Right to a copy of personal data
With the adoption of the EU General Data Protection Regulation (2016/679) (GDPR), the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Accordingly, the right of access has been reinforced.
Notably, data controllers must provide applicants with a copy of their personal data (Article 15(3) of the GDPR). This provision has led to some confusion over whether Article 15(3) grants applicants the right to access files or documents containing personal data such as emails, letters and contracts. Files or documents do not qualify as 'personal data' but are the 'medium' on which the data is stored. Still, lawyers are increasingly resorting to Article 15(3) as a means to obtain documentary evidence for their clients.
However, the wording of Article 15(3) is unambiguous. The English language version reads: "The controller shall provide a copy of the personal data undergoing processing." The German language version concurs: "Der Verantwortliche stellt eine Kopie der personenbezogenen Daten, die Gegenstand der Verarbeitung sind, zur Verfügung." The French version is also congruent: "Le responsable du traitement fournit une copie des données à caractère personnel faisant l'objet d'un traitement."
The English, German and French versions clearly refer to the provision of a copy of personal data itself. They do not leave room for an interpretation where files or documents containing such information are subject to the right of access. Moreover, the GDPR's Recital 63 describes clearly the aim of the right of access. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
The Austrian Federal Administrative Court (AFAC) corrected an ambiguous decision by the Austrian Data Protection Authority (ADPA), which could have been misread as obliging a bank to provide duplicates of account statements to an applicant. In a later decision, the ADPA differentiated between the contents of an email and the email itself. The ADPA qualified the content of the email as personal data to which the right of access generally applies. Both decisions are final.
Although the AFAC did not address the issue of granting access to documents directly, its decision offers some guidance in that regard.1
In 2017, the plaintiff (a bank client) asked the respondent (the bank) for information concerning his payments to a certain recipient during the previous five years. The respondent agreed to provide duplicates of account statements for a fee of €30 per year (which he was allowed to levy under the applicable Payment Service Regulation). However, the plaintiff was unwilling to pay this fee and requested the data again with explicit reference to his right of access under the (then applicable) Austrian Data Protection Act. The respondent did not comply with the plaintiff's access request but reiterated its willingness to provide statements of account only on receipt of the fee. The plaintiff considered this a violation of his right of access and filed a complaint with the ADPA.
In its June 2018 decision,2 the ADPA ruled that the respondent had infringed the plaintiff's rights by not complying with his access request. Yet, the decision was ambiguous. It was unclear from the decision whether the respondent was obliged to provide the requested duplicates of account statements or only specific personal data contained in those statements. The respondent appealed to the AFAC.
The AFAC upheld the ADPA's decision but altered its verdict by clarifying what specific personal data had to be provided to the plaintiff. However, the AFAC limited the plaintiff's request to data access only and thus denied access to documents. Remarkably, both the ADPA and the AFAC acknowledged that Article 15(3) governs the right of access in general, but may be superseded by more specific legislation addressing the right of access.
ADPA email decision
In this case, the plaintiff requested access to a file in an administrative criminal proceeding.3 The request was denied regarding an email in which the plaintiff was accused of the relevant administrative offence. The administrative authority, a municipality, aimed to protect the accuser's identity.
The ADPA recognised the right of access to the content of a document (in this case an email), but only as far as it contained an applicant's personal data. However, in this particular case, the right of access to the personal data of another data subject was denied, as there was no specific reason to grant such access. If a document contains the data of another data subject and the interests of that data subject override those of the applicant, a copy of said document may not be transmitted in its entirety to the applicant (Article 15(4) of the GDPR).
For instance, data controllers must protect their employees' personal data. Hence, as long as personal data is processed lawfully, controllers are not obliged to provide information on which employee accessed a certain file. However, if an employee accesses documents without authorisation, the employee qualifies as a third party and applicants might have a right to be informed of such access to their personal data.4
Note: Austrian law permits the refusal of access requests if trade or business secrets could be jeopardised (Section 4(6) of the Austrian Data Protection Act).5
The GDPR does not grant a right of access to files or documents. However, the content of documents may qualify as personal data. Providing copies of personal data stored within a document will often be the easiest option by redacting superfluous information and providing the document to the applicant. When doing so, data controllers must protect the rights and interests of other data subjects and are permitted and well advised to guard their own trade and business secrets.
In terms of the GDPR, employees are treated as data subjects whose interests need protection. Therefore, employee data might need to be anonymised when transmitting documents. However, in special circumstances (eg, the unauthorised use of personal data), data controllers could be required to inform the applicant of which employee accessed their personal data unlawfully.