EU data protection supervisory authorities advocate a broad right to information


The European Data Protection Board (EDPB) has published a first version of its guidelines on the right to information under Art. 15 GDPR. The EDPB is the most important body of the European data protection supervisory authorities. It consists of representatives of the data protection authorities of all EU member states and the European Data Protection Supervisor, who is responsible for data protection in the EU institutions and bodies.

In the 60-page document, which the EDPB had already adopted at its meeting on January 18, 2022 and which has now been published, the data protection supervisory authorities deal with numerous issues, some of which are extremely controversial in practice. In addition to the form in which the information is transmitted to the data subject, the EDPB also addresses the formal requirements for requests for information and sets out specifications for identifying the data subject. The EDPB also addresses the question of when a request for information can be regarded as manifestly unfounded or excessive and can therefore be rejected. In practice, the claim that a request is unfounded is quite often used to defend against requests for information and has often been the subject of court decisions, particularly in employment law.

Overall, it is not surprising that the authorities advocate a broad interpretation of the right to information, while the possibilities for the person responsible to reject the request for information are to be interpreted narrowly. This is good for those affected, but poses great challenges for companies and other responsible parties.

In this respect, it is gratifying that at the present time it is only a draft with which the EDPB is calling on associations and interest groups in particular to submit statements as part of a public consultation process – the guidelines are therefore not set in stone. In addition, it must be taken into account that the guidelines and opinions of the data protection supervisory authorities are always recommendations, which, however, are not binding. The EDPB recently made this clear once again in a statement. The guidelines cannot therefore bring the desired legal certainty – they are, however, a significant impetus for further debate and an important point of reference for dealing with requests for information.

In order to master the challenges associated with a request for information, those responsible should familiarize themselves early on with the questions that arise in this case and design the necessary processes for answering the request actively and preventively. In addition to determining who is responsible, this primarily concerns the establishment of processes for checking the request and the identity of the data subject, as well as the identification of the data processing systems relevant to the request in question. It is also advisable to test the established process in a practical exercise and to rehearse it for an emergency.

More from iX Magazine




(fo)
