Paris, 27th janv. 2014

Personal data : Net improvement of AFCDP Right of Access Index

On the occasion of Data Privacy Day, the French Data Privacy Officer Association publishes its Index of the right of access 2014, significantly improved.

AFCDP 2014 Access Right Index

Under the French Data Protection law, each data subject has a right of access on his personal data. The AFCDP publishes its annual measure of the effectiveness of that right. The answers that can be expected have steadily improved : 41% of organizations solicited have made a reply complying with the law. This indicator shows a clear progress when compared to previous surveys (from 18% in 2010, to 20% and 30% from the previous years).

The Data Privacy Day is an initiative of the Council of Europe with the support of the European Commission, who solemnly proclaimed the 28th of January of each year “Data Privacy Day”. In 2009 USA and Canada joined the initiative, with one goal : raising the public’s awareness of their rights to promote the protection of their personal data and the respect of the fundamental rights and freedoms of natural persons, and in particular the right to privacy.

In this context, the French DPO Association unveiled in January 2010 its first « AFCDPs index of the right of access ». The association publishes today the fourth edition of the Index, in partnership with the Paris High School ISEP.

This index is based on the work completed by the participants of the European Master’s Degree in « Management and Personal Data Protection » delivered by ISEP since seven years. Into their course work, the students have many projects underway, one of which is to exercise their rights of access.

The promotion 2012-2013 has therefore requested 224 private and public sector bodies.

In conformance with the so-called « Informatique et Libertés » law (Article 39), any natural person providing proof of identity is entitled to ask the data controller of personal data in order to know if he detains information on her, and where applicable, to be provided with the relevant material.

The students exercised their right of access on the spot and by post (or email) nearby organisms with which they felt likely the fact that these are holders of personal data relating to them and covering daily life of citizens in all their aspects : employment/training, housing, banking and insurance, trade, health care, information and communication society, public administrations...

If that Index does not pretend to be representative of all companies, however it corresponds to the organizations which had more frequent contact with the public. In its nature, the sample is reasonably comparable from one year to the other (same sectors of activity) and the method implemented is the same.

57% of the tested entities replied within two months :

On the 224 contacted organisations, 72% reacted, that indicates a marked increase compared with the previous year and a return to levels experienced in the first few index.

But « react » does not mean to fulfill its legal obligations. In fact, to be valid, the reply must be received within two months.

Index AFCDP 2014 of the right of access : 57% of required entities replied within the two months allowed in the legal framework.

Only 1% of organizations that have been asked a few euros financial contribution (most often the amount is announced to cover postage cost, when the legislation clearly stipulates that the possibility to charge a fee is only to cover the expenses of reproduction).

More responses comply with the French Personal Data Protection Law :

However reply within the two months required doesn’t mean that the reply complies with the law. The ISEP Master degree participants have determined the level of compliance of the responses.

In their opinion, 41% of required organizations made a reply complying with the law. (in blue on the above diagram).

This indicator shows a clear progress with respect to the previous years (coming from 18% in 2010).

The « specificities » of the Index 2014

The members of Masters’ ISEP 2012-2013 found that :

  • A requestor was threatened by the enterprise solicited … expressing a strong dissatisfaction to be disturbed and disregarding visibly the French data protection law !
  • A big bank is unable to find any data regarding… one of his loyal customer.
  • A magazine of the press consumer oriented wrongly interprets the request as referring to a subscription.
  • A very large international undertaking of the CAC40 index firms content itself with sending some copies, without any cover letter, but with an anonymous post-It involving the words : « These are ! »
  • A department store, unprepared to such exercises, put in copy the applicant, who attended amused to the internal e-mail exchanges, and « multi-bounds » between the various services, which no one wanted hear the request.
  • Several hospitals have made the confusion with request of access to the medical file – paid access – … and rushed to enclose an invoice in sending !


  • A bank (The Crédit Agricole des Savoies) communicates the scoring and offered to reimburse the postal costs paid by the applicant.
  • The Secours Catholique was fully compliant in its answer and set out the procedure to be followed to take advantage of the Robinson list (avoiding receiving any marketing message).
  • Amazon Luxembourg addresses a recommended letter with acknowledgement of receipt announcing the sending of a crypted CD – that mail includes passwords to access to the file and read the records. The CD is also received in recommended letter with acknowledgement of receipt.

It was also observed that in Poland, in order to limit abusive requests, data subject can only sent one request every six months to the same data controller. Spain adopted the same principle, but with an interval of 12 months. In Belgium, the time limit for responding is 45 days, 40 in United-Kingdom, 15 in Italy and 4 weeks in Denmark (compared with two months in France). The Greece, the Spain and Sweden impose to the data controller the systematic communication of the origin of the data processed. The British and Italian data controllers may charge a fee even if no data has been found.

The ISEP class has also raised many interesting practices used by the tested organizations in order to verify the identity of the applicant : Apple requests informations that are considered to be known only by the data subject, for Amazon a form must be completed and returned. To be noted, in United-Kingdom, the Data Protection act does not foresees explicitly the need to verify the applicant’s identity.

Concerning the same subject matter of the applicant’s identity checks (It shall be avoided to deliver personal data to unauthorized third persons), the class considered usefully the question of the specific case of the requests made by a divorced parent. How a data controller can know if the applicant is a custodial or non-custodial parent ?

Among the reasons of negative judgment communicated by the « testers » there are : a total lack of understanding of the request ; a lack of verification of the applicant’s identity ; the data collection of irrelevant data ; the provision of personal data of others ; incomplete nor incomprehensible responses ; retention periods irrelevant regarding the purpose of the processing.

We have to note in addition at this stage the difficulty - too often - to find clear information on the organizations’ website how to exercise the right of access.

Many also are the organizations whose collaborators in charge of to process these requests and become startled or who admit to being incompetent for that.

We remind that in April 2009 the CNIL (French Data Protection Authority) imposed a fine of 7.000 € made available to the public inimical of an ISP who just replied partially to the requests of a customer interested in accessing to all of her personal data.

To know more : Bruno RASLE, Delegate General of the AFCDP, delegue.general@afcdp.net Mobile phone. +33 (0) 6 1234 0884

Thanks : Thanks to the students 2012-2013 of the Master Degree ISEP for their involvement. DPOs of the future, they will be committed to implement in their organizations the procedures to reach a reply effectively and securely to the requests of access of the data subjects.

We especially thank Claire Levallois-Barth, Doctor of law and teaching researcher at Télécom ParisTech, who led the research of the students regarding the right of access, Denis Beautier, responsible for the « Mastères Spécialisés » of ISEP for the considerable project support given, Flavia Caloprisco and Corentin Hellendorf for their help.

That Index was based on an original idea of Bruno Rasle, AFCDP’s Delegate General.

AFCDP 2014 Access Right Index

PDF - 159 ko