As many employers will be aware, data subject access requests (DSARs) can take up a significant amount of business resources and are a common tactic used by disgruntled employees. A recent decision from the Court of Justice of the European Union (CJEU) looks at what needs to be provided to an individual as part of a response and whether a summary of the information is enough (spoiler alert: it isn’t!).

Background

According to the European General Data Protection Regulation (GDPR), which has effectively been transposed into UK law post-Brexit, individuals (including prospective, current, or former employees) are entitled to receive a “copy” of documents relating to them as part of a DSAR. Compliance with DSARs can cause a significant amount of work for employers and as a result, they are often used by disgruntled employees at the early stages of litigation.

The CJEU recently published its decision on what the exact obligations are when complying with DSARs and specifically, whether a summary of the information is sufficient.

The facts in this case

This case concerned a credit bureau, CRIF, which collected information about Austrian individuals in order to access their creditworthiness. The applicant submitted a DSAR to CRIF and asked to be sent a copy of the documents about him. In response, CRIF sent a list of the information processed about him in summary form. The applicant then complained to the Austrian data protection authority (DPA) saying that a mere summary was not sufficient.

The Austrian DPA rejected the complaint and the individual appealed. After an appeal to the Federal Administrative Court, the question was referred to the CJEU.

Decision

The CJEU held that the right to obtain a “copy” of personal data means that the individual must be given a "faithful and intelligible reproduction of all those data.” That means that individuals can obtain copies of extracts from documents or even the whole of those documents if that ensures compliance with their rights under GDPR, whilst ensuring that third-party data is protected. A purely general description of the data being processed or a reference to categories of personal data does not satisfy the requirement of providing a copy.

The CJEU also noted that one of the objectives of the right to access is to enable the individual to ensure that the personal data relating to them is correct and that it is processed in a lawful manner.

Impact on employers

In practice, employers will need to provide copies of documents (redacting personal data of third parties where necessary) and if a “shortcut” means that the individual is unable to completely understand or interpret the information, then the approach may not be compliant with GDPR.

Employers should also be mindful of redacting third-party data (for example relating to other employees), but where there is a conflict between complying with a DSAR and third-party confidentiality, employers will need to strike a balance between the two. Wherever possible, the DSAR should be complied with in a way that does not infringe third-party privacy, bearing in mind that this is not a sufficient reason to refuse a DSAR.

Although this European decision will not be legally binding in the UK, it may still be persuasive authority for the UK data protection regulator, the ICO.