Requests for information / access requests under Art. 15 GDPR are among the less pleasant types of correspondence for companies. For many businesses, these inquiries are at best bothersome. For some, however, they are problematic because they have not or have insufficiently implemented the requirements of the GDPR. In such cases, information that needs to be disclosed can easily be overlooked. This includes emails and email addresses, as decided by the Dortmund Local Court (AG Dortmund) (Decision of May 20, 2021, file no. 404 C 1526/21).
Which information was missing from the provided disclosure?
The plaintiff asserted an out-of-court right of access. The defendant largely complied with this right of access. However, it neither fully provided the email correspondence with the plaintiff nor disclosed the plaintiff's email address. It was undisputed that the parties had communicated via a specific email address of the plaintiff.
The plaintiff filed an action for information. In the course of the proceedings, the defendant then submitted the email correspondence, including the email address. Although this effectively concluded the legal dispute on its merits, the defendant nevertheless had to bear the costs of the legal dispute. The defendant would have been found liable because the information provided out of court was incomplete. In this case, the defendant would also have had to bear the costs of the legal dispute.
What information must be disclosed in the context of the right of access under Art. 15 GDPR?
According to Art. 15 para. 1 p. 1 GDPR, the controller must first determine whether personal data concerning the data subject is processed at all. If this is the case, the controller must disclose various pieces of information to the data subject in accordance with Art. 15 para. 1 p. 2 lit. a) to h) GDPR and make available a copy of the personal data processed by the controller in accordance with Art. 15 para. 3 p. 1 GDPR.
The scope of the right of access covers all data relating to the data subject that is available to the controller at the time of providing the information. The data must be provided as it is held by the controller. The data copy must be complete. In particular, it must also extend to personal data that the data subject has already received, such as previous email correspondence between the controller and the data subject.
What must be considered when handling a data subject access request?
Please note the following in the event of an access request:
– If in doubt, immediately seek assistance from a lawyer specializing in data protection law. Breaches of the disclosure obligation can result in substantial fines.
– Ideally, comply with a deadline set by the data subject for providing the information. However, you must provide the information in accordance with Art. 12 para. 3 p. 1 alt. 2 GDPR no later than one month after receiving the access request. If you miss this deadline, a fine may be imposed on you under Art. 83 para. 5 lit. b) GDPR.
– Review your entire data inventory for personal data concerning the data subject. Your records of processing activities under Art. 30 GDPR will assist you in this.
– Warning, pitfall: You may only provide information to the data subject themselves. If, after receiving an access request, you have reasonable doubts about the identity of the data subject, you may request additional information necessary to confirm the identity of the data subject in accordance with Art. 12 para. 6 GDPR. However, you may not carry out identity verification without cause and in every instance. Otherwise, the supervisory authority could accuse you of evading the disclosure obligation through unjustified identity verification.
When faced with access requests, it is advisable not to act alone, but to seek legal assistance. We are happy to review an access request for you and recommend the appropriate course of action.
We are pleased to assist as consultants in the entire field of IT law and data protection law.
GoldbergUllrich Attorneys at Law 2021
Julius Oberste-Dommes LL.M. (Information Law)
Attorney-at-Law and
Specialist Attorney for Information Technology Law
