The GDPR does make the "copy" bit fairly clear, so I would suppose that the subject could insist on that if they were not satisfied by having "access".
12(7) makes some mention of "Icons" and making the data "easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing" and that where they are electronic they should be machine readable - though this refers to transparency rather than SARs.
Nevertheless this does suggest that it is important to provide a meaningful explanation of the data.
However, I don't think it's your job to necessarily provide a paper annotated copy of all the data if you have provided an electronic version that explains the links between the various pieces of data. You could argue that annotating paper versions is verging into the "manifestly unfounded or excessive" as it is much easier and more effective to provide an electronic version. You could at that point rely on 12(5) to charge a fee or refuse.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 17 September 2019 15:00
To: [log in to unmask]
Subject: [data-protection] Copies - GDPR Art 15(3)
Subject Access Request.
1. We provide direct access to subject's entirely electronic records via a secure login.
Requester requires that we provide a copy. Seems to me we have no choice and cannot charge on the basis that it is an "additional copy" as so far we have only provided access - not "a copy". Does anyone disagree?
2. We make a full copy of subject's entirely electronic records and upload this to a third party file host (as processor) and provide direct access to that copy via a secure login. Requester requires that we provide a copy - as above
Have we now provided a copy to the requester or still only access?
3. The record is very complex with many interlinked parts. When viewed by direct access (either in 1 or 2 above) the links between the parts are clear. However the system does not appear to allow direct printing in a way which shows these links. So we can print part A, which has a list of say 50 items. Print Part B with a list of 10 items. But on paper there is no way to see which items on A relate to which on B. You would have to manually annotate while looking at the screen equivalents. Poor design perhaps but it is what we have.
This is why requester wants "a copy". He wants all the data on paper in a meaningful form.
If we DO print and provide A and B (which we may need to if the answer to 1 or 2 is no) have we provided "a copy of the personal data undergoing processing" as required or do we need to do the annotations for the requester?
My initial view is that we do not - entirely unsatisfactory though that may be from a customer / subject perspective. My reasoning is that, given the scenario in Q2 above we could, rather than uploading to a host and providing access, burn the same data to a DVD and provide the viewer software, and we have then clearly provided a copy and subject will have no choice but to do the annotation himself if he wants it on paper.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^