Abstract
According to Article 15 of the GDPR, data subjects have the right to access the personal data handled by data controllers and their processors. This creates demand for a dedicated technical service implementation that produces valid, complete, and legally compliant responses to such requests.
In this paper, we provide both a Data Request Model and a Response Data Model for answering such requests on a technical level. While outlining the overall process of handling such a request, we present a set of requirements that need to be fulfilled, and we discuss a set of issues that commonly arise in such an Article 15 service implementation.
The contribution of M. Jensen was partly funded by the Swedish Foundation for Strategic Research (SSF SURPRISE) project.
© 2022 Springer Nature Switzerland AG
Cite this paper
Hansen, M., Jensen, M. (2022). A Generic Data Model for Implementing Right of Access Requests. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science(), vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_1
DOI: https://doi.org/10.1007/978-3-031-07315-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07314-4
Online ISBN: 978-3-031-07315-1
eBook Packages: Computer Science, Computer Science (R0)