Records of Processing Activities under GDPR
The General Data Protection Regulation (GDPR) grants data subjects a range of rights that enable them to exercise control over their own personal data. These rights are commonly referred to as the “eight fundamental data subject rights”: the right to be informed (Arts. 13 and 14), the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to data portability (Art. 20), the right to object (Art. 21) and the right not to be subject to a decision based solely on automated processing (Art. 22).
The right of access is not a new right. Directive 95/46/EC and the data protection laws of the EU member states already gave data subjects the possibility to exercise it (e.g. Art. 12 of Directive 95/46/EC, § 19 of the former German Federal Data Protection Act, Art. 35(1) of the French Data Protection Act), but data subjects have become far more aware of this right since the GDPR entered into force and received broad publicity.
Right of Access: What Are We Talking About?
The right of access, enshrined in Art. 15 of the GDPR, entitles a data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed (right to confirmation) and, where that is the case, a copy of the personal data undergoing processing (right to obtain a copy). The controller must also provide additional information, such as the purposes of the processing (Art. 15(1)(a) of the GDPR), the recipients or categories of recipients of the personal data (Art. 15(1)(c) of the GDPR) and the envisaged retention period (Art. 15(1)(d) of the GDPR). Where a data subject exercises his or her right of access, the controller must respond to the request without undue delay and in any event within one month of receipt of the request, pursuant to Art. 12(2) of the GDPR. Taking into account the complexity and number of the requests, that period may be extended by two further months where necessary (Art. 12(3) of the GDPR); the controller must inform the data subject of any such extension, and of the reasons for it, within the first month.
It should be pointed out that the right of access is a strictly personal right (DE: ein höchstpersönliches Recht) conferred on data subjects. Being inalienable and non-transferable, it can be exercised only by the data subject (or by someone duly authorised to act on his or her behalf), not by a third party in its own name, and it is limited to the personal data processed and stored about that data subject.
The Right of Access: A Far-Reaching Right?
According to recital 63 of the GDPR, the right of access shall enable data subjects to be aware of the processing and to verify its lawfulness. The European Court of Justice (ECJ) has also recalled that other rights flow directly from the right of access, since it is necessary “to enable the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of his data by the data controller […]”. The question therefore arises as to the extent of this right and which personal data it covers.
Pursuant to Art. 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person. This covers data such as a name, date of birth or e-mail address as well as any identifier that could enable a person to be identified, such as an account number or a social security number. It also encompasses special categories of personal data (Art. 9 of the GDPR) such as data concerning health (e.g. diagnoses, examination results, treatments or interventions provided). In a decision dated 19 June 2019, the Regional Court of Cologne (Landgericht Köln), after recognising that the right of access is a comprehensive right (DE: ein umfassendes Recht), nevertheless restricted its scope, asserting that the right of access does not “refer to all internal processes of the defendant, such as notes, or to the fact that the person concerned can receive all exchanged correspondence, which is already known to the person concerned, reprinted and sent”, and that the right aims at enabling the data subject to assess the scope and content of the stored personal data, not at simplifying his or her own record-keeping (DE: dient nicht der vereinfachten Buchführung des Betroffenen).
However, in a judgment dated 15 June 2021, the German Federal Court of Justice (DE: Bundesgerichtshof) did not follow the approach of the Regional Court of Cologne. After pointing out that the notion of personal data must be interpreted broadly (DE: der Begriff ist weit zu verstehen), it held that the right of access can “potentially include all types of information, both objective and subjective, such as opinions or assessments, provided that the information relates to the data subject in question”. For information to relate to a data subject, “it is sufficient that the information is linked to a specific person by reason of its content, purpose or effect” (loose translation).
The broad interpretation of the scope of the right of access is limited, however, by Art. 15(4) of the GDPR, which provides that “the right to obtain a copy […] shall not adversely affect the rights and freedoms of others”. When responding to an access request, the controller must therefore take into consideration the rights of third parties, such as their own data protection rights, trade secrets or intellectual property rights (see also recital 63 of the GDPR). Furthermore, the right of access can be exercised only where processing relates to personal data (the notion being understood broadly); it does not cover the processing of information that does not qualify as personal data. In a judgment dated 20 December 2017, in a case concerning the written answers submitted by a candidate in a professional examination, the ECJ ruled that the candidate's answers and the examiner's comments on them constitute “personal data”, but not the examination questions, “which do not as such constitute the candidate's personal data”. In the same vein, the ECJ had earlier held that a “legal analysis, […] although it may contain personal data, does not in itself constitute personal data”. The Bundesgerichtshof followed this approach when it concluded that “data on commission payments to third parties” could not be considered personal data relating to the policyholder and were therefore not covered by the right of access.
