Insurance Europe has published its response to a consultation conducted by the European Data Protection Board (EDPB) on its draft guidelines on the right of access.
Insurance Europe is, however, concerned that, in certain cases, the guidelines’ interpretation of the right of access would result in a more burdensome handling of data access requests without any clear benefits for data subjects. For example, the guidelines’ recommendation to search backup systems, which may not be readily or easily accessible, would constitute a disproportionate burden. Backup data is personal data stored solely for the purpose of restoring that data in the case of a data loss event and therefore should not be included in the scope of the right of access.
The EDPB also recommends that the controller should assume that the access request covers all personal data concerning the data subject, no matter the format in which it is processed, and that the information must be tailored to each request. For example, following an access request, the data controller should not just offer a list of third parties to which personal data has been communicated, but specify their activities, any sub-activities and leases.
Considering the high number of third parties that contribute to the pursuit of insurance activities, this information would be less usable for the data subject, due to the excess of details, and would also involve a disproportionate and excessive effort by the controller. It would, therefore, be advisable for the controller to be able to implement a layered approach. Controllers could, as a first step, provide access to the information in a general manner — similar to a privacy notice — and then ask the data subject whether more tailored information is required.