Part 2 of this series considers the second of two recent decisions from Europe which show the struggles the Courts are facing when determining the scope of data subject access requests (DSARs) - one decision being potentially beneficial to controllers who are also in litigation with the data subject; the other of potential concern. This article considers the decision concerning DSARs and Litigation.

Part 1 in this series can be read here.

Although neither decision will directly apply to the interpretation of the UK GDPR (for jurisdictional reasons), both could be taken into account by the ICO and the UK Courts in the future.

DSARs and Litigation

The second decision comes from the German courts and considers whether a data controller can reject a DSAR if the purpose of the request is not to be aware of or verify the lawfulness of the processing.

The controller in this case [1] was a private health insurance company that was seeking to rely on the exemption under the GDPR that a DSAR can be refused where it is manifestly excessive. The data subject was insured by the controller and in a dispute with the controller concerning the premiums and coverage. During the course of this litigation a DSAR was made.

In this case, the German Court held that the data subject did not have a right of access since the request could be rejected as being manifestly excessive. 

Previously, a DSAR needed to be "repetitive in character" to be classed as manifestly excessive. But the German Court's view was that this criterion was only one example of what could be considered an excessive request and that it could also cover other forms of abuse. In this case it was determined that the data subject was not interested in verifying the lawfulness of the processing but rather in checking whether the adjustments made to the premiums were formally compliant with German insurance law (i.e. disclosure for the purposes of the litigation). As a consequence, the court concluded that the request was abusive.

This is very much a welcome development for data controllers, who are increasingly seeing DSARs used as a form of pre-action disclosure and have limited ways to resist them. It's yet to be seen whether this approach will be adopted in the UK, given that the last time the UK Courts addressed this point in detail they reached the opposite conclusion, albeit that was under the pre-GDPR regime [2]. Also of note in this area is the UK government's recent indication [3] that it will proceed with the proposal to amend the threshold for refusing to respond to, or charging a reasonable fee for, a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.

Although it may not yet be possible to avoid a DSAR made for litigious purposes, the review for personal data can be put to good use. When dealing with DSARs connected to litigation (in particular employment grievances), WBD Clarity provides a solution which allows the DSAR review to be undertaken while simultaneously flagging any documents which may need to be disclosed in litigation or may assist or harm your case. This DSAR review can therefore be used to your advantage, allowing you to understand the risk profile of the documents at an earlier stage and make tactical decisions around settlement.