The #GDPR states that if an access request is submitted electronically, the response must also be electronic.
But then there is a separate rule that if the data is too sensitive for the means of transmission that have been established (e.g. unencrypted email), the data controller must still respect the security requirements in their response at the same time and maintain an appropriate security level for the data. Thus this could mean that they have to send a USB stick via postal service to the data subject.
But then at the same time, there is another rule that an initial request must be completed free of charge. So taking all that together, there are situations where data subjects will end up with gratis USB sticks.
This inspires the question: what kind of data is too sensitive for unencrypted transmission and what kind of data is not?
EDIT: If I were a data controller and for whatever reason I could not establish an appropriately secure channel, I might be tempted to offer data subjects these choices:
- provide it on optical media (it’s the subject’s problem if they no longer have a drive)
- demand a refundable deposit for the media and provide a postage-paid return envelope
- require the data subject to deliver their own media
- offer the option for the data subject to appear on site in person and copy the data, and return the media
- publicly post PDF docs that are AES-encrypted and snail-mail the password to them
I have no idea if those would be compliant. Likely the 4th bullet is, because it’s expressly stated that data controllers can require data subjects to collect their data in person so the data controller can get a signature proving that the data made it into the correct hands.