The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. While the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner has published a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does a company have to respond to an access request that it receives from a third party that purports to be acting on behalf of a data subject?
Answer: Maybe.
In order for a third party to submit a data subject access request on behalf of an individual, they must be “entitled to act” on the individual’s behalf.[1] Some supervisory authorities have made clear that it is the responsibility of the third party to “provide evidence of this entitlement” sufficient to satisfy the controller that agency exists.
While the type of evidence that a third party should provide may differ depending upon the circumstances (e.g., the type of personal information at issue), and the jurisdiction, generally companies might expect “a written authority to make the request” or a “general power of attorney.” In situations in which ambiguity exists as to whether the data subject has authorized the third party to both submit the request, and to receive-back personal information, a controller may elect to “send the response directly to the individual rather than to the third party.”
[View source.]
