Individuals are increasingly making use of their right to access their personal data under applicable privacy laws in the EU.

It can be a challenge for companies to handle such requests, in particular if a request concerns a complex data set, if there is a high number of requests, or if the right is exercised for strategic reasons, such as in HR or legal disputes. The right of access is, however, not absolute, and its restrictions vary across Member States, adding further complexity to the matter. How such requests are handled and how these restrictions are applied is commonly set out in internal policies and procedures. We set out below the current landscape as well as a recent enforcement trend.

The Right of Access: A Wide Scope to Deliver Within a Tight Timeframe

The General Data Protection Regulation (GDPR) grants individuals the right to request access to, or obtain a copy of, the personal data that a company processes or otherwise holds about them. A request from an individual to exercise this right is commonly referred to as a “data subject access request” (DSAR). This right predates the GDPR and is one of the building blocks of privacy rights.

DSARs generally have a broad scope that proves challenging for companies as the access right entitles an individual to request:

  • confirmation as to whether personal data about them is processed or not;
  • access to the processed personal data. A wide variety of personal data may fall within this definition on a case-by-case basis, such as contact details, medical or purchase history, creditworthiness indicators, the HR file and the comment fields within it, emails, pictures, CCTV footage (if any), and activity logs. It also encompasses personal data stored in paper files; and
  • access to information about the processing, such as the purpose(s) for which it is processed, the categories of personal data, the recipients, the duration of the processing, and which appropriate safeguards are applied when the data is transferred out of the EU.

DSARs should further be addressed within one month, although the deadline can be extended in certain cases. It is common for companies to have internal policies and procedures for dealing with requests from individuals about their rights more generally. The aim is to provide responsible employees with guidance about how to recognize a request, where to send it internally, and how the request should be responded to. However, the challenge is usually to gather personal data that is scattered across several files and folders in the company’s IT systems.

There are few prerequisites for filing an access request, as there are no form requirements, and a request does not need to be justified. A request can be submitted directly to a controller or to its processor, who should then forward the request to the controller (e.g., in the manner set out in the data processing agreement between them).

Data Access: Ulterior Motives at Play

While individuals generally use GDPR rights for legitimate purposes, there are instances where the right of access may be used for various strategic purposes, such as:

  • to obtain access to information that they intend to use for specific purposes (e.g., to initiate legal proceedings, to obtain negotiation leverage or a competitive advantage, or to reverse engineer and circumvent fraud prevention mechanisms). A common example of this trend is employees filing access requests to obtain confidential information held by their employer, or filing such requests following a dismissal. This data can then be used as evidence in legal proceedings against the organization. For example, an employee who suspects wrongful termination may use this information to build a case; and
  • submitting a large number of requests or requesting a large volume of data to cause disruption to the concerned organization and leverage that result for further negotiations.

Access Denied: Boundaries Around the Right of Access

The GDPR provides for certain limitations to the right of access. In particular, organizations may deny a request where it is particularly excessive in volume or scope. They may also withhold certain types of information, e.g., personal data that is subject to legal privilege, contains a trade secret, is protected by intellectual property rights, or of which the disclosure would adversely affect the rights and freedoms of others.

Addressing DSARs thus requires analyzing the request to identify the interests at stake and any restrictions that should apply. Organizations should carefully review a request to identify the data in scope and assess whether to redact or render illegible parts of it (e.g., parts that may affect other individuals). Addressing a request can also be time-consuming, for instance, if the DSAR encompasses a mailbox that will require the redaction of the recipients or senders of emails. It is common practice to address these restrictions in the company’s policies and procedures.

In practice, tensions can arise on how these restrictions are implemented, especially when individuals seek access to data for tactical reasons.

