Within the last couple of months, we have noted that companies increasingly struggle with data subject access requests.
The Wording of Art. 15 para. 3 GDPR is Ambiguous
While companies generally understand that they need to confirm whether they process personal data of the individual who made the request, they often struggle with the requirement to provide a copy of the personal data undergoing processing, as stipulated by Art. 15 para. 3 GDPR, and with what that requirement actually means.
Not only is the wording of Art. 15 GDPR itself ambiguous; its interpretation also varies among legal scholars and between the different supervisory authorities.
Provision of a Copy: Do we have to hand out entire Files...?
Some read Art. 15 para. 3 GDPR to mean that paper files, emails, and all other data – electronic and paper – containing personal data must be handed over to the data subject, while others understand the requirement to provide a copy to mean that the controller merely needs to provide a summary of the underlying processing activity.
Although this is highly disputed, we think it makes sense to put the requirement into its proper context. For example, if the access request has been made by an employee, reading Art. 15 para. 3 GDPR as a right to inspect records, or even as a claim for surrender of all records, could mean that a company must hand over 35.000 pages or more if the employee has worked at the company for several years. The company would also face additional difficulties: if private use of emails has been tolerated, it is questionable whether the company could issue the emails at all, as – depending on the case – German law may bar the company from reviewing and redacting them before handing them over.
The company would nevertheless need to review and redact all files without undue delay, and in any event within one month of receipt of the request – the time frame in which an answer must be prepared – in order to keep its trade secrets, third-party privacy rights, and third-party confidential information under lock and key. In practice, this means that companies need to have both the information and the personnel readily available to review and redact all files so that the one-month period can be met.
Given that a company may extend this period by a further two months only in exceptional circumstances, this could pose serious problems for many companies: if, for example, several long-term employees submit access requests at the same time, those requests could effectively hamstring the company, should Art. 15 para. 3 GDPR be construed to mean that files must be handed over to the data subject upon request.
... Or is it sufficient to provide a summary?
Companies would face far fewer difficulties if Art. 15 para. 3 GDPR were construed to mean that, instead of handing over files, folders, and all other data, a summary of the personal data processed must be issued to the data subject. This could, for example, take the form of an excerpt in which the controlling company lists the processing purposes, the categories of personal data, the recipients, the retention periods, the sources of the personal data where it was collected from third parties, and a catalogue of data subject rights.
This would not only simplify the task of collecting all relevant data to draft a response to a data subject access request; it would also make answering such requests less risky for controllers, as they would not run the risk of accidentally missing the deadline or of disclosing third-party information, trade secrets, or other confidential information.
Even though the objective of Art. 15 GDPR is transparency, it is questionable how transparent an answer to such an access request would be if the requestor receives 40.000 plus pages in response.
In an employment context, where large amounts of personal data are processed, such an extensive answer could well be deemed non-transparent. And rightfully so: the average individual concerned will likely not be able to work through that many pages to understand the processing.
What do the Supervisory Authorities find?
Several German supervisory authorities have already recognized these issues and, on a case-by-case basis, construe Art. 15 para. 3 GDPR to mean that a controller is required to produce an excerpt outlining the processing, rather than producing all records.
Nevertheless, the issue has not been settled, and this position has not been adopted by all supervisory authorities. It also remains the subject of controversy among legal scholars. Controllers faced with such issues may therefore need to seek not only legal counsel, but also guidance from their competent supervisory authority.