The English regulatory authority ICO has published a detailed guideline for dealing with requests from data subjects.
The guideline also contains, for example, explanations of the effort that companies are expected to make when searching for the personal data of the person concerned:
- Data in archive and backup systems must be searched in principle, even if the possibilities are more limited than in the case of production systems (although exceptions can be found here in the transposition law, as for example in § 34 para. 1 no. 2 of the German BDSG). In contrast, a company does not have to attempt to restore deleted data. This relates back to the concept of deletion: deletion only has to result in personal data being unrecoverable under the circumstances, and theoretical recoverability does no harm. A request for information does not affect this standard if recovery is not required.
- Emails: If a search reveals 2000 e‑mails on which the person concerned was copied, a corresponding notification without a copy of the e‑mails is sufficient. However, if the content of the mails also relates to the data subject, the data subject is entitled to a copy (redacted if necessary). What the ICO does not address is the question of the circumstances under which employees have a right to a copy of e‑mails at all (cf. Berlin; LG Cologne; LG Heidelberg; and Hesse; cf. also the judgment A3/2015/3077 of the English Court of Appeal of 16 February 2017 concerning disproportionality of effort).
Also interesting is the confirmation regarding the information deadline in the event of justified queries by the data controller to the data subject about the more specific subject of a request for information:
This means that you do not need to provide the individual with a copy of the information, or any of the supplementary information that you cannot reasonably provide, unless you have obtained clarification.