CIPL submits DSR “White Paper” to the EDPB as input for future Guidelines

16. July 2020

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper on Data Subject Rights (DSR) on July 8th, 2020, as input for the European Data Protection Board (EDPB) for its future Guidelines on the subject.

The White Paper examines the effectiveness of DSRs with a view to their interpretation in the context of today’s data-driven economy. It argues that the Guidelines should take into account new business models, data-driven processes and the data economy, as well as the digitalisation of society.

In that respect, the Paper offers suggestions for the EDPB to consider and reflect upon. Some of the main subjects the Paper asks the Guidelines to address are:

  • Clarification of the requirements governing verification of the identity of individuals submitting DSR requests;
  • Determination that the one-month deadline for responding to a DSR request will run from the point at which the request’s scope is clear and the identity of the requestor has been verified, and that extensions to the deadline may be justified in certain circumstances, e.g. where the controller receives an unusually high volume of DSR requests;
  • Recognition that compelling interests of the organization, third parties or society may limit DSR requests;
  • Limitations on excessive, unfounded or abusive requests from Data Subjects which are intended to disrupt the business;
  • Declaration of a proportionate approach in responding to DSR requests, particularly with regard to the cost to the organization.

Furthermore, the White Paper highlights the need to change the level of a Data Protection Officer’s (DPO’s) responsibility with regard to DSRs, dividing it across different teams rather than making the DPO solely responsible for DSR requests.

In addition, the Paper demands that the EDPB establish better harmonization of the application of DSRs across the European Union; the current lack of harmonization stems from differences in the Guidelines issued by the different Data Protection Authorities (DPAs). The EDPB should have an interest in establishing common ground for the handling of DSRs and the related requests, as well as for the handling of infringements in the matter by DPAs.

The Paper stems from the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019, and was drafted to highlight to the EDPB certain issues on the matter which have crystallized in the two years since the application of the GDPR.