Insurance Europe has published its response to a consultation conducted by the European Data Protection Board (EDPB) on its draft guidelines on the right of access. Insurance Europe welcomes the draft guidelines as they provide clarity on how to handle practical cases of data access requests and the obligations to which insurers must adhere.
Insurance Europe is, however, concerned that, in certain cases, the guidelines’ interpretation of the right of access would result in a more burdensome handling of data access requests without any clear benefits for data subjects.
For example, the guidelines’ recommendation to search backup systems, which may not be readily or easily accessible, would constitute a disproportionate burden. Backup data is personal data stored solely for the purpose of restoring that data in the case of a data loss event and therefore should not be included in the scope of the right of access.
The EDPB also recommends that the controller should assume that the access request covers all personal data concerning the data subject, no matter the format in which it is processed, and that the information must be tailored to each request. For example, following an access request, the data controller should not just offer a list of third parties to which personal data has been communicated, but specify their activities, any sub-activities and leases.
Considering the high number of third parties that contribute to the pursuit of insurance activities, this information would be less usable for the data subject, due to the excess of details, and would also involve a disproportionate and excessive effort by the controller. It would, therefore, be advisable for the controller to be able to implement a layered approach. Controllers could, as a first step, provide access to the information in a general manner — similar to a privacy notice — and then ask the data subject whether more tailored information is required.