A Generic Data Model for Implementing Right of Access Requests

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13279)

Abstract

According to Article 15 of the GDPR, data subjects have the right to access personal data handled by data controllers and their processors. This raises demand for a dedicated technical service implementation in order to create valid, complete, and legally compliant responses to such requests.

In this paper, we provide both a Data Request Model and a Response Data Model for answering such requests on a technical level. While outlining the overall process of handling such a request, we showcase a set of requirements that need to be fulfilled, and we discuss a set of issues that commonly arise when implementing such an Article 15 service.

The contribution of M. Jensen was partly funded by the Swedish Foundation for Strategic Research (SSF SURPRISE) project.

Author information

Correspondence to Malte Hansen or Meiko Jensen.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Hansen, M., Jensen, M. (2022). A Generic Data Model for Implementing Right of Access Requests. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science, vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_1

  • DOI: https://doi.org/10.1007/978-3-031-07315-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07314-4

  • Online ISBN: 978-3-031-07315-1

  • eBook Packages: Computer Science, Computer Science (R0)
