Finnish Data Protection Authority: Log data are not covered by the right of access under Art. 15 GDPR
The Finnish Data Protection Authority (DPA) publishes on its website, under the heading "FAQ", many interesting and practice-relevant answers in English to questions about the understanding of the GDPR.
I found a nice question and answer from the authority about the right of access.
Question: Can a customer or patient be entitled to log data by virtue of the right of access?
Answer: According to the Data Protection Ombudsman’s established decision-making practice, user log data is related to the access management of a data subject’s personal data and does not concern the data subject themselves. Rather, user log data can concern, for example, the employees who processed the individual’s data. Art. 15 GDPR provides for the data subject’s right of access to data concerning him or her.
“Since log data concerns access management and not the data subject on whose data it is accumulated, that individual is not entitled to log data by virtue of this right of access”.
This view of the DPA should be particularly interesting for companies in practice. In Germany, the same result can be achieved on the basis of Section 34 (1) no. 2 lit. b Federal Data Protection Act, if the conditions specified therein are met. These include, for example, that the provision of information would require a disproportionate effort and that processing for other purposes is precluded by appropriate technical and organizational measures.
The Finnish DPA seems to exclude log data, which is created when accessing personal data, from the scope of the right of access per se.
External Data Protection Officer, CIPP/E, CIPM, CIPT (IAPP) | Court-appointed expert for data protection
(2 years ago) Austrian DPA (#Datenschutzbehörde) says cell phone data is not personal data and therefore customer is not entitled to location and certain traffic data by virtue of this right of access”. Source: https://noyb.eu/en/cell-phone-data-not-personal-noyb-appeals-federal-administrative-court
| #DrPrivacy | FSU Law Grad | Data Privacy Advocate | Global Cybersecurity & Compliance Leader | Mentor | Educator | Research Fellow | Privacy Expert GDPR, CCPA, LGPD, and HIPAA |
(3 years ago) Dr. Carlo Piltz, thanks for sharing, and this is an interesting point the DPA has taken as it relates to Article 15. At the center here is the mechanism to access that data. Would this still hold true if that log data contain sensitive customer or patient data? Definitely one to follow.
Chief Privacy Officer, Data Protection Officer as-a-service, Independent Legal Scholar on DSA, DMA, Data Act; Author "Applying the GDPR"; Policy Advisor for Data Regulation
(3 years ago) Uhmmm
Data Protection Officer at NHL Stenden Hogeschool and the Vereniging Hogescholen | DPO and independent privacy officer/DPO
(3 years ago) Trudy Rehorst-Leenen
Local Security Officer AXA-Partners CEE (Local CISO) / Partner at GDPR-pro.cz
(3 years ago) Very interesting. There are different types of log files. But because the Subject has the right to know who/when/why accessed his/her personal data, log files (unless the Controller is maintaining some special metadata system on accesses) seem to be the only way to provide an answer. So this seems to mean that the Controller does not have to provide the log files themselves and is only required to provide the output from log analysis. I would be interested to see a decision on log files which contain lots of identifiers, e.g. a delivery log in a mail system, a proxy log with accesses of users to URLs, etc. Here I guess this decision is mostly irrelevant.