Right of access by the data subject

Right to information
Categories:

Control of personal data

The General Data Protection Regulation (GDPR) grants the persons concerned a number of rights so that they can exercise control over the Processing of their personal data and thus over their personal rights protected by fundamental rights. These rights are commonly referred to as the "eight fundamental rights of the data subject" and include the following rights:

 

  • The right to Correction (Article 16)
  • The right to Deletion (Article 17)
  • The right to restrict the Processing (Article 18),
  • The right to information (Article 19)
  • The right to data portability (Article 20)
  • The right to object (Article 21),
  • The right not to be subject to an automated processing Processing based decision (Article 22)
  • The right of access (Article 15).

The right of access is not an unknown right. Directive 95/46/EC and the data protection laws of the EU Member States provided for the affected person already has the opportunity to Right to information to be able to exercise their rights (cf: Art. 12 of Directive 95/46/EC; § 19 of the BDSG-old; Art. 35(1) of the French Data Protection Act). However, data subjects have only become more aware of this right since the General Data Protection Regulation (GDPR for short) came into force and the publicity it enjoys.

 

Right to information: What is it about?

 

The Right to information is enshrined in Art. 15 GDPR. It gives data subjects two rights if the relevant requirements are met. On the one hand Affected parties on request to the person responsible for the Processing responsible persons receive confirmation as to whether personal data about the data subject is being processed or not (right to confirmation). If this is the case, the data subject also has the right to receive a copy of the personal data currently being processed by the controller (right to receive a copy).

In addition, the Board of Processing Responsible persons provide the data subjects with additional information, e.g. about the purposes of the Processing (Art. 15 para. 1 lit. a GDPR), the recipients of the personal data concerned (Art. 15 para. 1 lit. c GDPR) or the retention period for personal data (Art. 15 para. 1 lit. d GDPR). If a affected Person her Right to information then the Responsible persons comply with the request without undue delay, but at least within one month of receipt of the request, in accordance with Art. 12 (3) of the GDPR. In view of the complexity of the request, the person responsible for the Processing Responsible persons extend the deadline by a further two months (Article 12 (3) of the GDPR).

It should be noted that the Right to information is a highly personal right granted to the persons concerned. As an inalienable and non-transferable right, it can therefore only be exercised by the data subject and not by a third party. It is limited exclusively to the personal data that is processed via the affected The personal data of other persons is therefore generally irrelevant.

 

The right to information: a far-reaching right?

 

According to Recital. 63 of the GDPR, the Right to information enable the persons concerned to face up to the Processing of their own data and to become aware of their legitimate Processing by the person responsible.

The European Court of Justice (ECJ) confirms this in its comments on the right to information, as, in its view, other rights arise directly from the right to information. Right to information because it is necessary "to enable the data subject, where appropriate, to be informed of the Processing Responsible for the Correction, Deletion or blocking of their data [...] ". However, the question of the scope of this right and which personal data is covered by this right remains unanswered.

Pursuant to Art. 4 (1) of the GDPR are personal data all information relating to an identified or identifiable person. This includes personal data such as the name, date of birth, e-mail address or other characteristics that could enable the identification of a person, such as an account, telephone or social security number. It also includes sensitive data such as data relating to the data subject's health (e.g. diagnoses, examination results, details of treatments, etc ). In a decision by the Regional Court of Cologne on June 19, 2019, the court, after having Right to information as a comprehensive right, but decided to limit its scope of application by stating that the Right to information " to all internal transactions of the defendant, such as memoranda, or to the fact that the person concerned may have all correspondence already known to the person concerned reprinted and sent to him. ", and by pointing out that the purpose of this right is to protect the affected to enable the person to assess the scope and content of the personal data stored and not to help them simplify their accounting.

In a ruling dated June 15, 2021, the court followed the Federal Constitutional Court however, did not follow the approach of the Regional Court of Cologne and, after pointing out that the concept of personal data was to be understood broadly, took the view that the Right to information "potentially include all types of information, both objective and subjective, in the form of opinions or assessments", "provided that it is information about the person in question. In order to assess whether information relates to a affected person, it is sufficient if the information is linked to a specific person due to its content, purpose or effect".

