Control of personal data
The General Data Protection Regulation (GDPR) grants data subjects a number of rights so that they can exercise control over the processing of their personal data and thus over their personal rights protected by fundamental rights. These rights are commonly referred to as the "eight fundamental rights of the data subject" and include the following rights:
- The right to rectification (Article 16)
- The right to erasure (Article 17)
- The right to restriction of processing (Article 18),
- The right to information (Article 19)
- The right to data portability (Article 20)
- The right to object (Article 21),
- The right not to be subject to a decision based solely on automated processing (Article 22)
- The right of access (Article 15).
The right of access is not an unknown right. Directive 95/46/EC and the data protection laws of the EU Member States already provided for the possibility for the data subject to exercise their right of access (cf: Art. 12 of Directive 95/46/EC; § 19 of the BDSG-old; Art. 35(1) of the French Data Protection Act). However, data subjects have only become more aware of this right since the General Data Protection Regulation (GDPR for short) came into force and the publicity it enjoys.
Right to information: What is it about?
The right of access is enshrined in Art. 15 GDPR. It gives data subjects two rights if the relevant requirements are met. Firstly, data subjects must receive confirmation from the controller upon request as to whether or not personal data relating to the data subject is being processed (right to confirmation). If this is the case, the data subject also has the right to receive a copy of the personal data currently being processed by the controller (right to receive a copy).
Furthermore, the controller must provide the data subject with additional information, e.g. on the purposes of the processing (Art. 15 para. 1 lit. a GDPR), the recipients of the personal data concerned (Art. 15 para. 1 lit. c GDPR) or the retention period for personal data (Art. 15 para. 1 lit. d GDPR). If a data subject exercises their right of access, the controller must comply with the request without undue delay, but at least within one month of receipt of the request, in accordance with Art. 12 para. 3 of the GDPR. However, in view of the complexity of the request, the controller may extend the deadline by a further two months (Article 12(3) of the GDPR).
It should be noted that the right of access is a highly personal right granted to the data subject. As an inalienable and non-transferable right, it can therefore only be exercised by the data subject and not by a third party. It is limited exclusively to the personal data that is processed and stored about the data subject; the personal data of others is therefore irrelevant.
The right to information: a far-reaching right?
According to Recital. 63 of the GDPR, the right of access is intended to enable data subjects to become aware of the processing of their own data and to be able to verify the lawfulness of such processing by the controller.
The European Court of Justice (ECJ) confirms this in its comments on the right of access, as, in its view, other rights arise directly from the right of access because it is necessary "to enable the data subject, where appropriate, to obtain from the controller the rectification, erasure or blocking of his data [...]". However, the question of the scope of this right and which personal data is covered by this right has not yet been conclusively answered.
According to Art. 4 para. 1 of the GDPR, personal data is any information relating to an identified or identifiable person. This includes personal data such as the name, date of birth, email address or other characteristics that could enable the identification of a person, such as an account, telephone or social security number. It also includes sensitive data such as data on the data subject's health (e.g. diagnoses, examination results, details of treatments, etc ). However, in a decision by the Regional Court of Cologne on 19 June 2019, the court, after recognizing the right of access as a comprehensive right, decided to limit its scope by stating that the right of access "does not apply to all internal processes of the defendant, such as notes, or to the fact that the person concerned can receive all correspondence already known to the person concerned, printed and sent again". ", pointing out that this right is intended to enable the data subject to assess the scope and content of the personal data stored, and not to help him to simplify his record-keeping.
However, in a ruling on June 15, 2021, the Federal Constitutional Court did not follow the approach of the Regional Court of Cologne and, after pointing out that the concept of personal data should be understood broadly, took the view that the right of access "can potentially cover all types of information, both objective and subjective, in the form of opinions or assessments", "provided that it is information about the person in question. In order to assess whether information relates to a data subject, it is sufficient if the information is linked to a specific person by its content, purpose or effect".
