According to a decision by Germany’s Federal Labour Court (‘the Court’), an employee must specify which (copies of) email correspondence they wish to obtain from the employer when making a data subject access request under the EU General Data Protection Regulation (GDPR). The Court further mentioned that the employee could have requested information by using a procedural alternative. As the Court dismissed the case on procedural grounds, it unfortunately did not provide long-awaited guidance on specific material questions relating to such requests.
Under Article 15(1) of the GDPR, a person (ie a data subject) has the right to obtain from a data controller (usually an organisation) confirmation as to whether or not the controller processes personal information about them. If so, the controller must provide a copy of the personal data it is processing (Article 15(3) of the GDPR).
It is being widely discussed and litigated whether this clause in fact obliges the controller to provide a data subject with copies of any data processed (ie all correspondence, databases, directories, etc that contain the data subject’s personal data) or whether it should be interpreted more narrowly.
The Court had to decide whether a former employee was entitled to request from his former employer copies of all email correspondence that contained his personal data and declared the claim was inadmissible because it was too generic and could therefore not be enforced.
However, the Court added that the claimant could have used a specific procedural instrument, known as ‘action by stages’ (Stufenklage, section 254 of the German Code of Civil Procedure), to obtain information about which emails about him are held by the employer. This would have allowed the claimant to specify exactly which emails he wanted a copy of.
The Court did not decide on the material scope of the claim for ‘copies’ as part of a data subject access request. In this regard, the Court mentioned in the oral hearing that it would consider referring the case to the European Court of Justice because the scope of ‘copies’ under Art.15 GDPR may need to be interpreted under EU law. However, as the case was later declared inadmissible, the court did not take this any further.
Data subject access requests are becoming more and more popular. Companies processing personal data should set up standardised procedures for gathering relevant information from their various systems and preparing their response to the request. Ideally, these procedures should be automated as much as possible as it makes the process significantly less burdensome compared to retrieving information from systems ‘manually’.