Third party requests to exercise data subject rights: quick notes for controllers

An increasing number of third parties are offering services - typically, by way of a web site or an app - to facilitate data subjects in exercising their rights under the GDPR.

Controllers on the receiving end of communications from one or more of these providers might want to read this post in conjunction with our previous posts:

What are these services?

What these services offer varies from service to service but, typically, it consists of:

  • the service provider has a database of controllers

  • the service provider encourages data subjects to sign up to their service

  • the data subject provides some information about themselves to the service provider

  • the service provider contacts controllers (how these are selected varies), and asks, allegedly on behalf of the data subject, that the controller carry out certain actions, such as giving effect to the right of access or the right to erasure

But our organisation didn't consent to be part of this service?

If your organisation is a legal entity, and the service provider is using a generic email address (e.g. support@example.com), there's probably not a huge amount you can do, legally, about the presence of your organisation on their database.

If they are saying things which are inaccurate, or defamatory, then you may have grounds for some form of action.

If you are a sole trader or partnership, or if the service provider has listed you personally, or is using your personal (work) email address, then you have rights under the data protection framework, and you may be able to challenge how the service provider is processing your personal data. Normal GDPR rules apply - they need to have told you about what they are doing with your data when they collected it, they will need to have a lawful basis for processing it, and so on.

Do I have to handle these requests?

You should handle correspondence received via these third party services in line with your normal GDPR subject rights requests process. (You've got one, right?)

This might include:

  • can you identify a data subject from the request?

    • if you have reasonable doubts, do you need to ask for more information to confirm their identity?

  • can you verify that the person sending the request is that data subject, or is acting on behalf of the identified data subject?

    • are you confident that this is not an attempt at identity fraud?

    • the service provider might be purporting to act as an agent of, or an intermediary to, the data subject, so you might wish to verify that the person making the request is the data subject.

    • the service provider might be claiming to act as an agent of, or on behalf of, the data subject, so you might wish to verify that the service provider has the authority of the data subject to do so. The onus is on the provider to demonstrate that it has authority.

  • can you determine the scope of their request?

  • is the request manifestly unfounded or excessive?

  • can you give effect to their request? Is it sufficiently complex or numerous that you need extra time?

  • can you return the results of their request to the data subject, with an appropriate degree of security?

The EDPB's draft guidance on the right of access says:

Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. This may apply to ... other entities via online portals.

The email says I must open an attachment / click a link / create a profile - do I have to do that?

You should consult your organisation's information security policy, to determine if opening an attachment from an unknown third party, or clicking a link to access a third party site, is acceptable.

The same is true if the communication intimates that you "must" reply via their platform.

I am sceptical that, generally, this is a wise idea.

The GDPR requires you to have appropriate technical and organisational security measures in place to safeguard your processing of personal data, in addition to whatever other security obligations you may have (e.g. if you are a telecommunications operator).

The EDPB's draft guidance, in the section on third party portals, says:

It should be recalled that making personal data available to someone who is not entitled to access it can amount to a personal data breach

A data subject cannot, in my view, compel you to create an account on a third party service to be able to access, or respond to, a subject rights request.

The ICO's guidance says:

if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond.

The GDPR does not require you to do something exactly the way a data subject wishes for it to be done.

However, you are still required to facilitate a data subject's exercise of their rights, and so you should see if you can find a way to identify the data subject, verify them, handle their request, respond to them, and so on.

Do I have to correspond via the platform?

Some of these services, in my experience, demand that you must only communicate with the data subject via their platform.

This is inconsistent with the GDPR. The EDPB says:

There is ... no obligation for the controller to provide the data under Art. 15 directly to the portal. If the controller, for example, establishes that the security measures are insufficient, it would be deemed appropriate to use another way for the disclosure of data to the data subject. Under such circumstances, when the controller has other procedures in place to deal with access requests in an efficient way, the controller can provide the requested information through these procedures.

If you reasonably doubt the validity of a request, or you have reasonable concerns about the use of the platform - for example, from a security or data protection compliance point of view - it would be sensible and lawful to contact the data subject, or return the requested information to them, via some other means, using contact details that you already hold for them.

If you have reasonable doubts or concerns, you are likely to have a lawful basis to process other contact information you hold for them.

I would be nervous about using details provided by one of these service providers, unless you can verify them independently.

After all, how do you know that the email address that the provider is proffering is actually the email address of the data subject, and not someone trying to commit identity fraud?

If you cannot contact the data subject in a different way, the ICO's guidance is:

In some cases you may be unable to contact the individual directly, for example if you do not have their address details or are otherwise not satisfied with the ID information provided. If this is the case, you should contact the third party portal to advise them that you will not respond to the request until they have met each of the above requirements, and provided evidence that the individual has agreed to the information being uploaded to the portal.

They appear to want me to pay to use their platform?!

Some of these services offer what they consider to be "value added services", to which a controller might wish to subscribe.

You cannot be forced to pay a third party to handle a subject rights request, so be on the lookout for "dark patterns" in correspondence from providers, trying to nudge you towards signing up and parting with money.

The ICO's guidance says:

When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.

Unless you think that that service is valuable, of course - in which case, I'd have thought your normal vendor selection and due diligence process should apply, including assessing their security, and their compliance with data protection law.

Can I regard a communication from one of these platforms as "manifestly unfounded or excessive" simply because it has come from one of these platforms?

That is unlikely to be appropriate.

But if a data subject is sending you the same or a very similar request every day, then that may well be excessive. You'd need to do a case-by-case assessment.

Can I get help with this kind of thing?

Yes, of course.

We have helped numerous organisations handle subject rights requests, including establishing processes to deal with requests from third party service providers, and dealing with complaints made to the ICO where someone is unhappy with an organisation's initial response.