Ogletree Deakins > Blog Posts > Blog > Defense Against Right of Access Requests Pursuant to Art. 15 GDPR

Defense Against Right of Access Requests Pursuant to Art. 15 GDPR

By Stephan Makowka
Download PDFPrintShare

In 2023, the ECJ clarified the limits of right of access requests under Art. 15 GDPR in landmark decisions with far-reaching consequences for employers. For example, the right to a copy of data under Art. 15 para. 3 GDPR may mean that employers must provide applicants with extracts of documents, entire documents or even extracts from databases. (ECJ of May 04 2023 – C-487/21 and of October 26, 2023 – C-307/22). Court decisions like this makes it clear that employers should continue to pay particular attention to the right of access request under Art. 15 GDPR in 2024. In the following, we would like to show what options employers have when dealing with such requests for information.

Deadlines

First of all, employers should install fixed internal processes to ensure that right of access requests are responded to in a timely manner. It should be noted that right of access requests under Art. 15 GDPR can also be made informally and can therefore potentially be submitted via various channels. Failure to comply with a deadline can already result in liability under Art. 82 GDPR.

Right of access requests must be answered immediately in accordance with Art. 12 para. 3 GDPR, at the latest within one month of receipt. If the complexity and/or the number of right of access requests requires more time, the deadline can be extended once by two months. The employer must inform the applicant of the extension of the deadline and the reasons for the extension within one month of receipt of the right of access request.

Conflicting rights and freedoms of other persons

Before providing information, employers should always check whether the information to be disclosed affects the rights and freedoms of third parties.

Right of access requests are restricted where they conflict with the rights and freedoms of third parties. Such rights include, in particular, copyrights, personal rights, data protection of third parties or the protection of trade and business secrets.

If the rights and freedoms of third parties outweigh the right of the person submitting a rights of access request, this will result in a restriction of the rights of access request. For example, where reasonable, information relating to third parties must be redacted.

Legally, these restrictions are based on Art. 15 para. 4 GDPR and Section 29 para. 1 Sentence 2 Var. 2 German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The standard from the Federal Data Protection Act is based on the opening clause of Art. 23 letter i GDPR and is predominantly considered to be compliant with European law. In terms of content, it goes further than Art. 15 para. 4 GDPR, as it not only takes into account the rights and freedoms of third parties, but also whether the nature of the information itself requires confidentiality. The latter is likely to be the case if the purpose of confidentiality is recognized by the legal system as worthy of protection.

In legal disputes, employers should present the conflicting rights of third parties to the court in detail so that the court can weigh them up in the first place and make a decision in favor of the employer.

Confidentiality obligations

Employers should also check whether legal provisions also require certain information to be kept confidential from the applicant. Insofar as these legal provisions subject the information to confidentiality, claims for information can regularly be restricted in that such information requiring confidentiality cannot be part of a right of access request.

Pursuant to Section 29 para. 1 Sentence 2 Var. 1 German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), right of access requests can be restricted if the information is subject to a statutory confidentiality obligation. Such confidentiality obligations include, for example, professional secrets.

Disproportionate effort

Right of access requests must be answered. As a rule, it is not recommended for employers to reject right of access requests with the argument that there is high or disproportionate effort required to process these requests.

Unlike Art. 14 GDPR, for example, Art. 15 GDPR does not contain an exception, even in the event that a right of access request incurs disproportionate costs. The question whether employers can successfully invoke the national provision of Section 275 para. 2 German Civil Code (Bürgerliches Gesetzbuch – BGB) to refuse right of access requests under European law in accordance with Art. 15 GDPR due to the disproportionate effort involved must be denied in view of the rulings of the courts.

Obviously unfounded and excessive applications

In particular, employers should check whether persons have already submitted multiple requests in accordance with Art. 15 GDPR.

Right of access requests can even be rejected altogether in accordance with Art. 12 para. 5 GDPR if they are made improperly. Such improper use can be assumed, for example, if requests are excessive or manifestly unfounded. However, the hurdles for accepting such an exception are generally high.

