A manifestly excessive request of data under the GDPR – new decision from the Danish Data Protection Agency
As a rule, a data controller for the processing personal data has a legal obligation under the GDPR to provide a natural person with a copy of personal data relating to him or her – the right of access. This right includes data processed by the controller and data processed by a data processor on behalf of the controller. There is however a key exemption; the controller is not required to act on a request if the request is deemed to be manifestly unfounded or excessive.
The Danish Data Protection Agency (DPA) recently published a decision that shed some light on what constitutes a manifestly excessive request. After the termination of employment, a former municipality employee requested access to all communications in connection with his duties, in order to collect evidence against the municipality concerning his dismissal.
After providing information under the rules on access to documents, the municipality tried to get the former employee to clarify and limit his request. The former employee explained that the desired material was extensive after several years of employment. However, the data subject failed to clarify the scope of his request.
The municipality subsequently refused to provide additional material. It referred to the fact that the requested material constituted a vast amount of information in the form of notes, letters and e-mails which the former employee had prepared or sent in connection with the performance of his duties.
The DPA emphasized in its decision that although the information contained in such communications should be considered personal data, this information was first and foremost related to the data subject’s functions, and not information about the data subject himself or his personal attributes. The DPA held that in some cases, information which might include a description of a course of action which is a personal choice made by the data subject may thus be subject to his right of access, and that this would be an assessment that the controller would have to carry out.
The DPA concluded that this request constituted a manifestly excessive request, since it comprised a very large amount of personal data predominantly connected to the data subject’s duties and not personal attributes.
This decision is of key interest for data controllers in the whole of the Union – and not only in Denmark – due to the nature of the data subject access request: a former employee’s request after the termination of his employment.
In January 2022, the European Data Protection Board (EDPB) published draft guidance on the right of access. It is important to note that this guidance remains in draft form and has not been formally adopted. Prior consultation closed in March 2022, and it is probable that the guidance will be formally adopted in 2022.
The first example given in the draft guidance is eerily similar to the case tried by the DPA:
An individual was dismissed by their employer. One week later, the individual decides to collect evidence to file an unfair dismissal lawsuit against their former employer. With that in mind, they write to the former employer requesting access to all personal data relating to the data subject, that the former employer, as controller, processes.
The controller shall not assess the intention of the data subject, and the data subject does not need to provide the controller with the reason for their request. Therefore, if the request fulfils all other requirements, the controller needs to comply with the request, unless the request proves to be manifestly unfounded or excessive, which the controller is required to demonstrate.
The EDPB interprets the right of access as a right without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject’s request. Further, the EDPB specifies that the fact that it would take the controller a vast amount of time and effort to provide the copy to the data subject cannot on its own render a request excessive. It is the EDPB’s conclusion that it is the controller who bears the onus to demonstrate a request is manifestly excessive.
The recitals to the GDPR states that where the controller processes a large quantity of data relating to the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates. The EDPB has interpreted this as an option for the controller that do not entail an obligation for the data subject to specify the request. The data subject still has the right to request a copy of all data being processed (section 35(b) of the draft guidance).
It is difficult to reconcile the DPA’s decision with the EDPB’s draft guidance. The decision is brief, and the analysis does not go into details. With that said, it appears that the decisive factor was that the request comprised a very large amount of personal data predominantly connected to the data subject’s duties and not personal attributes (information about the work function in relation to information about the data subject).
What is noteworthy is that the DPA is a member of the EDPB and thus a place at the table when deciding what guidance to publish and adapt. This fact raises the question: Is there perhaps no agreement between the regulators?
Within the context of this article, it is of course not possible to answer this question. We can simply conclude that this topic remains difficult for controller’s who de facto are required to make a risk assessment on how to view and handle data subject access requests. Thus, there is material uncertainty in the interpretation of the GDPR. It is not unlikely that this question needs to be referred to the Court of Justice for the European Union for controllers to receive clarification.
For further information, please contact:
FCG has extensive experience in advising data controllers on data subjects rights. This includes the establishment of governance procedures, risk assessments, and the demonstration of compliance. In addition, it includes experience for providing hands on advice in the assessment of individual access requests.