Blog details

What data should a controller disclose under a data subject access request?

What data should a controller disclose under a data subject access request?

A recent decision from the Cologne Regional Court addresses whether individuals are entitled to receive emails and personal notes as part of a DSAR.

“I want access to all personal data you handle about me”. What should you do as the controller if you receive an email like this? According to GDPR, individuals have the right to obtain:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information, which largely corresponds to the information that you should provide in the privacy policy.

What does “personal data” means in terms of a DSAR? Even though this concept is clear for some data categories like contact data, for some others it may be tricky, especially when it comes to information that might affect other people’s rights and freedoms.

GDPR states that the right of access “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software”. However, expert opinions vary as to the data that should be actually considered to affect third-parties. The Data Protection Act 2018 settle this criterion on the likelihood that another individual could be identified from the information disclosed. On a related note, Cologne Regional Court has recently reached a decision where they assert that the right of access does not include all internal processes, such as notes. Moreover, they claim that the data subject is not entitled to receive all exchanged correspondence. Legal evaluations or analyses are also not considered personal data in these terms. This means that information as ratings and private notes about employees’ performance or appraisals should not necessarily be disclosed under a DSAR.

We think this is an accurate criterion that properly solves the data subject access request plus protects the controller’s interests. However, although this is a binding decision from the Cologne Regional Court, it does not generally apply to other countries that are subject to the GDPR, so it remains to be seen if this rule becomes a standard.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Prev post
¿Qué datos deberían incluirse en la respuesta a un ejercicio del derecho de acceso?
May 31, 2019
Next post
Practical guidance on how to process mixed datasets
June 5, 2019

Leave a Comment