Management of requests for information under the GDPR

A central goal of the GDPR is to give data subjects control over their personal data. Companies must therefore observe and implement a large number of rights of data subjects in practice. The third chapter of the GDPR regulates the rights data subjects can assert against companies, including the currently particularly relevant right to information (Article 15 GDPR). Companies need to manage the rights of data subjects in general, but also to respond to requests for information in particular. If the relevant processes are not established in the company and violations of the GDPR occur as a result, there is a risk of serious fines and, in particular, lawsuits for non-material damages.

The right to information

The information is intended to enable data subjects to obtain knowledge of the processing of their personal data and, as a result, to review the lawfulness of the processing. Upon request by a data subject, a company must provide information about the specific data processed and the existent information. In practice, the scope of information can be very complex and challenging. This applies in particular because the legal situation has not been clarified in the relevant degree of detail and the legal rulings on this issue (only in German) have so far been very inconsistent. For guidance, the European Data Protection Board (EDPB) has published guidelines on the right of access (PDF), which also address practical implementation issues.

What are the penalties for violations?

If companies violate the GDPR because they do not respond to requests for information from data subjects within the legally prescribed framework, they may be subject to fines by the data protection supervisory authorities, among other things. For example, the Dutch data protection supervisory authority recently imposed a fine of EUR 525,000 on a media company because the company had made responses to requests for information dependent on a copy of proof of identity.

Another risk associated with not properly responding to requests for information involves claims for damages for pain and suffering by data subjects. Such claims are currently enjoying great popularity, particularly in connection with labour court disputes. An example of this is a ruling by the State Labour Court of Lower Saxony of 22 October 2021 (Case 16 Sa 761/20) (only in German), in which the Court ruled that late and incomplete information gives rise to a claim for damages for pain and suffering in the amount of EUR 1,250. The State Labour Court of Berlin-Brandenburg ruled in favor of an employee by judgement of 18 November 2021 (Case 10 Sa 443/21) (only in German). The court even awarded damages for pain and suffering in the amount of EUR 2,000, since the data subject had lost control over his personal data. The amount of damages awarded for pain and suffering may not be very serious in specific cases, but practical observations as well as the increased public focus suggest that the number of corresponding lawsuits – and thus also the amount of damages for pain and suffering – will increase considerably in the future.

Challenges in responding to requests for information

Practical challenges of Article 15 GDPR exist in the following areas, among others:

  • Identification of the data subject: Identification must not present an unacceptable barrier, but at the same time must ensure that personal data does not fall into the wrong hands. The recent fine against the mobile communications provider 1&1 in the amount of EUR 900,000 (only in German), for unlawfully handing over the telephone number of the data subject to his ex-wife is an impressive example of the challenges involved in sufficiently identifying data subjects.
  • Deadlines: Requests for information must be answered within one month. Only in exceptional cases can an extension of the deadline by a further two months be considered.
  • Scope of information: The information is to encompass, first of all, a confirmation of the processing and, in addition, information about the data. In principle, the data subject has a comprehensive right to information.
  • Can requests for information be refused because of a heavy processing burden or on the grounds that they are excessive? The State Labour Court of Saxony limited requests for information insofar as they are not sufficiently specific (§ 253(2)2 of the German Civil Procedure Code) (only in German) or precise or if they constitute functionally inappropriate or excessive requests for information.

The management of requests for information in companies

In our experience, suitable data protection processes are essential for effective and sustainable implementation of the right of access and the other rights of data subjects under the GDPR. Due to the complexity of the issue, companies should ideally start implementing data protection rights at the process level as a preventive measure and not wait until they receive the first requests from data subjects. Early action can, in particular, ensure that the necessary technical requirements are in place to implement the rights of data subjects, such as the ability to export or delete personal data from a system. In the short term, this is often not possible and can lead, for example, to the provision of incomplete information and an associated violation of the GDPR.
