Can a controller disable the electronic exercise of data subject rights under Articles 15–22 GDPR?
ANSWER
Under Article 12(3) GDPR, the controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 GDPR, and any communication under Articles 15–22 and 34 relating to processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language — in particular where the information is addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, electronically. Where the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means.
According to the GDPR commentary by Dr Marlena Sakowska-Baryła:
"Under Article 12(3) GDPR, if the data subject submitted their request electronically, the controller should, where possible, also provide the information electronically, unless the data subject requests another form. It appears that the legislator deliberately made electronic form the default means of resolving data-related issues — this is quite convenient, as it leaves many different traces and in fact supports the principle of accountability. Under Article 12(1) GDPR, at the data subject's request, the controller may provide information orally, provided that the identity of the applicant is proven by other means. Certainty of identification is crucial in this case, especially for requests made under Article 15 GDPR. Obtaining a response sometimes requires checking additional information confirming the identity of the person whose data is to be disclosed, also where there are reasonable doubts as to the identity of the person making the request in a manner other than orally (in line with Recital 59, the controller should enable the individual to submit requests for the exercise of their rights electronically as well, especially where personal data are processed electronically)."
Therefore, a proposed solution excluding electronic (email) communication would narrow the possibilities for data subjects to exercise their rights. The legislator's intention was precisely that communication should take place electronically as one of the fastest and simplest forms. Arguments concerning the possible disclosure of data to unauthorized persons will not be sufficiently persuasive, since under Article 12(1) and (6) GDPR, the controller may request additional information to confirm identity and avoid mistakes.
