What’s this about?
The European Court has given a ruling concerning Subject Access Requests (“SARs”) under the EU General Data Protection Regulation (“EU GDPR”), in which it said that the right to obtain a “copy” of personal data essentially means that the individual making the request must be given a “faithful and intelligible reproduction” of all those data. This article briefly looks at the issues.
What’s the legal and factual background?
Both EU GDPR and UK GDPR (along with the UK Data Protection Act 2018) allow individuals to make SARs to organisations (as data controllers), through which they can seek information about the personal data those organisations hold about them, subject to certain exceptions.
Under Article 15(1)(c) of EU & UK GDPR:
- “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data […]”;
and, under Article 15(3) of EU & UK GDPR:
- “The controller shall provide a copy of the personal data undergoing processing. […] Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”
In Austria, a business consulting agency provided, at the request of its clients, information on the creditworthiness of third parties – it was for that purpose that the agency processed the personal data of the individual in question. The individual made a SAR to the agency (as data controller) in order to obtain, amongst other things, information on the individual’s personal data that was being processed, and the individual requested in particular a “copy” of that data, in this case emails and database extracts containing his personal data, to be provided to the individual in a standard technical format.
Following that request, the agency provided some of the requested information as an aggregate that reproduced the stored personal data of the individual in question: first, in a table broken down by name, date of birth, street, postal code, and place; and, second, in a statement summarizing corporate functions and powers of representation. However, no other documents such as emails or extracts from databases were sent by the agency to the individual.
Following this, the individual filed a complaint with the Austrian Data Protection Authority, the Österreichische Datenschutzbehörde (the DSB) in which he claimed that the response to his request was incomplete and, in particular, that the agency should have sent him a copy of all the documents, including the emails and database extracts, that contained his personal data. The DSB rejected the complaint, following which the individual brought legal proceedings before the Austrian Federal Administrative Court which referred a number of questions to the European Court for a legal interpretation of GDPR Article 15(3) including about the scope of providing a “copy” of the personal data that was being processed.
What did the court rule?
The European Court ruled that:
- The right to obtain from the controller a “copy” of the personal data undergoing processing (pursuant to the first sentence of Article 15(3) of EU GDPR) means that the individual making the request must be given a “faithful and intelligible reproduction” of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, amongst others, those data, if the provision of such a “copy” is essential in order to enable the individual to exercise effectively the rights conferred on him or her by EU GDPR, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others;
- According to the European Court, although Article 15(3) of EU GDPR does not contain a definition of the term “copy”, account must be taken of the usual meaning of that term, which refers to the faithful reproduction or transcription of an original, meaning that “a purely general description of the data undergoing processing or a reference to categories of personal data does not correspond to that definition”;
- The European Court stated that the term “copy” does not relate to a document as such, but to the personal data which it contains and which must be complete. The “copy” must therefore contain all the personal data undergoing processing;
- The European Court stated that the data controller is obliged to take appropriate measures to provide the requesting individual with all the information referred to in Article 15 of EU GDPR, “in a concise, transparent, intelligible and easily accessible form, using plain and clear language, and that the information must be provided in writing or by other means, including, where appropriate, by electronic means […]”. Therefore, the “copy” of the personal data (undergoing processing) “must have all the characteristics necessary for the [individual making the request] to exercise his or her rights effectively and must, consequently, reproduce those data fully and faithfully”;
- According to the European Court, “[i]n order to ensure that the information provided is easy to understand […], the reproduction of extracts from documents or even entire documents or extracts from databases which contain, amongst others, the personal data undergoing processing may prove to be essential […] where the contextualisation of the data processed is necessary in order to ensure the data are intelligible. In particular, where personal data are generated from other data or where such data result from empty fields, that is to say, where there is an absence of information which provides information about the [individual making the request], the context in which the data are processed is an essential element in enabling the [individual making the request] to have transparent access and an intelligible presentation of those data”;
- The European Court also stated that, “[…] in the event of a conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that […] the result of those considerations should not be a refusal to provide all information to the [individual making the request]”; and,
- Finally, according to the European Court, the concept of “information” referred to in the third sentence of Article 15(3) of EU GDPR relates exclusively to personal data of which the data controller must provide a “copy” pursuant to the first sentence of that paragraph.
What are the takeaways?
The European Court has ruled that the SAR right to obtain from a data controller a “copy” of the personal data undergoing processing means that the individual making the request must be given a “faithful and intelligible reproduction” of all those data, and that this right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, amongst others, those data. It is important to highlight, however, that the right to obtain copies of extracts from documents etc. seems to be subject to a proviso: it applies if the provision of such a “copy” is essential in order to enable the individual to exercise effectively the rights conferred on him or her by EU GDPR (also bearing in mind that account must be taken, in that regard, of the rights and freedoms of others). It therefore seems that, when responding to a SAR, a data controller can make a determination as to whether or not providing a “copy” in the meaning given to this term in this ruling is essential in order to enable the individual making the request to exercise effectively the rights conferred on him or her by EU GDPR. Accordingly, if a data controller determines that providing a “copy” etc. is not essential (in the sense of the ruling), the provision of summaries about the personal data in question would still seem to be possible. A data controller would likely need to be able to justify making such a determination, which may well be a delicate balancing act, depending on the circumstances in question.
As a practical takeaway, businesses will need to consider factoring revised sections about supplying a “copy” of personal data into their internal Subject Access Request policy and procedures in light of the European Court’s ruling.
Post-Brexit, this ruling will not bind the UK. In any event, it may not sit squarely with what the UK’s data protection regulator, the ICO, says in its official guidance about “copies”, as follows:
- “The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data. You may therefore provide the information in the form of transcripts of relevant documents (or of sections of documents that contain the personal data), or by providing a print-out of the relevant information from your computer systems. While it is reasonable to supply a transcript if it exists, we do not expect controllers to create new information to respond to a SAR. Although the easiest way to provide the relevant information is often to supply copies of original documents, you are not obliged to do so”.
It should also be noted that guidance is just guidance and it is for the courts to make definitive interpretations about the law.
We have written about Subject Access Requests here: https://www.corderycompliance.com/ico-sar-uk1/, here: https://www.corderycompliance.com/sars-under-gdpr/, here: https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, here: https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/, and here: https://www.corderycompliance.com/uk-appeal-court-ruling-on-balancing-test-in-sars-2/.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The European Court judgment can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=273286&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4335913.
The ICO’s guidance can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/how-should-we-supply-information-to-the-requester/
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785