However, the broad interpretation of the scope of the right of access is limited by Art. 15 (4) of the GDPR, which states that "the right to obtain a copy shall not adversely affect the rights and freedoms of others". This means that the person responsible for the Processing Responsible persons must take into account the rights of third parties, such as their data protection rights, trade secrets or intellectual property rights, when responding to a request for access to the data. Furthermore, it should be noted that the Right to information can only be exercised if a Processing on personal data (however, the term personal data is to be understood broadly). The Right to information therefore does not extend to the Processing of general information that is not intended as personal data or personal information. In a ruling on December 20, 2017, the ECJ ruled in a case relating to the written answers of an examination candidate in a professional examination that the answers of an examination candidate and the comments of the examiners are considered "personal data", but not the examination questions, "which as such do not constitute personal data of the candidates". In the same vein, the ECJ took the view that a "legal analysis, [...] although it personal data as such does not constitute personal data". This approach was also followed by the German Federal Court of Justice, which came to the conclusion that "data on commission payments to Third " not as personal data of the policyholder and are therefore not covered by the Right to information fall.

 

Risks of not responding to an access request

 

Pursuant to Article 82 (1) GDPR can use the affected person can claim compensation if he or she has been injured as a result of a breach of the GDPR has suffered material or immaterial damage. In a decision dated March 5, 2020, the Düsseldorf Labour Court awarded a data subject compensation in the amount of EUR 5,000, as the copy of the personal data that the person responsible for the Processing Responsible persons to the person concerned was incomplete and was not provided in good time. The AG Düsseldorf argued that due to the months-long delay, the [affected person] "in the dark" about the Processing of her personal data and that she therefore suffered non-material damage.

However, not all German courts are of the opinion that a delayed response to a request for information gives the data subject the opportunity to claim damages. In its decision of July 1, 2021, the Regional Court of Bonn held that the mere fact that a data subject was not available for the Processing controller has not responded to the data subject in a timely manner does not per se mean that the data subject must be granted compensation. In order to trigger the application of Art. 82 (1) GDPR, the affected person can prove that he or she has been deprived of his or her rights as a result of the Processing controller has suffered (non-material) damage. It should be noted that the concept of "non-material damage" within the meaning of Art. 82 GDPR is currently the subject of intense debate and that the European Court of Justice has been asked by the Austrian Supreme Court to interpret this concept in accordance with Art. 82 of the General Data Protection Regulation.

Nevertheless, the Processing The controller may also be fined pursuant to Art. 83 (5) of the General Data Protection Regulation: if a person responsible for the Processing the rights of the data subject, e.g. the right to data portability. Right to informationIf the company fails to comply with the above, it may be fined up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the previous financial year. In 2020, the French authorities imposed Supervisory authority against one for the Processing Responsible persons Fine in the amount of EUR 2,250,000 for violating several data protection provisions, including Art. 15 of the General Data Protection Regulation.

 

Sources:

  1. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the Processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data. Processing of personal data and the free movement of data.
  3. CNIL (The French Supervisory authority), RGPD: quel bilan 6 mois après son entrée en application?, November 23, 2018
  4. OVG Lüneburg, June 26, 2019, 11 LA 274/18, ErwG. 15 - 16.
  5. ECJ, Peter Nowak v. Data Protection Commissioner, December 20, 2017, C-434/16, Rec. 57.
  6. RecG. 63 of the GDPR.
  7. Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18.
  8. Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18, Rec. 39.
  9. Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18, ErwG. 39
  10. Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18, Recital 42.
  11. Federal Court of Justice, judgment of June 15, 2021, VI ZR 576/19.
  12. Federal Court of Justice, judgment of June 15, 2021, VI ZR 576/19, Rec. 22.
  13. ECJ, Peter Nowak v. Data Protection Commissioner, December 20, 2017, C-434/16, Rec. 58.
  14. ECJ YS v. Minister voor Immigratie, July 17, 2014, C-141/12, Rec.39.
  15. Federal Court of Justice, judgment of June 15, 2021, VI ZR 576/19, Rec. 28.
  16. Düsseldorf Labor Court, judgment of March 3, 2021, 9 Ca 6557/18.
  17. Düsseldorf Labor Court, judgment of March 3, 2021, 9 Ca 6557/18, ErwG. 111.
  18. Regional Court of Bonn, judgment of July 1, 2021, 15 O 372/20, Rec. 33.
  19. Supreme Court, decision of April 14, 2021, 6Ob120/21x.
  20. CNIL, decision of November 18, 2020, no. SAN-2020-008.
Contact us
Tags:
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts