Following our two-part series which considered the impact of European decisions on the scope of data subject access requests (DSARs) [read Part 1 and Part 2], a further opinion has been released by the AG that limits the scope of DSARs.
This opinion (in the case of Österreichische Datenschutzbehörde and CRIF - Case C-487/21) concerns whether the data subject is entitled to a "copy" of the document which contains their personal data, or if it is sufficient to provide an extract.
This decision could have large practical impacts on how data controllers respond to DSARs both in the EU (where it is directly applicable) and in the UK (where it will be persuasive).
What is a "copy"?
Article 15(3) of the GDPR provides that in response to a DSAR:
"The controller shall provide a copy of the personal data undergoing processing."
In this case, the data controller provided the personal data in a summary form by reproducing the personal data in a table / list but without providing the email or extract from the database from which the personal data came. This lead to a complaint that the response was incomplete since Article 15(3) entitled the data subject to a copy of the documents which contained his personal data.
In considering Article 15(3), the AG was asked to determine whether the provision of the personal data in the form of the decontextualised table / summary statement satisfied the requirements, or if there was a right to obtain a copy of the personal data in the form of copies of the documents / databases.
As a starting point, the GDPR does not contain a definition of "copy". The AG determined that taking the ordinary meaning of this word in everyday language that the datasubject was entitled to a faithful reproduction of their personal data in an intelligible form which allows the data subject to have full knowledge of the data being processed in order to allow them to verify the accuracy / lawfulness of the processing and exercise the other rights conferred by the GDPR.
The AG however caveated this position:
"…it is not excluded that, in certain cases, in order to guarantee the person concerned that the information sent to him is perfectly understandable, it is necessary to provide to this person passages of documents, even complete documents or extracts from databases. However, this is inevitably on a case-by-case basis, depending the nature of the data that is the subject of the request and demand itself, that it is appropriate to appreciate the need to provide documents or extracts in order to guarantee the intelligibility of the information sent." (translated)
For the data subject to fully understand the processing of their personal data, it may therefore be necessary to provide a copy of the document. This is however not a general right and remains subject to the requirement to not infringe the rights and freedoms of others (including trade secrets, IP and personal data of third parties).
Lastly, the AG emphasised that the objective of a DSAR is to enable the data subject to understand how their data is being processed, verify the accuracy/lawfulness, and exercise their other rights in relation to their personal data. Data controllers should be providing the personal data in a way which enables this objective to be met. This could be satisfied by a faithful reproduction of the data. Providing a copy document containing the data would not be essential to meeting the objective of DSARs – unless the provision of the document is required to provide full intelligibility of the personal data.
Where does this leave data controllers?
- The starting position is that the right of access does not entitle a data subject to copies of documents which contain their personal data.
- However this should be considered on a case by case basis to ensure that the provision of the wider document is not required to enable the data subject to understand how their personal data is being processed and exercise their rights.
- The AG's opinion does not provide examples of when this decontextulised approach would not satsify the requirement of Article 15(3).
We have seen responses to DSARs both by extracting the personal data and providing in a table (the narrow approach), and providing redacted copies of documents (the wide approach). The AG's opinion confirms that this narrow approach is in compliance with the GDPR, however in some circumstances may not be approriate.
Typically, we see data subjects raise complaints about the scope of redactions or the narrow approach being adopted when seeking further information to bring a claim against the data controller (such as in the context of an employment grievance). The AG's indication that the provision of the wider document is driven by the data subject seeking to verify their privacy rights may assist data controllers to resist excessive requests for documents that are intended for other purposes.
In combination with the AG's opinion last year that DSARs may be abusive if the purpose is to seek disclosure for the purposes of litigation (read our previous article on litigation and data subject access requests here), this emphasis that the provision of a copy of a document is to be judged against the privacy objective of DSARs hints that the European approach is moving towards reducing the use for collateral litigation purposes.
For further insight on data subject access requests and how WBD can assist with these, please visit the WBD Clarity page.
This article is part of Womble Bond Dickinson’s Growing Global series. For more insights, click here to visit our Growing Global hub.