ICO: Gui­d­ance on affec­ted per­son petitions

The Eng­lish regu­la­to­ry aut­ho­ri­ty ICO has published a detail­ed Gui­de­li­ne for dealing with requests from affec­ted par­ties published.

The gui­de­li­ne also con­tains, for examp­le, explana­ti­ons of the efforts that com­pa­nies should make in the Search for per­so­nal data of the per­son con­cer­ned are expected:

  • Data in Archi­ve and back­up systems are to be sear­ched in princip­le, even if the pos­si­bi­li­ties are more limi­ted than in the case of pro­duc­tion systems (alt­hough excep­ti­ons can be found here in the trans­po­si­ti­on law, as for examp­le in § 34 para. 1 no. 2 of the Ger­man BDSG). In con­trast, a com­pa­ny does not have to attempt to res­to­re dele­ted data (which rela­tes back to the con­cept of dele­ti­on, becau­se dele­ti­on only has to result in per­so­nal data being unre­co­ver­a­ble under the cir­cum­stan­ces, theo­re­ti­cal reco­vera­bi­li­ty does not hurt – a requ­est for infor­ma­ti­on does not affect this stan­dard if reco­very is not required).
  • At EmailsIf a search reve­als 2000 e‑mails in which the per­son con­cer­ned was a copy, a cor­re­spon­ding noti­fi­ca­ti­on without a copy of the e‑mails is suf­fi­ci­ent. Howe­ver, if the con­tent of the mails also rela­tes to the data sub­ject, the data sub­ject is enti­t­led to a copy (redac­ted if necessa­ry). What the ICO does not address is the que­sti­on under which cir­cum­stan­ces employees have a right to a copy of e‑mails at all, cf. Ber­lin; LG Colo­gne; LG Hei­del­berg; and Hes­se; cf. also the judgment A3/2015/3077 of the Eng­lish Court of Appeal of 16 Febru­a­ry 2017 con­cer­ning dis­pro­por­tio­na­li­ty of effort).

It is also inte­re­sting to con­firm that the Infor­ma­ti­on dead­line in the event of justi­fied que­ries by the data con­trol­ler to the data sub­ject about the more spe­ci­fic sub­ject of a requ­est for information:

This means that you do not need to pro­vi­de the indi­vi­du­al with a copy of the infor­ma­ti­on, or any of the sup­ple­men­ta­ry infor­ma­ti­on that you can­not rea­son­ab­ly pro­vi­de, unless you have obtai­ned clarification.