This recent decision looks at what needs to be provided to an individual as part of a response and whether a summary of the information is enough (spoiler alert: it isn’t!).
Background
Under the European General Data Protection Regulation (“GDPR”), which has effectively been retained in UK law post-Brexit as the UK GDPR, individuals (including prospective, current or former employees) are entitled to receive a “copy” of the personal data being processed about them as part of a data subject access request (“DSAR”). Complying with DSARs can involve a significant amount of work for employers and, as a result, they are often used by disgruntled employees at the early stages of litigation.
Last week, the Court of Justice of the European Union (“CJEU”) published its decision on what the exact obligations are when complying with DSARs and specifically, whether a summary of the information is sufficient.
The facts in this case
This case concerned a credit bureau, CRIF, which collected information about Austrian individuals in order to assess their creditworthiness. The applicant submitted a DSAR to CRIF and asked to be sent a copy of the documents containing data about him. In response, CRIF sent a list of the information processed about him in summary form. The applicant then complained to the Austrian data protection authority (“DPA”), arguing that a mere summary was not sufficient.
The Austrian DPA rejected the complaint and the individual appealed. On appeal, the Federal Administrative Court referred the question to the CJEU.
Decision
The CJEU held that the right to obtain a “copy” of personal data means that the individual must be given a “faithful and intelligible reproduction of all those data”. That means that individuals can obtain copies of extracts from documents, or even the whole of those documents, where that is essential to enable them to exercise their rights under GDPR effectively, while taking account of the rights and freedoms of others (including any third parties whose data appears in the same documents). A purely general description of the data being processed, or a reference to categories of personal data, does not satisfy the requirement to provide a copy.
The CJEU also noted that one of the objectives of the right to access is to enable the individual to ensure that the personal data relating to them is correct and that it is processed in a lawful manner.
Impact on employers
In practice, employers may need to provide copies of documents or extracts (redacting personal data of third parties where necessary) rather than a summary. If a “shortcut” leaves the individual unable to fully understand or verify the information held about them, the response may not be compliant with GDPR.
Employers should also be mindful of the need to redact third party data (for example, data relating to other employees). Where complying with a DSAR conflicts with third party confidentiality, employers will need to strike a balance between the two: wherever possible, the DSAR should be complied with in a way that does not infringe third party privacy, but the presence of third party data is not in itself a sufficient reason to refuse a DSAR.
Although this European decision will not be legally binding in the UK, it may still be persuasive authority for the UK data protection regulator, the ICO.
If you have any questions about DSARs or data privacy more generally, please contact Deborah Margolis or Darren Isaacs.