
When one makes a GDPR Subject Access Request (SAR), one can specify a particular form of response, for example by email. Also, the data can be requested in a structured, commonly used and machine-readable format. If one requested that the response be provided via a web form, would the data controller be required to use that form, or could they refuse to provide the data if this was the only method available?

The case I am considering stems from this question, where from a single web site visit it appears there are 389 entities handling security. If I was to make a SAR to each, processing the responses would take a long time, particularly if some provided responses that were incomplete or in a non-machine readable format, and I had to chase them. It would be much easier for me to set up a website that allows data controllers to upload files and associate them with portions of the request, validates that they can be read by a machine, and allows submission only when complete. I would send the requests from a no-reply email address.

Would requesting the response to a SAR in this form be valid, in that failure to complete a submission on the web form would allow one to seek to enforce one's rights through the courts? Assume the information requested is unambiguous, e.g. "what data do you have, where did you get it, who have you given it to", and the SAR includes all possible identifiers (in this case, the IP address the requests were made from, the content of all cookies, the URIs of all tracking images and the browser User-Agent).

Comment:

"one can specify a particular form of response, for example by email." Where does the GDPR say this? I can't find anything under Article 15, or Recital 63, which either says or implies this, and Article 20 doesn't apply (and also doesn't provide this).
– user28517, Apr 25, 2021 at 9:12

1 Answer

The GDPR is not as specific as you might like. I doubt that your strategy would work.

The GDPR does not explicitly allow you to choose in which format your requests will be answered. If the data controller chooses a different format or medium, I would assume they are compliant. All the GDPR says is this (Art 12(1)):

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.

For example, it would likely be perfectly compliant if they provide a response through physical mail. Electronic mail is common as a convenience to both parties. You as the data subject have no legal basis for forcing the data controller to interact with any website.

Furthermore, the GDPR does not give you a right to receive responses in a machine-readable format. In addition to your Art 15 right of access, you may have a separate Art 20 right to data portability. While generally similar (and usually handled by data controllers together), they have different conditions and cover different information. For example, information on the source and recipients of personal data is required under Art 15(1) letters (c) and (g), but that information will usually not be machine readable and is not in scope of Art 20. In any case, there are no commonly used machine-readable formats for responses to data subject requests, so each controller could choose its own format (typically a JSON or XML file, or a ZIP archive with a custom schema/structure), but only for the copy of your data, not for the additional information mentioned in Art 15.

Sending data subject requests from a no-reply address could be an indication that you're not actually interested in the responses, which could indicate that your requests are "manifestly unfounded" and can therefore be rejected under Art 12(5). While I personally think that such a rejection would not be proper, you're setting up a hard-to-defend position that doesn't seem like a good-faith attempt to exercise your data subject rights.
