Picture this: A subject access request (SAR) pursuant to Article 15 of the GDPR lands on your desk. What now, what needs to be done? What if a customer or former employee requests copies of their personal information? Can a subject access request be rejected as unreasonable?
In principle, anyone who processes data is obliged to provide information to the data subjects in accordance with Article 15 of the GDPR. There are only a few exceptions which discharge the controller from its obligation to provide information or limit the scope of information. The obligation to provide information does not fall under the statute of limitation. An SAR must be complied with within one month of receipt. This period may be extended to a further two months in exceptional cases only.
Depending on the circumstances, such a subject access request can be made electronically, by post or even verbally. If the data subject has requested a copy of his or her personal information, the data must be handed over to him or her ("right to a copy of the data under going processing" according to Art 15 (3) GDPR). However, there are limits:
In a decision, the German District Court of Pankow had to deal with the question of what applies when the “personal information” refers to video surveillance recordings which have already been deleted due to a short storage period.
The plaintiff in the case in question had used the public suburban railway in Berlin. Video surveillance systems are installed on some Berlin trains, and the recorded material is stored for a period of 48 hours. The plaintiff was informed about the video recordings in compliance with the GDPR. He subsequently requested that the video images depicting him be handed over and that the recordings not be deleted. The public transport provider did not comply with the subject access request; specifically, it did not provide copies of the data and deleted these within the 48- hour period. The plaintiff then claimed damages on grounds of a violation of his data protection rights as he was not given the requested information.
The Pankow District Court ruled that it had been unreasonable for the public transport provider to comply with the plaintiff's request. The provision of information, including the transmission of the video recordings, would have required a considerable amount of time, money and manpower while the plaintiff's interest in the fulfilment of the request was very small. The public transport provider had therefore acted lawfully when it did not provide information. The decision is not yet final and unappealable.
In practice, this means that every subject access request is to be taken seriously but there is no need to provide information about everything and instantaneously. Review as to whether an SAR is unreasonable, whether and to what extent copies must be provided, whether confidentiality interests are affected, etc. is required on a case-by-case basis. In this context, it is important to implement appropriate processes in the company.
We will be happy to support you in this!
Link: AG Pankow: 4 C 199/21 vom 28.03.2022 | 4. Abteilung (rewis.io)