By launching a brief ethnographic study, we wanted to document the experience of exercising the right of access to personal data in Spain: first, by locating the required information about organizations and their data controllers, and second, by sending access requests to those organizations. The first wave of fieldwork took place a few years ago, when Eticas was participating in a larger European research project. The second was carried out in 2018 by the Eticas Foundation team and collaborators.
Access rights in Spain, 2014
As part of this process, we attempted to locate data controllers in 30 organizations and subsequently sent 21 access requests to a wide range of controllers in both the public and private sectors.
The details of the data controller were usually found on the official websites of the organizations. If not, it was often necessary to contact the organizations by phone. The staff we spoke to on the phone generally lacked experience with data protection and access rights. These conversations were difficult because of the systematic suspicion of the respondents, who seemed skeptical that we wanted to access our personal data simply out of curiosity.
In the case of CCTV systems, mandatory signage should have meant that we could locate the data controller without talking to any staff member in person. But we found irregularities in the signage: signs that were poorly located or not visible, no signs at all, or signs without the data controller's details. Only 2 out of 5 sites were found to have signage that properly complied with Spanish law.
When we did this fieldwork in 2014, we found that the general level of legal compliance and good practice when citizens tried to exercise their access rights in Spain was low. Some organisations did not respond to our requests at all, and only in a minority of cases did a relatively simple and straightforward process result in a legally appropriate response.
What, then, would the situation be like 4 years later, with the new European regulation on data protection already in force? To answer that question, we decided to put our access rights into practice again.
Access rights in Spain, 2018, under GDPR
On this occasion, to carry out the fieldwork, we sought the contact details of 34 data controllers, from which we were finally able to make 31 requests for access to personal data (91.18%), covering both public and private sector companies and organisations. Of the 3 access requests we were not able to carry out, in two cases it was not possible to locate the contact details needed to make the request, and in the third case the online form contained an error that did not allow the corresponding postal code to be entered and therefore prevented the request from being sent.
The level of compliance was quite uneven. Of the 31 access requests we were able to make, only 12 were answered optimally and directly (38.71%), that is, with answers that provided correct information within the established time frame. A further 6 responses (19.35%) asked the requester for slightly more information before the request could be processed: 2 asked for a copy of the identity document; 1 even phoned the requester to ask which data this person wanted information about (and for what reasons); and in 2 cases they asked for both, i.e. a copy of an identity document and a specification of which information the requester wanted to access.
In only 1 case did we receive a reply that consisted of a communication extending the legally established period of 30 days to 2 months, arguing that the request was complex to answer given the large amount of data the organisation was managing. So 12 requests were answered directly and 7 were answered without initially providing the personal data requested; the requests that received no answer at all totalled 9, almost 30% (29.03%). In addition, in 1 case we received a response outside the period established by law.
By sector, the private sector generally responds better than the public sector. We considered 34 data controllers, of which 21 were private actors and 13 public actors. Of the most satisfactory responses, only 16.67% came from public sector entities, and the rest (83.3%) from private companies. Conversely, of the cases in which we received no response, 55.6% corresponded to public sector entities and 44.4% to private entities.
As regards the option in the new European legislation of providing an electronic means by which to exercise the right of access (RGPD, recital 59), the LOPDGDD does not treat it as an obligation but as one option among others. Of the organizations included in the study, 20 offer it (64.52% of entities) and 12 do not (38.71%). By sector, those that do not offer it are mostly public sector bodies (66.67%), compared with 33.33% private sector companies. Of those that do offer this option provided for by the law, 15 are private companies and 5 are public entities, 75% and 25% respectively.
We have improved somewhat, yes: in finding the contact details through which access rights can be exercised, the success rate rose from 74% in 2014 to 91.18% in 2018. We have also improved in being able to find these contact details online (without having to visit the organisation in person or make a phone call). But we still see a rather low level of provision of electronic means for exercising access rights, as almost 40% of entities (38.71%) do not offer one.
There are also still practices that sit uneasily with data protection, such as the phone call we described above, although in this case, since there was less personal interaction, we found only one such instance. Finally, the public sector continues to lag behind the private sector in terms of good practice, but it is improving: it accounted for 90% of bad practices in 2014, whereas in 2018 it represents 55.6% of the entities that gave no response at all. As the percentages show, public entities also continue to lag behind private ones in offering an electronic way to exercise the right of access.
You can read the complete report here.