On 4 November 2019, the European Data Protection Board (EDPB), the EU-wide data supervisory authority, held a stakeholders’ event on data subject rights under the GDPR. At the event, various stakeholders, including corporates and NGOs, raised a number of issues, for example:
- Overall confusion around the scope and applicability of data subject rights. Stakeholders noted that some requests were too broad, which in turn made it difficult to identify which data subject right was being exercised (e.g., erasure, objection or access);
- Difficulties identifying data subjects, in particular children;
- How to reconcile compliance with Article 12 of the GDPR (the requirement for information to be provided to data subjects in a concise, intelligible and easily accessible manner) and Article 15 (the requirement to provide extensive information to data subjects on the processing of their personal data);
- Where technical data concerning a data subject is collected (e.g., clickstreams and page interactions), how this should be provided to data subjects in an accessible way;
- How controllers can delete personal data and, if requested, prove to data protection authorities that personal data has been deleted; and
- What is the burden of proof for compelling legitimate interest grounds in order to rebut the application of the right to object.
The wide-ranging concerns raised by stakeholders before the EDPB highlight the confusion organisations face in responding to data subject requests. Upcoming guidance to be developed and published by the EDPB will be welcome in providing much-needed clarity and a streamlined, best-practice approach for organisations, which have been receiving an influx of data subject requests since the entry into force of the GDPR.