The #GDPR states that if an access request is submitted electronically, the response must also be electronic.
But then there is a separate rule that if the data is too sensitive for the means of transmission that have been established (e.g. unencrypted email), the data controller must still respect the security requirements in their response at the same time and maintain an appropriate security level for the data. Thus this could mean that they have to send a USB stick via postal service to the data subject.
But then at the same time, there is another rule that an initial request must be completed free of charge. So taking all that together, there are situations where data subjects will end up with gratis USB sticks.
This inspires the question: what kind of data is too sensitive for unencrypted transmission and what kind of data is not?
EDIT: If I were a data controller and for whatever reason I could not establish an appropriately secure channel, I might be tempted to offer data subjects these choices:
- provide it on optical media (it’s the subject’s problem if they no longer have a drive)
- demand a refundable deposit for the media and provide a postage-paid return envelope
- require the data subject to deliver their own media
- offer the option for the data subject to appear on site in person and copy the data, and return the media
- publicly post PDF docs that are AES-encrypted and snail-mail the password to them
I have no idea if those would be compliant. Likely the 4th bullet is, because it’s expressly stated that data controllers can require data subjects to collect their data in person so the data controller can get a signature proving that the data made it into the correct hands.
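The fifth bullet above (publish the document AES-encrypted, mail the password) as a worked example. This is added here and is not code from the original post; it assumes its own file layout (salt || nonce || AES-256-GCM ciphertext), a PBKDF2-HMAC-SHA256 work factor of 600,000, and a machine-generated 160-bit passphrase for the letter. The sample export is constructed. It wraps the whole file in authenticated encryption rather than relying on the PDF format's built-in password protection:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per export, stored in the header
	nonceLen   = 12      // standard GCM nonce size
	keyLen     = 32      // AES-256
	Iterations = 600_000 // PBKDF2 work factor (assumed value; raise as hardware allows)
)

// pbkdf2SHA256 derives keyLen bytes from passphrase with PBKDF2-HMAC-SHA256
// (RFC 8018). Written out so the example needs only the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = PRF(P, S || INT(block))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(P, Uj-1); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// NewMailedPassphrase returns 160 bits of randomness as 32 base32 characters,
// suitable for printing in the letter that goes by post. The ciphertext is
// public, so the passphrase's entropy is the only thing resisting offline
// guessing; never let a human choose it.
func NewMailedPassphrase() string {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable here
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
}

// keyFor derives the export key from passphrase and salt and returns an AES-256-GCM AEAD.
func keyFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, Iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an export. Layout: salt(16) || nonce(12) || AES-256-GCM ciphertext+tag.
// The header is bound in as associated data, so editing it fails authentication too.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := keyFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(header), len(header)+len(plaintext)+aead.Overhead())
	copy(out, header)
	return aead.Seal(out, nonce, plaintext, header), nil
}

// Open reverses Seal. A wrong passphrase and a tampered file are indistinguishable
// on purpose: both simply fail authentication.
func Open(passphrase string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen+16 {
		return nil, errors.New("sealed export too short")
	}
	header := sealed[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := keyFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, sealed[len(header):], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered export")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample export; stands in for the PDF the controller would publish.
	export := []byte(`{"subject":"example","records":["constructed sample"]}`)
	pass := NewMailedPassphrase() // this string goes in the letter
	sealed, err := Seal(pass, export)
	if err != nil {
		panic(err)
	}
	fmt.Printf("publish %d bytes; mail passphrase %s\n", len(sealed), pass)
	if _, err := Open(pass+"X", sealed); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	got, err := Open(pass, sealed)
	fmt.Printf("recovered %q (err=%v)\n", got, err)
}
```

The design choice worth noting: because the ciphertext sits on a public web page, anyone can run an offline guessing attack against it, so the slow KDF only buys time and the generated 160-bit passphrase is what actually makes guessing infeasible. GCM also means a flipped byte anywhere in the file is rejected rather than silently decrypting to garbage.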
Sounds fun, but: who still uses USB sticks? Why would I want an unreasonably cheap one that fails when I need it most anyway? Why extra trash?
If I need to transport data and an external 3.5" HDD is too much, a small M.2 SSD with USB-C is perfect. That “stick” could be multiple TB with amazing speed and safety.
Anything below 100 GB goes on the smartphone, or rather its SD card, anyway.
Nothing specifies that the controller must use a USB stick (the USB stick is just an example that the EDPB gives in their guidelines). So the media is the controller’s choice AFAIK, who is free to use whatever complies (which could be an SD card).
My local public libraries do. When I want to bring data to the library to insert directly into a printer, or into their PCs, the USB bus is the sole means (could be a drive of any physical size though).