
I shall use a real situation that happened to me, but this is just to demonstrate my point. I am definitely not going to do anything about it. This is a purely theoretical question, I am not interested in legal advice.

I made a GDPR Subject Access Request (SAR) of a data controller. To provide them with the data to identify myself they required me to use a web portal. This looked rather like a webmail interface, but only allowed communication to the data controller. To use this portal I had to create an account, which required accepting a conventionally long Terms and Conditions agreement. This was justified on security grounds. It is worth noting that I included a PGP public key with my initial SAR that would have allowed secure communication over email.

Can a data controller require the data subject to accept terms and conditions to identify themselves? Can a data subject require the data controller to accept terms and conditions to fulfil an SAR? Does the answer to the latter question depend on if the data controller has already made such a request?

  • The GDPR does not provide wiggle room for limiting the right to access through additional contracts. So this would probably depend on the contents of those ToS. Are they boring boilerplate of the form "Service grants User the right to use the Web Portal. User is forbidden from hacking the Service". Or would the ToS actually affect the rights of the data subject? Depending on jurisdiction, ToS are contracts of adhesion, so any terms that go beyond what can be reasonably expected would be unenforceable.
    – amon
    Commented Dec 12, 2023 at 17:59
  • @amon The thing is I do not know. I suspect I would struggle to be sure of the answer even if I had put the time in to try to read and understand the ToS. I suspect a company employee would be even more unwilling to put the effort in.
    – User65535
    Commented Dec 12, 2023 at 18:09
  • @amon what is meant by contracts of adhesion?
    – TylerDurden
    Commented Dec 25, 2023 at 17:37
  • @TylerDurden In some jurisdictions, "contracts of adhesion" refer to standard form contracts offered on a "take it or leave it" basis that won't be negotiated, e.g. "terms of service" contracts. Because there's no negotiation, some jurisdictions rule out one-sided or surprising terms in them. I'm not sure about the UK, but I know this applies to the German "Allgemeine Geschäftsbedingungen (AGB)" concept. Compare also the "contra proferentem" doctrine.
    – amon
    Commented Dec 27, 2023 at 14:27

1 Answer

They can't require you to agree to anything in exchange for completing the SAR. They are allowed to take reasonable steps to ensure that you really are the data subject, but it's hard to see how agreeing to such terms would be necessary.

I have been in this situation before, and the UK ICO confirmed that they need to fulfil the SAR without forcing me to agree to unrelated terms. That includes using third party "secure" email systems and the like.
