Data Protection Authority: "Where did you get my e-mail address?" - No request for full access under Art. 15 GDPR
The Danish Data Protection Authority (DPA) has made an interesting decision on responding to requests for access to personal data under Art. 15 GDPR (decision of 21.6.2021, PDF).
Facts
The complainant had received a newsletter from the company concerned (Pixojet). On the same day, he asked Pixojet to tell him where Pixojet had obtained his e-mail address. Pixojet informed him that he had subscribed to Pixojet's newsletter and that Pixojet could delete his subscription. However, the complainant assumed that he had never signed up for the newsletter and then asked for information about when he subscribed to the newsletter and from what source.
Pixojet did not answer this directly. Only after the complainant asked again where Pixojet got its information did a customer service agent reply that he was not sure, but that it looked like the complainant had registered manually.
The complainant continued to assume that he had never signed up for the newsletter. He assumed that there had been a breach of the GDPR, both in how the data reached Pixojet (possibly via a third-party source) and in Pixojet's response to his request for access to data under Art. 15 GDPR.
Decision
The Danish Data Protection Authority first refers in general to the right of access under Art. 15 GDPR.
According to Art. 15(1)(g) of the GDPR, the data subject has the right to obtain all available information about the source of the personal data if it has not been collected from the data subject.
The DPA has understood the complaint in such a way that the data subject is of the opinion that Pixojet has not provided him with information in accordance with the requirements of Art. 15 GDPR.
However, the supervisory authority does not see it that way and assumes that no violation has occurred. Reason: the data subject's questions did not constitute a request for access under Art. 15 GDPR in the first place.
According to its reasoning, the Danish data protection authority sees no reason to object to the company's assessment that the complainant's inquiries are not to be understood as a request for unrestricted information pursuant to Art. 15 GDPR.
The DPA thus assumes that the questions of the data subject outlined above do not constitute an exercise of the full right of access to personal data pursuant to Art. 15 GDPR. Thus, of course, not all obligations of Art. 15 GDPR apply to the company.
From the reasoning: “The Danish Data Protection Agency has thereby placed emphasis on the wording of the complainant’s inquiries, which states that he was interested in knowing specifically where Pixojet had his e-mail address”.
The DPA thus probably assumes only a very limited exercise of the right of access; specifically with regard to the origin of the data. The Danish Data Protection Authority then notes that Pixojet informed the complainant that the information about him probably came from a manual entry in Pixojet's newsletter on the company's website.
Conclusion
The decision is relevant in practice in two respects.
On the one hand, a specific question from a data subject does not directly trigger the full cascade of obligations under Art. 15 GDPR. It is, of course, questionable at what point a full exercise of the right can be assumed; it can most likely be assumed when a person makes it clear that he or she is requesting comprehensive information pursuant to Art. 15 GDPR.
On the other hand, the obligation to provide information under Art. 15(1)(g) GDPR is fulfilled if the company provides information about the origin of the data in accordance with its level of knowledge. This does not include any further obligation to clarify or investigate.
Privacy operations management Vodafone VOIS
3 years ago: Would be interested to hear their position on how Art. 14.2/f and/or Art. 15.1/g should be complied with in this context
Director Compliance & Regulation Services Trinity London
3 years ago: Unsatisfactory
Director of Clark & Company Information Governance Services - Providing sensible, actionable and pragmatic compliance and information governance advice to the education sector since 2014.
3 years ago: There’s an awful lot of assumptions in this tale from all parties involved