However, the broad interpretation of the scope of the right of access is limited by Article 15(4) of the GDPR, which states that "the right to obtain a copy shall not adversely affect the rights and freedoms of others". This means that the controller must take into account the rights of third parties, such as their data protection rights, trade secrets or intellectual property rights, when responding to a request for access to the data. It should also be noted that the right of access can only be exercised if the processing relates to personal data (although the term personal data is to be understood broadly). The right of access therefore does not extend to the processing of general information that is not considered personal data or personal information. In a judgment of December 20, 2017, the ECJ ruled in a case relating to the written answers of an examination candidate in a professional examination that the answers of an examination candidate and the comments of the examiners are to be regarded as "personal data", but not the examination questions, "which as such do not constitute personal data of the candidates". Similarly, the ECJ took the view that a "legal analysis, [...] although it may contain personal data, does not in itself constitute personal data". This approach was also followed by the German Federal Court of Justice, which concluded that "data on commission payments to third parties" cannot be regarded as personal data of the policyholder and are therefore not covered by the right of access.
Risks of not responding to an access request
Pursuant to Article 82 (1) GDPR, the data subject may claim compensation if they have suffered material or non-material damage as a result of a breach of the GDPR. In a decision dated March 5, 2020, the Düsseldorf Labor Court awarded a data subject compensation in the amount of EUR 5,000 because the copy of the personal data that the controller had provided to the data subject was incomplete and was not provided in a timely manner. The AG Düsseldorf argued that due to the months-long delay, the [data subject] remained "in the dark" about the processing of their personal data and that they therefore suffered non-material damage.
However, not all German courts are of the opinion that a late response to a data subject's request for information opens up the possibility of claiming damages. In its decision of July 1, 2021, the Regional Court of Bonn held that the mere fact that a controller has not responded to the data subject in a timely manner does not per se mean that the data subject must be awarded damages . In order to trigger the application of Art. 82 (1) GDPR, the data subject must prove that he or she has suffered (non-material) damage as a result of the controller's late response. It should be noted that the concept of "non-material damage" within the meaning of Art. 82 GDPR is currently the subject of intense debate and that the European Court of Justice has been asked by the Austrian Supreme Court to interpret this concept in accordance with Art. 82 of the General Data Protection Regulation .
Nevertheless, a controller can also be fined under Art. 83(5) of the GDPR: if a controller violates the rights of the data subject, e.g. the right of access, it can be fined up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the previous financial year. In 2020, the French supervisory authority imposed a fine of EUR 2,250,000 on a data controller for violating several data protection provisions, including Art. 15 of the General Data Protection Regulation.
Sources:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- CNIL (The French supervisory authority), RGPD: quel bilan 6 mois après son entrée en application?, November 23, 2018
- OVG Lüneburg, June 26, 2019, 11 LA 274/18, ErwG. 15 - 16.
- ECJ, Peter Nowak v. Data Protection Commissioner, December 20, 2017, C-434/16, Rec. 57.
- Recital. 63 of the GDPR.
- Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18.
- Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18, Rec. 39.
- Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18, ErwG. 39
- Regional Court of Cologne, 26th Civil Chamber, judgment of 19.06.2019, 26 S 13/18, Recital 42.
- Federal Court of Justice, judgment of June 15, 2021, VI ZR 576/19.
- Federal Court of Justice, judgment of June 15, 2021, VI ZR 576/19, Rec. 22.
- ECJ, Peter Nowak v. Data Protection Commissioner, December 20, 2017, C-434/16, Rec. 58.
- ECJ YS v. Minister voor Immigratie, July 17, 2014, C-141/12, Rec.39.
- Federal Court of Justice, judgment of June 15, 2021, VI ZR 576/19, Rec. 28.
- Düsseldorf Labor Court, judgment of March 3, 2021, 9 Ca 6557/18.
- Düsseldorf Labor Court, judgment of March 3, 2021, 9 Ca 6557/18, ErwG. 111.
- Regional Court of Bonn, judgment of July 1, 2021, 15 O 372/20, Rec. 33.
- Supreme Court, decision of April 14, 2021, 6Ob120/21x.
- CNIL, decision of November 18, 2020, no. SAN-2020-008.