The Euro­pean Data Pro­tec­tion and Pri­va­cy Aut­ho­ri­ty EDSA has adopted the March 28, 2023 Final ver­si­on of the gui­de­lines on the right to infor­ma­ti­on published. The pre­vious ver­si­on was dated Janu­ary 18, 2022 and was open for public con­sul­ta­ti­on. A del­ta view can be found here.

The rele­vant chan­ges do not con­cern a con­cep­tu­al issue that runs through, but rather indi­vi­du­al points:

The gui­dance inclu­des a hel­pful new Exam­p­le 5 rela­ted to. Request for infor­ma­ti­on in the labor pro­cess. In this case, the employer can­not assu­me that a request for infor­ma­ti­on means all data, which is why the employer may first request a spe­ci­fi­ca­ti­on of the request for infor­ma­ti­on:

Exam­p­le 5In an employment rela­ti­on­ship, in case of a gene­ral­ly for­mu­la­ted request for access, it is not per se clear that the employee wants to recei­ve all user-log­in data, data on access to a work­place, data on sett­le­ments in the can­teen, data on sala­ry payments, etc.. A request for spe­ci­fi­ca­ti­on made by the employer could for exam­p­le lead to the cla­ri­fi­ca­ti­on, that the employee’s inte­rest is to under­stand or veri­fy to whom his per­for­mance assess­ment has been pas­sed on. Wit­hout request for spe­ci­fi­ca­ti­on, the employee would recei­ve a lar­ge quan­ti­ty of infor­ma­ti­on, wit­hout having an inte­rest in most of the data. At the same time, the employer would need to give infor­ma­ti­on on the dif­fe­rent con­texts of pro­ce­s­sing which could con­cern the employee in order to allow the employee to spe­ci­fy the request sensibly.

One cla­ri­fi­ca­ti­on con­cerns the case that a request for infor­ma­ti­on is refers to data that are inten­ded for dele­ti­on – in this case, the data con­trol­ler may pro­cess the rele­vant data for a lon­ger peri­od of time in order to cla­ri­fy the obli­ga­ti­on to pro­vi­de infor­ma­ti­on, on the basis of Art. 6(1)(c) DSGVO, i.e. to ful­fill a legal obligation.

Dele­ted the ear­lier state­ment with refe­rence to a pre­vious infor­ma­ti­on based on a sec­to­ral regu­la­ti­onHere, the con­trol­ler would have to check whe­ther the later request for infor­ma­ti­on under the GDPR has alre­a­dy been ful­fil­led. Howe­ver, this dele­ti­on can­not mean that an ear­lier request for infor­ma­ti­on – to use this unat­trac­ti­ve expres­si­on – would not be rele­vant, e.g. when checking whe­ther a request for infor­ma­ti­on is unfoun­ded or excessive.

Also recor­ded was the Case law of the ECJaccor­ding to which the right to infor­ma­ti­on inclu­des, if pos­si­ble, the indi­vi­du­al reci­pi­en­ts (not only cate­go­ries). If the data sub­ject does not limit the request for infor­ma­ti­on in this respect, all reci­pi­en­ts must the­r­e­fo­re be named in prin­ci­ple – in other words, the data sub­ject does not have to express­ly request this. The fact that the­re may be a lar­ge num­ber of reci­pi­en­ts does not make the request excessive.

Go to Infor­ma­ti­on for­mat Artic­le 15 (3) of the GDPR pro­vi­des that the copy of the data in the case of elec­tro­nic requests “in a com­mon elec­tro­nic for­mat” must be made available. Here the EDSA specifies,

In order to deter­mi­ne what for­mat is to be con­side­red as a com­mon­ly used for­mat in the situa­ti­on at hand, the con­trol­ler will have to assess if the­re are spe­ci­fic for­mats gene­ral­ly used in the controller’s area of ope­ra­ti­on or in the given con­text. When the­re are no such for­mats gene­ral­ly used, open for­mats set in an inter­na­tio­nal stan­dard, such as ISO, should, in gene­ral, be con­side­red as com­mon­ly used elec­tro­nic for­mats. Howe­ver, the EDPB does not exclude the pos­si­bi­li­ty that other for­mats may also be con­side­red to be com­mon­ly used within the mea­ning of Artic­le 15(3). When asses­sing if a for­mat is a com­mon­ly used elec­tro­nic for­mat, the EDPB con­siders that it is of importance how easi­ly the indi­vi­du­al can access infor­ma­ti­on pro­vi­ded in the cur­rent for­mat. In this regard it should be noted what infor­ma­ti­on the con­trol­ler has pro­vi­ded to the data sub­ject about how to access a file which has been pro­vi­ded in a spe­ci­fic for­mat, such as what pro­grams or soft­ware that could be used, to make the for­mat more acce­s­si­ble to the data subject.The data sub­ject should, howe­ver, not be obli­ged to buy soft­ware in order to get access to the information.

