the data do not have to be deleted if the processing is based on a legitimate interest.
- A fair balance must be struck between the public's right of access to information, on the one hand, and the rights of the person concerned, on the other hand.