In 2023, the European Court of Justice (ECJ) clarified the limits of applicants’ right of access requests under Article 15 of the European Union’s General Data Protection Regulation (GDPR) in landmark decisions with far-reaching consequences for employers.
Quick Hits
- The ECJ ruled in two cases in 2023 that companies may be required to provide extracts of documents, entire documents, or even extracts from databases to applicants who request data under Article 15 of the GDPR.
- Employers have multiple starting points for responding to right-of-access requests, but the underlying legal considerations are in flux due to decisions of the ECJ.
For example, the right to a copy of data under Art. 15 para. 3 GDPR may mean that employers must provide applicants with extracts of documents, entire documents, or even extracts from databases (ECJ cases C-487/21 (May 4, 2023) and C-307/22 (October 26, 2023)). Court decisions like these make it clear that employers will want to continue to pay particular attention to the right of access request under Art. 15 GDPR in 2024.
The following sections outline the options employers have when dealing with such requests for information.
Deadlines
Employers may want to establish fixed internal processes to ensure that right of access requests are responded to in a timely manner. Employers may also want to note that right of access requests under Art. 15 GDPR can be made informally and can therefore potentially be submitted via various channels. Failure to comply with a deadline can by itself result in liability under Art. 82 GDPR, regarding the right to compensation and liability.
Right of access requests must be answered immediately in accordance with Art. 12 para. 3 GDPR, at the latest within one month of receipt. If the complexity and/or the number of right of access requests requires more time, the deadline can be extended once by two months. The employer must inform the applicant of the extension of the deadline and the reasons for the extension within one month of receipt of the right of access request.
Conflicting Rights and Freedoms of Other Persons
Before providing information, employers may want to check whether the information to be disclosed affects the rights and freedoms of third parties.
Right of access requests are restricted where they conflict with the rights and freedoms of third parties. Such rights include, in particular, copyrights, personal rights, data protection of third parties, or the protection of trade and business secrets.
If the rights and freedoms of third parties outweigh the right of the person submitting a right of access request, this will result in a restriction of the right of access request. For example, where reasonable, information relating to third parties must be redacted.
Legally, these restrictions are based on Art. 15 para. 4 GDPR and Section 29 para. 1 Sentence 2 Var. 2 German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The standard from the Federal Data Protection Act is based on the opening clause of Art. 23, letter i, of the GDPR and is predominantly considered to be compliant with European law. In terms of content, it goes farther than Art. 15 para. 4 GDPR, as it not only takes into account the rights and freedoms of third parties, but also whether the nature of the information itself requires confidentiality. The latter is likely to be the case if the purpose of confidentiality is recognized by the legal system as worthy of protection.
In legal disputes, employers may want to present the conflicting rights of third parties to the court in detail, so that the court can weigh them up in the first place (and, potentially, render a decision in favor of the employer).
Confidentiality Obligations
Employers may also want to check whether legal provisions require certain information to be kept confidential from the applicant. Insofar as these legal provisions subject the information to confidentiality, claims for information can regularly be restricted, in that information requiring confidentiality cannot be part of a right of access request.
Pursuant to Section 29 para. 1 Sentence 2 Var. 1 German Federal Data Protection Act (BDSG), right of access requests can be restricted if the information is subject to a statutory confidentiality obligation. Such confidentiality obligations include, for example, professional secrets.
Disproportionate Effort
Right of access requests must be answered. As a rule, it is not recommended that employers reject right of access requests on the basis of high or disproportionate effort required to process such requests.
Unlike Art. 14 GDPR, Art. 15 GDPR does not contain an exception for the case of disproportionate effort. In view of the rulings of the courts, the question of whether employers can successfully invoke the national provision of Section 275 para. 2 German Civil Code (Bürgerliches Gesetzbuch – BGB) to refuse right of access requests under Art. 15 GDPR on the grounds of disproportionate effort must in all likelihood be answered in the negative.
Obviously Unfounded and Excessive Applications
In particular, employers may want to check whether persons have already submitted multiple requests in accordance with Art. 15 GDPR.