Go to Com­pli­ance with the dead­line when pro­vi­ding infor­ma­ti­on, the EDSA adds in a new foot­no­te that natio­nal law on access and local holi­days must be obser­ved, if applicable.

The gui­de­lines also refer to the pen­ding ECJ case Rs. C‑487/21, in which the Fede­ral Admi­ni­stra­ti­ve Court of Austria refer­red the fol­lo­wing que­sti­ons to the Court for a preli­mi­na­ry ruling

  1. Is the Con­cept of “copy in Art. 15(3) [GDPR] is to be inter­pre­ted as mea­ning a pho­to­co­py or a facsi­mi­le or an elec­tro­nic copy of an (elec­tro­nic) datum, or, fol­lo­wing the under­stan­ding of the term in Ger­man, French and Eng­lish dic­tio­n­a­ries, falls under the term also a “Tran­script”, un “dou­ble” (“dupli­ca­ta”) or a “tran­script”?
  2. Is Art. 15(3), first sen­tence, GDPR, accor­ding to which “the con­trol­ler shall pro­vi­de a copy of the per­so­nal data under­go­ing pro­ce­s­sing” to be inter­pre­ted as mea­ning that the­r­ein a gene­ral legal right of a data sub­ject to obtain a copy – also – of enti­re docu­ments in which per­so­nal data of the data sub­ject are pro­ce­s­sed, or to obtain a copy of an extra­ct from the data­ba­se whe­re the per­so­nal data are pro­ce­s­sed in such a way, or does it con­sist of – a copy of the per­so­nal data of the data sub­ject in the case of pro­ce­s­sing of per­so­nal data in such a way only – a legal right for the data sub­ject to faithful repro­duc­tion of the per­so­nal data to be pro­vi­ded accor­ding to Art. 15 (1) DSGVO?
  3. In the event that the ans­wer to que­sti­on 2 is that the data sub­ject only has a legal right to a faithful repro­duc­tion of the per­so­nal data to be pro­vi­ded pur­su­ant to Art. 15 (1) of the GDPR, Art. 15 (3) sen­tence 1 of the GDPR must be inter­pre­ted as mea­ning that, due to the natu­re of the data pro­ce­s­sed (e.g., with regard to the dia­gno­ses, exami­na­ti­on results or fin­dings listed in reci­tal 63), it is not pos­si­ble to pro­vi­de the data sub­ject with the ori­gi­nal data. 3 sen­tence 1 GDPR is to be inter­pre­ted to the effect that, due to the natu­re of the data pro­ce­s­sed (for exam­p­le, with regard to the dia­gno­ses, exami­na­ti­on results, fin­dings or also docu­ments in con­nec­tion with an exami­na­ti­on within the mea­ning of the judgment of the Court of Justi­ce of 20 Decem­ber 2017, Nowak) and the trans­pa­ren­cy requi­re­ment in Art. 12 (1) GDPR, may nevert­hel­ess be neces­sa­ry in indi­vi­du­al cases, also text pas­sa­ges or enti­re docu­ments to be made available to the per­son concerned?
  4. Is the Term “infor­ma­ti­onwhich, accor­ding to Art. 15(3) sen­tence 3 GDPR, must be pro­vi­ded to the data sub­ject “in a com­mon­ly used elec­tro­nic for­mat” if the data sub­ject sub­mits the request elec­tro­ni­cal­ly, “unless he or she indi­ca­tes other­wi­se”, must be inter­pre­ted as mea­ning that only the “elec­tro­nic files” refer­red to in Art. 15(3) sen­tence 1 are to be pro­vi­ded.per­so­nal datawhich are the sub­ject of pro­ce­s­sing” are meant? 
    • a) If que­sti­on 4 is ans­we­red in the nega­ti­ve: Is the term “infor­ma­ti­on”, which accor­ding to Art. 15(3), third sen­tence, GDPR must be pro­vi­ded to the data sub­ject “in a com­mon­ly used elec­tro­nic for­mat” if the data sub­ject makes the request elec­tro­ni­cal­ly, “unless he or she indi­ca­tes other­wi­se”, to be inter­pre­ted to that effect, that, in addi­ti­on, the infor­ma­ti­on pur­su­ant to Art. 15(1)(a) to (h) of the GDPR is also meant?
    • b) If que­sti­on 4 a) is also ans­we­red in the nega­ti­ve: Is the term “infor­ma­ti­on” which, accor­ding to the third sen­tence of Art. 15(3) of the GDPR, must be pro­vi­ded to the data sub­ject “in a com­mon­ly used elec­tro­nic for­mat” if the data sub­ject makes the request elec­tro­ni­cal­ly “unless he or she indi­ca­tes other­wi­se” to be inter­pre­ted as mea­ning that, in addi­ti­on to the “per­so­nal data which are the sub­ject of the pro­ce­s­sing” and the infor­ma­ti­on refer­red to in Art. 15(1)(a) to (h) of the GDPR For exam­p­le, asso­cia­ted meta­da­ta are meant?