Paul Motion: Subject Access Requests – can they demand every document?
Paul Motion considers a recent advocate general’s opinion from the Court of Justice of the European Union.
Is a person who makes a subject access request entitled to copies of all documents such as emails?
This vexed question arises surprisingly often. Data controllers will regularly receive demands such as “all documents in which my name is mentioned”.
The basis of the subject access right is Article 15(3) of the GDPR [Regulation EU 2016/679]. This needs to be read along with Recital 63. The right is preserved in the post-Brexit UK GDPR.
Recital 63 states: “A data subject should have the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals in order to be aware of, and verify, the lawfulness of processing”.
Article 4(1) and 4(2) of the GDPR define “personal data” to mean any information relating to an identified or identifiable natural legal person, and “processing” to mean any operation or set of operations which is performed on personal data or on sets of personal data, so pretty much covering every conceivable action including recording, structuring, retrieving, adapting or destruction.
Article 15 of the GDPR says that the data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data. In addition, 8 categories of information need to be supplied, such as the purpose of the processing, data sharing, storage periods etc.
For the purposes of this article, the crux is Article 15(3) which says: “The controller shall provide a copy of the personal data undergoing processing. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others”.
CRIF GmbH is an Austrian business consulting agency providing its clients with information on the creditworthiness of third parties. The data subject, FF, served a subject access request on CRIF to obtain inter alia information on his personal data that were undergoing processing. CRIF provided some of the information as an aggregate, first in a table broken down by name, date of birth, street, postal code and place, and secondly in a statement summarising the various corporate functions and powers of representation. No documents such as emails or extracts from databases were sent. FF was not happy and complained to the Austrian Data Protection Authority. He said that he should have been sent copies of all the documents including emails and database extracts that contained his personal data. The Austrian Data Protection Authority rejected the complaint. FF sued and the Austrian Federal Court referred the matter to the ECJ.
The issue for the court was whether sending FF his personal data in the form of a table and a summary statement complied with Article 15(3) or whether FF was entitled to obtain a copy of his personal data undergoing processing in a manner that was not devoid of context, but rather in the form of copies or extracts of actual correspondence, such as emails, or the contents of databases or similar documentation.
The AG’s opinion (which is not binding on the ECJ, but the court usually follows such opinions) noted that the right of access was necessary to enable the data subject to exercise other rights such as the right to rectification and the right to be forgotten. The rule conferring the right to obtain a copy of personal data was aimed at making explicit provision for the appropriate form that guarantees the data subject effective exercise of the subject rights. The aim of the GDPR is to ensure that the data subject is provided with his or her personal data in as accurate and comprehensible a form as possible to enable him to exercise those rights.
In view of this, the Advocate General felt that issuing a copy of a document that contains the data, or an extract from a database, does not always and in every case appear to be indispensable for achieving the objectives pursued by the legislature. It is only where issuing a copy of the actual document is indispensable for the purpose of making the processing fully intelligible that the data subject may obtain portions of documents or where appropriate entire documents or extracts from databases. In other words, if a summary of the personal data being processed and the purposes of the processing etc is sufficiently clear and intelligible, there is no right to obtain and no obligation to provide a copy of the actual documentation containing the personal data.
The Advocate General’s recommendation to the ECJ therefore is:
- Article 15(3) must be interpreted as meaning that “copy” means a faithful reproduction in intelligible form of the personal data requested by the data subject that enables the data subject effectively to exercise his or her right of access to his or her personal data. But the exact form of the “copy” is determined by the specific circumstances of each case and in particular the type of personal data in respect of which access is requested and the needs of the data subject.
- Article 15(3) does not confer a general right to obtain a partial or a full copy of the document that contains the personal data or, if the personal data are processed in a database, an extract from the database.
- Article 15(3) does not rule out, however, the data subject needing to be provided with portions of documents or even complete documents or extracts from databases, if that was necessary to render the processing fully intelligible to the data subject.
So, where does this leave us in advising clients?
As Scots lawyers would no doubt say, it is a case of “maybes aye, maybes naw”. The AG’s deconstruction of Article 15(3) is welcome and should assist data controllers facing erroneous demands for copies of every document in which the data subject happens to be mentioned. As with much data protection legislation, however, the decision is ultimately a judgement call for the data controller, which will require to form a considered, objective view and document the decision before the almost inevitable challenge from the data subject.
Paul Motion is a partner at BTO LLP