What’s this about?
Two Advocate General Opinions were recently issued at the European Court of Justice (“the European Court”), essentially concerning the scope of the right of access as regards the recipients to whom personal data have been disclosed, and the obtaining of copies of personal data, following Subject Access Requests (“SARs”) under the EU General Data Protection Regulation (“EU GDPR”). Whilst these Advocate General Opinions will not be binding on the European Court, they raise some interesting issues relating to SARs. This note takes a brief look at those issues.
What’s the legal and factual background?
Both EU GDPR and UK GDPR (along with the UK Data Protection Act 2018) allow individuals to make SARs to organizations (as data controllers) in order to obtain information about the personal data those organizations hold about them, subject to certain exceptions.
Under Article 15(1)(c) of GDPR:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: […] (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”;
and, under Article 15(3) of GDPR:
“The controller shall provide a copy of the personal data undergoing processing […]”.
Two separate cases are involved.
What was the first case about?
In the first of the two cases, in Finland, an individual who was both an employee and a customer of a bank made a SAR requesting that the bank (as data controller) tell him the identity of the persons who had consulted his personal data in the context of an internal investigation. The bank refused to provide the names of the employees who had processed his personal data, arguing that the right under GDPR Article 15 does not apply to log data of the bank’s data-processing system recording which employees have had access to the computer system containing customer data and at what time.
Following this, the individual brought a complaint before the Finnish data protection authority (Tietosuojavaltuutetun toimisto) requesting that the bank be ordered to hand over the information concerned. The DPA rejected the complaint, following which the individual brought legal proceedings before the Administrative Court of Eastern Finland which referred a number of questions to the European Court for a legal interpretation of GDPR Article 15(1) including whether a data subject (i.e. an individual) has the right to know the identity of employees who have accessed the data subject’s personal data, where those employees were acting on the instructions of the data controller (here, the bank).
What was the second case about?
In the second case, in Austria, a business consulting agency provided, at the request of its clients, information on the creditworthiness of third parties – it was for that purpose that the agency processed the personal data of the individual in question. The individual made a SAR to the agency (as data controller) to obtain, amongst other things, information on the individual’s personal data that was being processed, and the individual requested in particular a copy of that data in a standard technical format.
Following that request, the agency provided some of the requested information as an aggregate that reproduced the stored personal data of the individual in question: first, in a table broken down by name, date of birth, street, postal code, and place; and, second, in a statement summarizing corporate functions and powers of representation. However, no other documents such as emails or extracts from databases were sent by the agency to the individual.
Following this, the individual filed a complaint with the Austrian DPA (the DSB) in which he claimed that the response to his request was incomplete and, in particular, that the agency should have sent him a copy of all the documents, including the emails and database extracts, that contained his personal data. The DSB rejected the complaint, following which the individual brought legal proceedings before the Austrian Federal Administrative Court which referred a number of questions to the European Court for a legal interpretation of GDPR Article 15(3) including about the scope of providing a “copy” of the personal data that was being processed.
What did the Advocates General say?
The Advocate General in the Finnish case said in his official Opinion that:
- GDPR Article 15(1) does not give a data subject the right to know, from among the information available to a data controller (where applicable, through records or log data), the identity of the employee or employees who, under the authority and on the instructions of the data controller, have consulted his or her personal data;
- Employees acting under the bank’s instructions could not be regarded as “recipients” of personal data either. The concept of “recipient” does not include employees of a legal person who, when using the latter’s computer system, consult the personal data of a client on behalf of its administrative bodies. Where those employees act under the direct authority of the controller, they do not, on that basis alone, acquire the status of “data recipients”;
- However, there may be situations in which an employee does not comply with the procedures established by a data controller and, on his or her own initiative, accesses the data of customers or other employees in an unlawful manner. In such a case, the dishonest employee would not have acted for and on behalf of the controller. To that extent, the dishonest employee could be described as a “recipient” to whom personal data of the data subject was “communicated” (figuratively speaking either by his or her own hand and thus unlawfully, or even as a data controller in his or her own right).
The Advocate General in the Austrian case said in his official Opinion that:
- GDPR Article 15(3) (“The controller shall provide a copy of the personal data undergoing processing”) must be interpreted as meaning that the concept of “copy” referred to there must be understood as a “faithful reproduction in intelligible form” of the personal data requested by a data subject, in material and permanent form, that enables the data subject effectively to exercise his or her right of access to his or her personal data in full knowledge of all his or her personal data that undergo processing – including any further data that might be generated as a result of the processing, if those also undergo processing – in order to be able to verify their accuracy and to enable him or her to satisfy himself or herself as to the fairness and lawfulness of the processing so as to be able, where appropriate, to exercise further rights conferred on him or her by EU GDPR;
- The exact form of the “copy” is determined by the specific circumstances of each case and, in particular, the type of personal data in respect of which access is requested and the needs of the data subject;
- GDPR Article 15(3) does not confer on the data subject a general right to obtain a partial or full “copy” of the document that contains his or her personal data or, if the personal data are processed in a database, an extract from that database; and,
- GDPR Article 15(3) does not rule out, however, the data subject having to be provided with portions of documents, or entire documents or extracts from databases, if that were necessary to ensure that the personal data undergoing processing and in respect of which access is requested are fully intelligible.
What are the next steps?
The judges of the European Court must now make their rulings, which can be expected sometime in the not-too-distant future. The Opinions of Advocates General are not binding on the judges, although, generally speaking, the latter tend to follow the Opinions. The Opinions are not binding on UK courts, and nor are European Court judgments, although they may be taken into consideration by the courts and the UK DPA (the ICO) where relevant, at least for now.
What are the takeaways?
It seems that, depending on the given circumstances of a request, the type of personal data requested, and the needs of the individual making the SAR, the transmission of personal data to an individual making a SAR in the form of a table and a summary statement is allowed in principle.
If the Opinion in the Finnish case is followed by the judges, this should help an organization to resist SARs seeking the disclosure of the identity of employees who have accessed an individual’s personal data.
If the Opinion in the Austrian case is followed by the judges, this will be broadly in line with what the UK’s data protection regulator says in its official guidance:
“The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data. You may therefore provide the information in the form of transcripts of relevant documents (or of sections of documents that contain the personal data), or by providing a print-out of the relevant information from your computer systems. While it is reasonable to supply a transcript if it exists, we do not expect controllers to create new information to respond to a SAR. Although the easiest way to provide the relevant information is often to supply copies of original documents, you are not obliged to do so”.
Organizations should check what the judges’ eventual rulings will say and, in light of this, organizations should consider reviewing their Subject Access Requests policy and procedures and revise them if need be.
We have written about Subject Access Requests here: https://www.corderycompliance.com/ico-sar-uk1/, here: https://www.corderycompliance.com/sars-under-gdpr/, here: https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, here: https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/, and here: https://www.corderycompliance.com/uk-appeal-court-ruling-on-balancing-test-in-sars-2/.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The Advocates General’s Opinions can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=268629&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1864501 and here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=268626&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1865770.
The ICO guidance is here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/how-should-we-supply-information-to-the-requester/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785