Risks of Not Answering an Access Request
Pursuant to Art. 82(1) of the GDPR, a data subject who has suffered material or non-material damage as a result of an infringement of the GDPR may claim compensation. In a decision dated 5 March 2020, the Labour Court of Düsseldorf (Arbeitsgericht Düsseldorf) awarded EUR 5,000 in compensation to a data subject, considering that the copy of the personal data provided by the controller was incomplete and had not been provided on time. It argued that “due to the long months of delay […] the [data subject] remained ignorant about the processing of his personal data” and that he had therefore suffered non-material damage.
However, not all German courts consider that a late reply to an access request by itself entitles the data subject to claim damages. In its decision dated 1 July 2021, the Regional Court of Bonn (Landgericht Bonn) held that the mere fact that a controller did not reply on time does not per se mean that the data subject must be awarded damages. To trigger Art. 82(1) of the GDPR, the data subject must prove that he or she actually suffered (non-material) damage as a result of the late response. It should be noted that the notion of “non-material damage” within the meaning of Art. 82 of the GDPR is currently the subject of intense debate and that the Austrian Supreme Court (OGH) has referred questions on its interpretation to the European Court of Justice.
Nonetheless, a controller may also be fined under Art. 83(5) of the GDPR, which provides that infringements of the data subjects' rights under Arts. 12 to 22 (including the right of access) are subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In 2020, the French supervisory authority (CNIL) imposed an administrative fine of EUR 2,250,000 on a controller for having infringed several data protection provisions, including Art. 15 of the GDPR.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- CNIL, “RGPD : quel bilan 6 mois après son entrée en application ?” (GDPR: what is the outcome six months after its entry into application?), 23 November 2018.
- Oberverwaltungsgericht Lüneburg (Higher Administrative Court of Lüneburg), decision of 26 June 2019, 11 LA 274/18, paras 15 and 16.
- ECJ, Peter Nowak v Data Protection Commissioner, judgment of 20 December 2017, C-434/16, para. 57.
- Recital 63 of the GDPR.
- Landgericht Köln (Regional Court of Cologne), 26th Civil Chamber, judgment of 19 June 2019, 26 S 13/18.
- Landgericht Köln (Regional Court of Cologne), 26th Civil Chamber, judgment of 19 June 2019, 26 S 13/18, para. 39.
- Landgericht Köln (Regional Court of Cologne), 26th Civil Chamber, judgment of 19 June 2019, 26 S 13/18, para. 39 (quoted in translation above; original: „der Auskunftsanspruch bezieht sich aber nicht auf sämtliche internen Vorgänge der Beklagten, wie z.B. Vermerke, oder darauf, dass die betreffende Person sämtlichen gewechselten Schriftverkehr, der dem Betroffenen bereits bekannt ist, erneut ausgedruckt und übersendet erhalten kann“).
- Landgericht Köln (Regional Court of Cologne), 26th Civil Chamber, judgment of 19 June 2019, 26 S 13/18, para. 39.
- Bundesgerichtshof (Federal Court of Justice), judgment of 15 June 2021, VI ZR 576/19.
- Bundesgerichtshof (Federal Court of Justice), judgment of 15 June 2021, VI ZR 576/19, para. 22 (quoted in translation above; original: „[…] umfasst potenziell alle Arten von Informationen sowohl objektiver als auch subjektiver Natur in Form von Stellungnahmen oder Beurteilungen, unter der Voraussetzung, dass es sich um Informationen über die in Rede stehende Person handelt. Die letztgenannte Voraussetzung ist erfüllt, wenn die Informationen aufgrund ihres Inhalts, ihres Zwecks oder ihrer Auswirkung mit einer bestimmten Person verknüpft ist“).
- ECJ, Peter Nowak v Data Protection Commissioner, judgment of 20 December 2017, C-434/16, para. 58.
- ECJ, YS v Minister voor Immigratie, Integratie en Asiel, judgment of 17 July 2014, C-141/12, para. 39.
- Bundesgerichtshof (Federal Court of Justice), judgment of 15 June 2021, VI ZR 576/19, para. 28.
- Arbeitsgericht Düsseldorf (Labour Court of Düsseldorf), judgment of 5 March 2020, 9 Ca 6557/18.
- Arbeitsgericht Düsseldorf (Labour Court of Düsseldorf), judgment of 5 March 2020, 9 Ca 6557/18, para. 111.
- Landgericht Bonn (Regional Court of Bonn), judgment of 1 July 2021, 15 O 372/20, para. 33.
- OGH (Austrian Supreme Court), decision of 14 April 2021, 6Ob120/21x.