DSAR: three questions answered by recent case law
Kris Somers (CIPP-E/CIPM)
The (vast) majority of privacy cases that end up on the desk of supervisory authorities start with a complaint by a data subject, more often than not following an (often badly managed) data subject access request (DSAR) pursuant to Article 15 GDPR. In the early days of GDPR compliance, a justified focus has been on the obligations of data controllers in relation to responding to such DSAR. Yet of late, more jurisprudence is transpiring that addresses the limits of the data subjects’ right of access to information – and consequently the right of data controllers, if not to outright refuse such access, at least qualify their response. Without any claim to exhaustiveness, this contribution aims to showcase three recent cases that (at least in part) address an equal number of frequently asked questions about DSAR.
What is considered “a copy” of personal data?
According to Article 15(3) GDPR, “the controller shall provide a copy of the personal data undergoing processing”. Much has been written about what precisely constitutes a “copy”. In its recently adopted Guidelines 01/2022, the EDPB states that the notion of a copy has to be interpreted in a broad sense and includes the different kinds of access to personal data as long as it is complete (i.e. it includes all personal data requested) and possible for the data subject to keep. Thus, according to the EDPB, the requirement to provide a copy means “that the information on the personal data concerning the person who makes the request is provided to the data subject in a way which allows the data subject to retain all of the information and to come back to it”.
In a notable decision dated 4 May 2023 by the European Court of Justice, Case C-487/21 F.F. v Österreichische Datenschutzbehörde, a key judgment was made regarding the notion of “copy” in relation to Article 15(3).
The case arose when an applicant sought access to personal data held by CRIF GmbH, a business consulting firm providing creditworthiness information. Although CRIF provided a summary of the applicant's personal data, they did not furnish copies of the actual documents, such as emails and database extracts, containing his information. The applicant filed a complaint with the Austrian Data Protection Authority (DPA), claiming CRIF's response was incomplete. After the DPA rejected the complaint, the applicant took legal action, leading the Austrian court to seek clarity on the definition of a "copy" in an access request context.
The Court ruled that the right of access encompasses a faithful reproduction of personal data, broadly defined, not necessarily the copy of the actual document itself. The term "copy" relates specifically to the processed personal data. However, under Article 15(3), in certain situations, the data subject might be entitled to copies or extracts of entire documents or databases containing personal information if it is vital for exercising rights under the GDPR.
Furthermore, the Court underscored the importance of balancing the data subject's right to complete access with the rights or freedoms of others. This balancing act must be executed without infringing on others' rights and without completely denying access to the data subject.
In summary, the judgment clarified that controllers are not universally obliged to provide full copies of documents or databases in response to an access request.
However, depending on the situation, supplying extracts or copies may be mandated. The ruling emphasizes a nuanced understanding of the right to access, considering both the data subject's rights and the potential impact on third parties.
What if an employee consults a data subject’s personal data without their employer’s instruction to do so? Is the employer then still required to assume responsibility as a data controller? And should he divulge the identity of the employee?
It happens more often than you would think: employees using the data access options they have at their disposal at work to perform some “private investigations”, quite unsanctioned by and unbeknownst to their employer. So what if a data subject suspects foul play and submits a data access request to the employer in such a scenario?
In its ruling of June 22, 2023, the European Court of Justice (CJEU) emphasized that the right to access does not extend to providing information about the identity of (other) employees. This is only allowed if the information is essential for the applicant to exercise their right to access, provided the rights and freedoms of other employees are taken into account.
The case concerned an ex-employee of a bank (who was also a customer) who found that bank employees had accessed his customer information repeatedly over a two-month period. He asked the bank to inform him about the identity of those who had accessed his data, the exact dates, and the purposes. The bank refused to disclose the identities, but it informed him that it had ordered an internal audit to investigate a potential conflict of interest.
The ex-employee disagreed with the bank's response and asked the Finnish Data Protection Authority to force the bank to provide the information. The authority refused, and the matter was taken to the East Finnish Administrative Court, which referred the matter to the Court of Justice.
The Court confirmed that GDPR applies even if the events occurred before its enactment. It held that the ex-employee has the right to information about the consultations, dates, and purposes, but not about the identity of the bank's employees. The mere fact that the data controller operates in the banking sector and that the person whose data were processed was both an employee and a customer does not influence the scope of the right to access under Article 15 of the GDPR.
In a similar case, the Belgian Data Protection Authority's Disputes Chamber ruled on the request of three individuals who had asked who had accessed their national register data no less than 15 times on behalf of a public authority, and why. They suspected that the access might have been for private purposes. The public authority refused to reveal the employee's identity due to data protection concerns for the employee.
The Disputes Chamber referred to the above CJEU ruling, emphasizing that one does not simply have the right to know the identity of employees who accessed personal data. It needs to be determined whether the employee processed the data under the authority and instructions of their employer.
If so, the individual does not have direct access to the employee's identity. Conversely, however, if the employee accessed the data for personal purposes, then they themselves become responsible for the processing. The identity of an employee who acts in accordance with the employer's instructions is thus better protected than that of one who does not!
The Disputes Chamber concluded that the public authority must check whether the employee consulted the data under its authority and instructions and assess the balance of rights and freedoms between the involved parties. The failure to do so was a breach of GDPR provisions.
The decision underscores the importance of a careful balancing act between the rights and freedoms of the person requesting information and those of employees.
Only when essential for the person to exercise their rights in accordance with the GDPR, and considering the rights and freedoms of the employees, can there be a right to information about the identity of (other) employees who have processed the data.
What if a data subject is clearly launching a DSAR in order to gather “ammo” against the data controller? Can the controller limit the information it shares?
The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier - but is not a condition - for the individual to exercise other rights such as the right to erasure or rectification.
But of course a data subject may launch a DSAR with ulterior motives quite apart from obtaining information on the processing of their personal data. What if, for instance, a customer of an insurance company were to use their right of access to check whether adjustments made to the insurance premiums were formally compliant with applicable insurance law?
Art. 12(5) GDPR enables controllers to override requests for the right of access that are manifestly unfounded or excessive. According to the EDPB, these concepts have to be interpreted narrowly, “as the principles of transparency and cost free data subjects rights must not be undermined”.
However, recent case law suggests there are limits to data subjects’ entitlement to use their right of access to embark on fact-finding expeditions.
In relation to the insurance example cited above, the Higher Regional Court in Nuremberg concluded in March 2022 that the individual was not attempting to examine the lawfulness of the processing but rather to scrutinize if the alterations to the insurance premiums complied with German insurance regulations. Consequently, the Court deemed the request to be abusive, allowing reliance on Article 12(5)(b).
This ruling is particularly significant given a parallel development: a separate but related case has been referred to the CJEU. This referral is anticipated to establish the comprehensive precedent for controllers regarding this issue. Moreover, the question of purpose is set to be examined in an upcoming case at the CJEU, specifically referred from a German Court in the DKV Deutsche Krankenversicherung AG Case (C-672/22). Similar to the Nuremberg judgment, this pending case also involves the insurance sector. The CJEU is now tasked with determining whether a controller must comply with a GDPR access request that seeks to verify the legality of increases to a private health insurance premium.