The European Data Protection and Privacy Authority EDSA published the final version of its guidelines on the right to information on March 28, 2023. The previous version was dated January 18, 2022 and was open for public consultation. A delta view can be found here.
The relevant changes do not concern a conceptual issue running through the whole document, but rather individual points:
The guidelines include a helpful new Example 5 relating to requests for information in the labor process. In this case, the employer cannot assume that a request for information means all data, which is why the employer may first request a specification of the request for information:
Example 5: In an employment relationship, in case of a generally formulated request for access, it is not per se clear that the employee wants to receive all user-login data, data on access to a workplace, data on settlements in the canteen, data on salary payments, etc. A request for specification made by the employer could for example lead to the clarification, that the employee’s interest is to understand or verify to whom his performance assessment has been passed on. Without request for specification, the employee would receive a large quantity of information, without having an interest in most of the data. At the same time, the employer would need to give information on the different contexts of processing which could concern the employee in order to allow the employee to specify the request sensibly.
One clarification concerns the case where a request for information refers to data that are intended for deletion – in this case, the data controller may process the relevant data for a longer period of time in order to clarify the obligation to provide information, on the basis of Art. 6(1)(c) GDPR, i.e. to fulfill a legal obligation.
The earlier statement referring to previous information provided on the basis of a sectoral regulation has been deleted; here, the controller would have to check whether the later request for information under the GDPR has already been fulfilled. However, this deletion cannot mean that an earlier request for information – to use this unattractive expression – would not be relevant, e.g. when checking whether a request for information is unfounded or excessive.
Also included was the case law of the ECJ, according to which the right to information includes, if possible, the individual recipients (not only categories). If the data subject does not limit the request for information in this respect, all recipients must therefore be named in principle – in other words, the data subject does not have to expressly request this. The fact that there may be a large number of recipients does not make the request excessive.
Regarding the information format: Article 15(3) of the GDPR provides that, in the case of electronic requests, the copy of the data must be made available “in a common electronic format”. Here the EDSA specifies:
In order to determine what format is to be considered as a commonly used format in the situation at hand, the controller will have to assess if there are specific formats generally used in the controller’s area of operation or in the given context. When there are no such formats generally used, open formats set in an international standard, such as ISO, should, in general, be considered as commonly used electronic formats. However, the EDPB does not exclude the possibility that other formats may also be considered to be commonly used within the meaning of Article 15(3). When assessing if a format is a commonly used electronic format, the EDPB considers that it is of importance how easily the individual can access information provided in the current format. In this regard it should be noted what information the controller has provided to the data subject about how to access a file which has been provided in a specific format, such as what programs or software that could be used, to make the format more accessible to the data subject. The data subject should, however, not be obliged to buy software in order to get access to the information.
Regarding compliance with the deadline when providing information, the EDSA adds in a new footnote that national law on access and local holidays must be observed, if applicable.
The guidelines also refer to the pending ECJ case C‑487/21, in which the Federal Administrative Court of Austria referred the following questions to the Court for a preliminary ruling:
- Is the concept of “copy” in Art. 15(3) [GDPR] to be interpreted as meaning a photocopy or a facsimile or an electronic copy of an (electronic) datum, or, following the understanding of the term in German, French and English dictionaries, does the term also cover a “Transcript”, un “double” (“duplicata”) or a “transcript”?
- Is Art. 15(3), first sentence, GDPR, according to which “the controller shall provide a copy of the personal data undergoing processing”, to be interpreted as meaning that it contains a general legal right of a data subject to obtain a copy – also – of entire documents in which personal data of the data subject are processed, or to obtain a copy of an extract from the database where the personal data are processed in such a database, or does the data subject have – only – a legal right to a faithful reproduction of the personal data to be provided according to Art. 15(1) GDPR?
- In the event that the answer to question 2 is that the data subject only has a legal right to a faithful reproduction of the personal data to be provided pursuant to Art. 15(1) of the GDPR: is Art. 15(3) sentence 1 GDPR to be interpreted to the effect that, due to the nature of the data processed (for example, with regard to the diagnoses, examination results or findings listed in recital 63, or also documents in connection with an examination within the meaning of the judgment of the Court of Justice of 20 December 2017, Nowak) and the transparency requirement in Art. 12(1) GDPR, it may nevertheless be necessary in individual cases to make text passages or entire documents available to the person concerned as well?
- Is the term “information”, which, according to Art. 15(3) sentence 3 GDPR, must be provided to the data subject “in a commonly used electronic format” if the data subject submits the request electronically, “unless he or she indicates otherwise”, to be interpreted as meaning that only the “personal data which are the subject of processing” referred to in Art. 15(3) sentence 1 are meant?
- a) If question 4 is answered in the negative: Is the term “information”, which according to Art. 15(3), third sentence, GDPR must be provided to the data subject “in a commonly used electronic format” if the data subject makes the request electronically, “unless he or she indicates otherwise”, to be interpreted to the effect that, in addition, the information pursuant to Art. 15(1)(a) to (h) of the GDPR is also meant?
- b) If question 4 a) is also answered in the negative: Is the term “information”, which, according to the third sentence of Art. 15(3) of the GDPR, must be provided to the data subject “in a commonly used electronic format” if the data subject makes the request electronically, “unless he or she indicates otherwise”, to be interpreted as meaning that, in addition to the “personal data which are the subject of the processing” and the information referred to in Art. 15(1)(a) to (h) of the GDPR, associated metadata, for example, are also meant?