In 2023, the European Court of Justice (ECJ) clarified the limits of applicants’ right of access requests under Article 15 of the European Union’s General Data Protection Regulation (GDPR) in landmark decisions with far-reaching consequences for employers.
Quick Hits
- The ECJ ruled in two cases in 2023 that companies may be required to provide extracts of documents, entire documents, or even extracts from databases to applicants who request data under Article 15 of the GDPR.
- Employers have multiple starting points for responding to right-of-access requests, but the underlying legal considerations are in flux due to decisions of the ECJ.
For example, the right to a copy of data under Art. 15 para. 3 GDPR may mean that employers must provide applicants with extracts of documents, entire documents, or even extracts from databases (ECJ cases C-487/21 (May 4, 2023) and C-307/22 (October 26, 2023)). Court decisions like these make it clear that employers will want to continue to pay particular attention to the right of access request under Art. 15 GDPR in 2024.
In the following, we would like to show what options employers have when dealing with such requests for information.
Deadlines
Employers may want to install fixed internal processes to ensure that right of access requests are responded to in a timely manner. Employers may also want to note that right of access requests under Art. 15 GDPR can also be made informally and can therefore potentially be submitted via various channels. Failure to comply with a deadline can already result in liability under Art. 82 GDPR, regarding the right to compensation and liability.
Right of access requests must be answered immediately in accordance with Art. 12 para. 3 GDPR, at the latest within one month of receipt. If the complexity and/or the number of right of access requests requires more time, the deadline can be extended once by two months. The employer must inform the applicant of the extension of the deadline and the reasons for the extension within one month of receipt of the right of access request.
Conflicting Rights and Freedoms of Other Persons
Before providing information, employers may want to check whether the information to be disclosed affects the rights and freedoms of third parties.
Right of access requests are restricted where they conflict with the rights and freedoms of third parties. Such rights include, in particular, copyrights, personal rights, data protection of third parties, or the protection of trade and business secrets.
If the rights and freedoms of third parties outweigh the right of the person submitting a right of access request, this will result in a restriction of the right of access request. For example, where reasonable, information relating to third parties must be redacted.
Legally, these restrictions are based on Art. 15 para. 4 GDPR and Section 29 para. 1 Sentence 2 Var. 2 German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The standard from the Federal Data Protection Act is based on the opening clause of Art. 23, letter i, of the GDPR and is predominantly considered to be compliant with European law. In terms of content, it goes farther than Art. 15 para. 4 GDPR, as it not only takes into account the rights and freedoms of third parties, but also whether the nature of the information itself requires confidentiality. The latter is likely to be the case if the purpose of confidentiality is recognized by the legal system as worthy of protection.
In legal disputes, employers may want to present the conflicting rights of third parties to the court in detail, so that the court can weigh them up in the first place (and, potentially, render a decision in favor of the employer).
Confidentiality Obligations
Employers may also want to check whether legal provisions require certain information to be kept confidential from the applicant. Insofar as these legal provisions subject the information to confidentiality, claims for information can regularly be restricted, in that such information requiring confidentiality cannot be part of a right of access request.
Pursuant to Section 29 para. 1 Sentence 2 Var. 1 German Federal Data Protection Act (BDSG), right of access requests can be restricted if the information is subject to a statutory confidentiality obligation. Such confidentiality obligations include, for example, professional secrets.
Disproportionate Effort
Right of access requests must be answered. As a rule, it is not recommended that employers reject right of access requests on the basis of high or disproportionate effort required to process such requests.
Unlike Art. 14 GDPR, Art. 15 GDPR does not contain an exception for the case of disproportionate effort. The question of whether employers can successfully invoke the national provision of Section 275 para. 2 German Civil Code (Bürgerliches Gesetzbuch – BGB) to refuse right of access requests under European law in accordance with Art. 15 GDPR due to the disproportionate effort involved must in all likelihood be denied in view of the rulings of the courts.
Obviously Unfounded and Excessive Applications
In particular, employers may want to check whether persons have already submitted multiple requests in accordance with Art. 15 GDPR.
