In a recent noteworthy ECJ case, a business consulting agency (the “Agency”) specializing in creditworthiness assessments, was confronted with a data subject’s access request from an individual seeking information concerning their personal data. This individual insisted on obtaining all documents - specifically emails and database extracts - containing their personal data and asked for this to be delivered in a 'standard technical format'.

The Agency elected to provide only a summarized list of the individual's personal data under processing. Unhappy with this approach, the individual lodged a complaint with the Austrian Data Protection Authority. He argued that he should have been provided with copies of all documents containing his personal data, as opposed to a mere summary.

Following the rejection of the individual's complaint, the case was brought in front of the Federal Administrative Court in Austria which then referred several questions to the ECJ.

The first outstanding question was whether the obligation to give access is fulfilled where the controller provides the personal data through a summary table or whether the said obligation also requires the provision of the medium where these are reproduced (e.g.,  document extracts entire documents, extracts from databases, etc…).

The second outstanding question related to the interpretation of the concept of ‘information’ as referred in Article 15(3) GDPR.

To answer these questions, the ECJ indicates the following :

• The right to ask for a ‘copy’ of the personal data undergoing processing is to be interpreted as a requirement to provide the data subject with a faithful and intelligible reproduction of all those data (as per article 15(3) GDPR) which means that the data subject has the right to obtain a faithful reproduction of his or her personal data that are subject to operations that can be classified as processing carried out by the controller. This does not mean however that the data subject must systematically be provided with copies of extracts from documents or even entire documents or extracts from databases which contain those data. The provision of such copies of documents, of extracts and of databases is required only to the extent that such provision is essential in order to enable data subjects to effectively exercise their rights under the GDPR. Providing a copy constitutes the exception rather than the rule. Additionally, the ECJ is clear on that fact that consideration must be given to the rights and freedoms of others when a broader communication is contemplated which means  that a balance needs to be found between all the rights in question.

• The 'information' that must be communicated to the data subject as referred to in article 15.3 is limited to the data subject's personal data undergoing processing.

What does it mean in practice if you are controller ? Our recommended approach

When a decision is made to grant a data subject's access request, particularly in the case of an employee, a comprehensive material scope assessment becomes essential. This evaluation is in addition to the more traditional assessment of the data subject request response (e.g., verification of the data subject's identity, identification of the personal data concerned by the request, etc..) . It serves to determine the modalities of communication and the extent of data and copies to be provided to the data subject making the request.

Such thorough assessment of the scope and means becomes essential. Particularly, in France, where the CNIL guidelines to answer employee's request may introduce confusion as it tends to emphasize the provision of copies. However, it is crucial to remember that this should be an exception rather than the default position.

It is crucial that the above assessment is documented and further detailed in a Data Request Access Management policy to ensure that the management of the data subject's request complies with the GDPR¹.

The ECJ provides here useful guidelines for controllers dealing with data subjects requests of access. It is particularly relevant in the context of employment relationship where this request is often used by leavers' employees in case of litigation with their former employer. However, the ECJ's decision may not provide sufficient guidance. It would be beneficial for authorities or the European Data Protection Board (EDPB) to offer more comprehensive instructions. Particularly, it's crucial to deter potential misuse of Article 15 data subject requests, ensuring they don't become expedient tools for discovery rather than instruments of privacy protection.

References

1 A key element when responding to a data subject access request is to answer in a timely manner in accordance with the deadlines set forth in the GDPR.