According to a ruling of the Swiss Federal Supreme Court, the right to information is limited to embodied information. We explain whether or not this is also the case under the GDPR.
What was the Swiss Federal Supreme Court about?
In a highly abbreviated form, the proceedings were about the legality of an evidence order (Beweisverfügung) of the Zurich District Court. The witnesses named in the evidence order were to be heard about certain conversations. However, this taking of evidence was not intended to clarify any facts relevant to the decision. Rather, the taking of evidence was intended to fulfil the plaintiff's alleged claim for information under Article 8 of the Swiss Data Protection Act.
What information must be provided under Swiss data protection law?
According to the Swiss Federal Supreme Court, the right to information under data protection law does not cover a general right to know, through party and witness questioning, between whom, when or about what a personal conversation took place. Data that might be stored in the brain among a person's ordinary memories are not covered by the right to information.
What information must be provided under German data protection law?
The question now is what applies in Germany under Art. 15 GDPR. Would a German court come to a similar or different decision?
What applies according to Art. 15 GDPR?
Pursuant to Article 15(1) of the GDPR, the data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she has the right to obtain access to such personal data and further information. It is not clear from the catalogue according to Art. 15(1)(a) to (h) GDPR whether the information also includes information merely stored in memory. Article 15(1) of the GDPR is therefore of no help.
Is Art. 15 GDPR alone decisive?
The answer is clearly: No!
Art. 15 GDPR cannot be considered in isolation, but always in the overall context of the GDPR. Against this background, the material scope of application of the GDPR in Art. 2 GDPR must be considered. Accordingly, the GDPR only applies to the wholly or partly automated processing of personal data as well as to the non-automated processing of personal data stored or intended to be stored in a filing system.
Information in the human brain is not wholly or partly automated processing of personal data. It could be a non-automated processing of personal data. However, this would have to be or be stored in a file system. A conversation would therefore also have to be conducted for the purpose of making a note of the conversation afterwards. In this case, however, the right to information would only apply to the note in the file.
What are your recommendations for action?
The request for information rightly has limits. However, you should not underestimate the fundamentally broad scope of the right of access under Art. 15 GDPR. The right of access is one of the strongest (if not the strongest) data subject rights of the GDPR. Authorities and courts therefore tend to apply it in a very broad and data subject-friendly manner.
For this reason, you should take every request for information seriously and, if in doubt, seek expert advice from a lawyer specialising in data protection law. If you do not fulfil a request for information, do not fulfil it completely or even fulfil it incorrectly, proceedings before the supervisory authority will usually follow. Such proceedings are almost always expensive, unpleasant and time-consuming for data controllers. Furthermore, there is the risk of a considerable fine.
Source: Swiss Federal Supreme Court, Judgment of 26.11.2020, Case No. I ZR 169/19
We are at your disposal as advisors in the entire field of IT/IP and data protection law
GoldbergUllrich Lawyers 2021
Julius Oberste-Dommes LL.M. (Information Law)
Lawyer and specialist in information technology law