Right of access requests can even be rejected altogether in accordance with Art. 12 para. 5 GDPR if they are made improperly. Such improper use can be assumed, for example, if requests are “excessive” or “manifestly unfounded.” However, the hurdles for accepting such an exception are generally high.
In order to be able to assume such an excessive request, there must first be a number of requests. Since there may also be objective reasons for repeated requests for information, the assumption of an excessive request also requires that there are no valid reasons for the repeated requests for information.
Finally, an improper right of access request is likely to be assumed if it is demonstrably made solely for the purpose of harassment.
Purposes Contrary to Data Protection
Employers may ultimately want to check what purposes applicants are pursuing with their right of access requests if such a request contains corresponding information or allows conclusions to be drawn about the purpose of the right of access request.
In the past at least, employers have been able to successfully argue in court that the right of access request was being used for purposes contrary to data protection. The Saxony State Labor Court rejected a right of access request because, in the court’s view, the plaintiff merely wanted to prepare a claim for overtime pay (Saxony State Labor Court of February 17, 2021 – 2 Sa 63/20).
In contrast, the Berlin-Brandenburg State Labor Court considered a right of access request to be admissible even if it does not serve any of the purposes listed in recital 63 of the GDPR (Berlin-Brandenburg State Labor Court, of March 30, 2023 – 5 Sa 1046/22). According to recital 63, right of access requests are intended to enable applicants to verify the lawful processing of their personal data.
The ECJ has now ruled on this issue. According to the ECJ’s decision of October 26, 2023, right of access requests are not considered to be an abuse of rights simply because they pursue purposes other than those stated in recital 63. Even if right of access requests are made for purposes unrelated to data protection, they must still be answered.
Although the Federal Labor Court has not yet commented on this, it can be assumed that the lower courts will follow the ECJ’s line in the future. Nevertheless, it cannot be ruled out that the pursuit of purposes contrary to data protection law may also lead to a restriction of right of access requests in the future, at least in individual cases.
Burden of Presentation and Proof in Court
Employers that are confronted with right of access requests asserted in court may want to confirm whether claims for such information are justified and must be fulfilled accordingly.
Employers may want to check whether the right of access requests meet the strict requirements of the Federal Labor Court. For example, the Federal Labor Court requires that the copies to be handed over in accordance with Art. 15 para. 3 GDPR be described as precisely as possible (Federal Labor Court of April 27, 2021 – 2 AZR 432/20). If the requests do not meet these requirements, this is a possible starting point for a defense.
Employers that have already provided information prior to a legal dispute may want to review requests to determine whether they are based solely on the wording of Art. 15 GDPR. According to a court ruling of the Regional Labor Court of Hamm, applicants can be expected to specify right of access requests still to be disclosed if information has already been granted (Hamm State Labor Court of December 2, 2022 – 19 Sa 756/22).
Liability Risks and Fines
If right of access requests are answered late or incorrectly, employers regularly face liability risks. Applicants often demand compensation under Art. 82 GDPR following a late or allegedly incorrect response to a right of access request. Fines from supervisory authorities under Art. 83 GDPR are also possible.
However, according to a recent decision by the Düsseldorf Regional Labor Court, no compensation can be claimed under Art. 82 GDPR due to a delayed and initially incomplete provision of information (Düsseldorf State Labor Court of November 28, 2023 – 3 Sa 285/23). In the opinion of the Düsseldorf Regional Labor Court, a mere breach of the duty to provide information in accordance with Art. 15 GDPR does not fall within the scope of Art. 82 GDPR.
Outlook
There are various starting points for employers to analyze and respond to right of access requests. The underlying legal considerations are in flux due to the court decisions of the ECJ and will have to be closely monitored. Important rulings from Europe for employers can also be expected in 2024.
Claims for information under Art. 15 GDPR entail liability risks under Art. 82 GDPR that must be taken into account, so it makes sense to take seriously every right of access request.
Ogletree Deakins’ Berlin office will continue to monitor developments and will publish updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.