Navigating the DSAR Maze: Local Deviations Add Complexity to Handling DSARs

The limits to the right of access are also subject to legal interpretation, which tends to vary from one jurisdiction to another. This complicates things further, as the information that may be withheld varies depending on national court case law and decisions from data protection authorities (DPAs). A few examples:

  • A court in the Netherlands has established that, subject to some restrictions, “internal notes that contain personal thoughts of employees and are exclusively intended for internal consultation” do not fall within the scope of the right of access.[1]
  • A court in Denmark found that a gaming company was not required to provide anti-cheat information about their game in response to a DSAR.[2]
  • Courts in Germany have ruled that DSARs submitted with an aim that is clearly unrelated to data protection can be viewed as an abuse of GDPR rights.[3] The courts found that the right of access is limited to allowing individuals to verify the lawfulness of processing and that requesting personal data solely for non-data-protection-related purposes, e.g., checking premium adjustments, goes beyond the scope of the right.
  • Courts in France[4] and the French DPA[5] have clarified that DSARs relate to the access to personal data and not to documents (for instance, attachments to emails).
  • Meanwhile, guidance from the UK DPA (Information Commissioner’s Office) outlines the scope of exemptions in UK data protection law, including confidential references (whether given or received), e.g., an employee reference, and information for business management planning if responding to the request would prejudice the business activity, e.g., if senior management is planning an organizational reshuffle.[6]

Depending on a company’s footprint in the EU, it may be helpful to incorporate these local deviations into the company’s DSAR handling policies.

Regulatory Focus Area: You Will Be Held Accountable

The importance of appropriately addressing such DSARs is also reflected in the increased attention that EU regulators are paying to the handling of DSARs. The European Data Protection Board (the EDPB), a body comprising delegates from all national data protection authorities in the EU, has recently designated controllers’ compliance with DSAR obligations as the focus area for enforcement action in 2024.[7] In practice, companies may expect targeted questionnaires about their DSAR handling resources.

Organizations typically have mechanisms in place to ensure that access requests are addressed appropriately, which ideally includes how to assess the legitimacy of the request. The questionnaires could, for example, inquire about the internal policies or procedures in place, which team is responsible for managing and responding to requests, whether staff receive appropriate training on how to handle DSARs, and how the company deals with large numbers of DSARs. National DPAs will then gather data to be analyzed by the EDPB, with the possibility of follow-up measures.

Conclusion

It can be a challenge for companies to handle requests from individuals to exercise their right to access their personal data. In particular, the right of access is not absolute, and its restrictions vary across EU Member States, adding complexity to how they should be addressed. The process to address DSARs is typically set out in internal policies and procedures, both to ensure compliance with data protection law as well as to protect a company’s and other concerned individuals’ interests. This becomes even more imperative when individuals seek to exercise their rights for strategic reasons, such as in HR or legal disputes. Considering the current regulatory focus on appropriate DSAR handling, companies should consider checking whether they have the right process in place internally.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy issues and investigations in jurisdictions across the globe. For more information, please contact Yann Padova, Cédric Burton, Laura De Boel, or Laura Brodahl.

Hattie Watson and Karol Piwonski contributed to this post.


[1] Central Netherlands District Court, case no. UTR 18/3404 (June 15, 2020), available at: https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBMNE:2020:2222.

[2] Datatilsynet (Denmark), case no. 2019-31-2071 (August 29, 2022), available at: https://edpb.europa.eu/system/files/2023-02/dk_2022-08_decisionpublic_redacted.pdf.

[3] LG Kassel 5th Civil Chamber, ECLI:DE:LGKASSE:2022:0705.5O1954.21.00 (July 5, 2022), available at: https://www.rv.hessenrecht.hessen.de/bshe/document/LARE220003257; Hamm Higher Regional Court, ECLI:DE:OLGHAM:2023:0503.20U146.22.00 (May 3, 2023), available at: https://www.justiz.nrw.de/nrwe/olgs/hamm/j2023/20_U_146_22_Urteil_20230503.html.

[4] Conseil d’État, 10ème SSJS, 381223, Inédit au recueil Lebon (October 15, 2015), available at: https://www.legifrance.gouv.fr/ceta/id/CETATEXT000031321128/.

[5] CNIL, Employees’ right of access to their data and professional emails (January 5, 2022), available at: https://www.cnil.fr/fr/le-droit-dacces-des-salaries-leurs-donnees-et-aux-courriels-professionnels.

[6] ICO, What exemptions are there?, available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-other-exemptions-are-there/#:~:text=An%20exemption%20applies%20to%20personal,of%20the%20business%20or%20activity.

[7] EDPB picks topic for 2024 Coordinated Action (June 17, 2023), available at: https://edpb.europa.eu/news/news/2023/edpb-picks-topic-2024-coordinated-action_en.