In order to be able to assume such an excessive request, there must first be a number of requests. Since there may also be objective reasons for repeated requests for information, the assumption of an excessive request also requires that there are no valid reasons for the repeated requests for information.

Finally, an improper right of access request is likely to be assumed if it is demonstrably made solely for the purpose of harassment.

Purposes contrary to data protection

Employers should ultimately check what purposes applicants are pursuing with their right of access requests if such a request contains corresponding information or allows conclusions to be drawn about the purpose of the right of access request.

In the past at least, employers have been able to successfully argue in court that the right of access request was being used for purposes contrary to data protection. The Saxony State Labor Court rejected a right of access request because, in the court’s view, the plaintiff merely wanted to prepare a claim for overtime pay (State Labour Court Saxony, of February 17, 2021 – 2 Sa 63/20).

In contrast, the Berlin-Brandenburg State Labor Court considered a right of access request to be admissible even if it does not serve any of the purposes listed in recital 63 (Berlin-Brandenburg State Labor Court, of March 30, 2023 – 5 Sa 1046/22). According to recital 63, right of access requests are intended to enable applicants to verify the lawful processing of their personal data.

The ECJ has now ruled on this issue. According to the ECJ’s decision of October 26, 2023, right of access requests are not considered to be an abuse of rights simply because they pursue purposes other than those stated in recital 63 (ECJ of October 26, 2023 – C -307/22). Even if right of access requests are made for purposes unrelated to data protection, they must still be answered.

Although the Federal Labor Court has not yet commented on this, it can be assumed that the lower courts will follow the ECJ’s line in the future. Nonetheless, it cannot be ruled out that the pursuit of purposes contrary to data protection law may also lead to a restriction of right of access requests in the future, at least in individual cases.

Burden of presentation and proof in court

If employers are confronted with right of access requests asserted in court, they should always check whether the claim for such information is justified and must be fulfilled accordingly.

It should be checked whether the right of access requests meet the strict requirements of the Federal Labor Court. For example, the Federal Labor Court requires that the copies to be handed over in accordance with Art. 15 para. 3 GDPR be described as precisely as possible (Federal Labor Court of April 27, 2021 – 2 AZR 432/20). If the requests do not meet these requirements, this is a possible starting point for a defense.

If information has already been provided by employers prior to a legal dispute, requests should be reviewed to determine whether they are based solely on the wording of Art. 15 GDPR. According to the court ruling of the Regional Labor Court of Hamm, applicants can be expected to specify right of access requests still to be disclosed if information has already been granted (Hamm State Labour Court of December 2, 2022 – 19 Sa 756/22).

Liability risks, fines

If right of access requests are answered late or incorrectly, employers regularly face liability risks. Applicants often demand compensation under Art. 82 GDPR following a late or allegedly incorrect response to a right of access request. Fines from supervisory authorities under Art. 83 GDPR are also possible.

However, according to a recent decision by the Düsseldorf Regional Labor Court, no compensation can be claimed under Art. 82 GDPR due to a delayed and initially incomplete provision of information (Düsseldorf State Labor Court of November 28, 2023, – 3 Sa 285/23). In the opinion of the Düsseldorf Regional Labor Court, a mere breach of the duty to provide information in accordance with Art. 15 GDPR does not fall within the scope of Art. 82 GDPR.

Outlook

There are various starting points for employers to respond to right of access requests and at least restrict them. The underlying legal considerations are in flux due to the court decisions of the ECJ and should be closely monitored. Important rulings from Europe for employers can also be expected in 2024. Claims for information under Art. 15 GDPR entail liability risks under Art. 82 GDPR that must be taken into account, so that every right of access request should be taken seriously.

Photo: Shutterstock / Thanadon88

Author

Stephan Makowka
Senior Associate / Attorney, Berlin

Topics

Blog

Browse More Insights

Podcasts Seminars Webinars

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now