A central goal of the GDPR is to give data subjects control over their personal data. Companies must therefore observe and implement a large number of rights of data subjects in practice. The third chapter of the GDPR regulates the rights data subjects can assert against companies, including the currently particularly relevant right to information (Article 15 GDPR). Companies need to manage the rights of data subjects in general, but also to respond to requests for information in particular. If the relevant processes are not established in the company and violations of the GDPR occur as a result, there is a risk of serious fines and, in particular, lawsuits for non-material damages.
The right to information
The information is intended to enable data subjects to obtain knowledge of the processing of their personal data and, as a result, to review the lawfulness of the processing. Upon request by a data subject, a company must provide information about the specific data processed and the existent information. In practice, the scope of information can be very complex and challenging. This applies in particular because the legal situation has not been clarified in the relevant degree of detail and the legal rulings on this issue (only in German) have so far been very inconsistent. For guidance, the European Data Protection Board (EDPB) has published guidelines on the right of access (PDF), which also address practical implementation issues.
What are the penalties for violations?
If companies violate the GDPR because they do not respond to requests for information from data subjects within the legally prescribed framework, they may be subject to fines by the data protection supervisory authorities, among other things. For example, the Dutch data protection supervisory authority recently imposed a fine of EUR 525,000 on a media company because the company had made responses to requests for information dependent on a copy of proof of identity.
Another risk associated with not properly responding to requests for information involves claims for damages for pain and suffering by data subjects. Such claims are currently enjoying great popularity, particularly in connection with labour court disputes. An example of this is a ruling by the State Labour Court of Lower Saxony of 22 October 2021 (Case 16 Sa 761/20) (only in German), in which the Court ruled that late and incomplete information gives rise to a claim for damages for pain and suffering in the amount of EUR 1,250. The State Labour Court of Berlin-Brandenburg ruled in favor of an employee by judgement of 18 November 2021 (Case 10 Sa 443/21) (only in German). The court even awarded damages for pain and suffering in the amount of EUR 2,000, since the data subject had lost control over his personal data. The amount of damages awarded for pain and suffering may not be very serious in specific cases, but practical observations as well as the increased public focus suggest that the number of corresponding lawsuits – and thus also the amount of damages for pain and suffering – will increase considerably in the future.
Challenges in responding to requests for information
Practical challenges of Article 15 GDPR exist in the following areas, among others:
- Identification of the data subject: Identification must not present an unacceptable barrier, but at the same time must ensure that personal data does not fall into the wrong hands. The recent fine against the mobile communications provider 1&1 in the amount of EUR 900,000 (only in German), for unlawfully handing over the telephone number of the data subject to his ex-wife is an impressive example of the challenges involved in sufficiently identifying data subjects.
- Deadlines: Requests for information must be answered within one month. Only in exceptional cases can an extension of the deadline by a further two months be considered.
- Scope of information: The information is to encompass, first of all, a confirmation of the processing and, in addition, information about the data. In principle, the data subject has a comprehensive right to information.
- Can requests for information be refused because of a heavy processing burden or on the grounds that they are excessive? The State Labour Court of Saxony limited requests for information insofar as they are not sufficiently specific (§ 253(2)2 of the German Civil Procedure Code) (only in German) or precise or if they constitute functionally inappropriate or excessive requests for information.
The management of requests for information in companies
In our experience, suitable data protection processes are essential for effective and sustainable implementation of the right of access and the other rights of data subjects under the GDPR. Due to the complexity of the issue, companies should ideally start implementing data protection rights at the process level as a preventive measure and not wait until they receive the first requests from data subjects. Early action can, in particular, ensure that the necessary technical requirements are in place to implement the rights of data subject, such as the ability to export or delete personal data from a system. In the short term, this is often not possible and can lead, for example, to the provision of incomplete information and an associated violation of the GDPR.back