Do I have to disclose documents with confidential internal correspondence, and comments from my staff as part of a GDPR data subject access request? The Court of The Hague says “Yes, you do.”

• The right of access is not automatically blocked in advance because the relevant documents may contain confidential (internal) correspondence, including, personal thoughts and/or advice entered for internal consultation or decision-making.
• You may restrict access to confidential documents if this is necessary for the protection of the rights and freedoms of others.
• To protect such rights, you may redact the documents before producing them.
• The right of access only relates to personal data about the individual and not to other information included in the relevant documents.
• To comply with the right of access you should give the individual access or a copy, in comprehensible form, of this data, in a form that enables the applicant to understand that data and to check that it is correct and was processed in accordance with applicable law, so that the individual can exercise the rights granted to him/her by data protection law.

Read the ruling.

[View source.]