Manage­ment of requests for infor­ma­ti­on under the GDPR

A cen­tral goal of the GDPR is to give data sub­jects con­trol over their per­so­nal data. Com­pa­nies must the­r­e­fo­re obser­ve and imple­ment a lar­ge num­ber of rights of data sub­jects in prac­ti­ce. The third chap­ter of the GDPR regu­la­tes the rights data sub­jects can assert against com­pa­nies, inclu­ding the curr­ent­ly par­ti­cu­lar­ly rele­vant right to infor­ma­ti­on (Artic­le 15 GDPR). Com­pa­nies need to mana­ge the rights of data sub­jects in gene­ral, but also to respond to requests for infor­ma­ti­on in par­ti­cu­lar. If the rele­vant pro­ces­ses are not estab­lished in the com­pa­ny and vio­la­ti­ons of the GDPR occur as a result, the­re is a risk of serious fines and, in par­ti­cu­lar, lawsuits for non-material damages.

The right to information

The infor­ma­ti­on is inten­ded to enable data sub­jects to obtain know­ledge of the pro­ces­sing of their per­so­nal data and, as a result, to review the lawful­ness of the pro­ces­sing. Upon request by a data sub­ject, a com­pa­ny must pro­vi­de infor­ma­ti­on about the spe­ci­fic data pro­ces­sed and the exis­tent infor­ma­ti­on. In prac­ti­ce, the scope of infor­ma­ti­on can be very com­plex and chal­len­ging. This appli­es in par­ti­cu­lar becau­se the legal situa­ti­on has not been cla­ri­fied in the rele­vant degree of detail and the legal rulings on this issue (only in Ger­man) have so far been very incon­sis­tent. For gui­dance, the Euro­pean Data Pro­tec­tion Board (EDPB) has published gui­de­lines on the right of access (PDF), which also address prac­ti­cal imple­men­ta­ti­on issues.

What are the pen­al­ties for violations?

If com­pa­nies vio­la­te the GDPR becau­se they do not respond to requests for infor­ma­ti­on from data sub­jects within the legal­ly pre­scri­bed frame­work, they may be sub­ject to fines by the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, among other things. For exam­p­le, the Dutch data pro­tec­tion super­vi­so­ry aut­ho­ri­ty recent­ly impo­sed a fine of EUR 525,000 on a media com­pa­ny becau­se the com­pa­ny had made respon­ses to requests for infor­ma­ti­on depen­dent on a copy of pro­of of identity.

Ano­ther risk asso­cia­ted with not pro­per­ly respon­ding to requests for infor­ma­ti­on invol­ves claims for dama­ges for pain and suf­fe­ring by data sub­jects. Such claims are curr­ent­ly enjoy­ing gre­at popu­la­ri­ty, par­ti­cu­lar­ly in con­nec­tion with labour court dis­pu­tes. An exam­p­le of this is a ruling by the Sta­te Labour Court of Lower Sax­o­ny of 22 Octo­ber 2021 (Case 16 Sa 761/20) (only in Ger­man), in which the Court ruled that late and incom­ple­te infor­ma­ti­on gives rise to a cla­im for dama­ges for pain and suf­fe­ring in the amount of EUR 1,250. The Sta­te Labour Court of Berlin-Brandenburg ruled in favor of an employee by jud­ge­ment of 18 Novem­ber 2021 (Case 10 Sa 443/21) (only in Ger­man). The court even award­ed dama­ges for pain and suf­fe­ring in the amount of EUR 2,000, sin­ce the data sub­ject had lost con­trol over his per­so­nal data. The amount of dama­ges award­ed for pain and suf­fe­ring may not be very serious in spe­ci­fic cases, but prac­ti­cal obser­va­tions as well as the increased public focus sug­gest that the num­ber of cor­re­spon­ding lawsuits – and thus also the amount of dama­ges for pain and suf­fe­ring – will increase con­sider­a­b­ly in the future.

Chal­lenges in respon­ding to requests for information

Prac­ti­cal chal­lenges of Artic­le 15 GDPR exist in the fol­lo­wing are­as, among others:

  • Iden­ti­fi­ca­ti­on of the data sub­ject: Iden­ti­fi­ca­ti­on must not pre­sent an unac­cep­ta­ble bar­ri­er, but at the same time must ensu­re that per­so­nal data does not fall into the wrong hands. The recent fine against the mobi­le com­mu­ni­ca­ti­ons pro­vi­der 1&1 in the amount of EUR 900,000 (only in Ger­man), for unlawful­ly han­ding over the tele­pho­ne num­ber of the data sub­ject to his ex-wife is an impres­si­ve exam­p­le of the chal­lenges invol­ved in suf­fi­ci­ent­ly iden­ti­fy­ing data subjects.
  • Dead­lines: Requests for infor­ma­ti­on must be ans­we­red within one month. Only in excep­tio­nal cases can an exten­si­on of the dead­line by a fur­ther two months be considered.
  • Scope of infor­ma­ti­on: The infor­ma­ti­on is to encom­pass, first of all, a con­fir­ma­ti­on of the pro­ces­sing and, in addi­ti­on, infor­ma­ti­on about the data. In prin­ci­ple, the data sub­ject has a com­pre­hen­si­ve right to information.
  • Can requests for infor­ma­ti­on be refu­sed becau­se of a hea­vy pro­ces­sing bur­den or on the grounds that they are exces­si­ve? The Sta­te Labour Court of  Sax­o­ny limi­t­ed requests for infor­ma­ti­on inso­far as they are not suf­fi­ci­ent­ly spe­ci­fic (§ 253(2)2 of the Ger­man Civil Pro­ce­du­re Code) (only in Ger­man) or pre­cise or if they con­sti­tu­te func­tion­al­ly inap­pro­pria­te or exces­si­ve requests for information.

The manage­ment of requests for infor­ma­ti­on in companies

In our expe­ri­ence, sui­ta­ble data pro­tec­tion pro­ces­ses are essen­ti­al for effec­ti­ve and sus­tainable imple­men­ta­ti­on of the right of access and the other rights of data sub­jects under the GDPR. Due to the com­ple­xi­ty of the issue, com­pa­nies should ide­al­ly start imple­men­ting data pro­tec­tion rights at the pro­cess level as a pre­ven­ti­ve mea­su­re and not wait until they recei­ve the first requests from data sub­jects. Ear­ly action can, in par­ti­cu­lar, ensu­re that the neces­sa­ry tech­ni­cal requi­re­ments are in place to imple­ment the rights of data sub­ject, such as the abili­ty to export or dele­te per­so­nal data from a sys­tem. In the short term, this is often not pos­si­ble and can lead, for exam­p­le, to the pro­vi­si­on of incom­ple­te infor­ma­ti­on and an asso­cia­ted vio­la­ti­on of the GDPR.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.