GDPR and ‘Right of Access’ – How much information are your customers entitled to? 

16th August 2019

In Germany, GDPR guidance concerning ‘right of access’ to personal data is well known for being more relaxed than UK guidelines.

‘Right of access’ resides in Article 15, and it states that copies of the following information should be accessible to clients who request it:

  • the purposes of data processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed,
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • where the personal data are not collected from the data subject, any available information as to their source.

In certain areas of Germany, such as Hesse and Stuttgart, GDPR guidelines state that when a copy of data is requested, the term “copy” should not be understood literally, but rather in the sense of a “summary”.

However, an insurance company in Germany recently discovered that a ‘summary’ wasn’t deemed adequate in court.

A change in the law?

The Appeal Court of Cologne held that one of the insurance company’s customers was entitled to access all of the personal data gathered about them, including any internal notes and conversations between employees and customers.

The insurance company argued that it was impracticable to compile and produce the information due to the large amounts of customer information they process daily, but the court was unimpressed and stated that they were compelled to adapt their IT systems to meet the exact requirements of GDPR.

What does this mean for your practices?

The court ruled that copies of all e-mails containing personal data of the person concerned must also be made available to the data subject. This action confirms that the right of access is becoming a powerful tool in litigation, and could now significantly affect outcomes in civil and labour law cases.

It remains to be seen if this view will become established case law, but since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it looks very likely indeed.

In the meantime, our advice is that you remember these important points:

  • It’s free to make a right of access request – it no longer costs the data subject anything (it used to have a cost attached), and it is increasingly becoming a weapon of choice for disgruntled employees and unhappy service users.
  • The request does not have to be in writing.
  • You only have one calendar month to pull all relevant information together. It doesn’t matter that you have to trawl through thousands of documents – you created a clunky system, not the applicant.

How can I prepare for a Subject Access Request?

  • Make your systems as streamlined and as efficient as possible; bear in mind that subject access requests are now much more likely.
  • Do not have paper trails if this is
  • Delete all data as soon as is possible to avoid excessive retention
  • Remember all datasets are within scope – manual indexed files, databases, emails, backups!
  • Ensure you have all relevant policies, guidance and oversight in place for Retention and Subject Access Requests.
  • Ensure all relevant staff are adequately trained in all of the above.

If you are not prepared, it can take weeks of work and a lot of stress to deal with one enquiry. If you would like some help, please give us a call.

Get in touch with our team. We are specialists and we would be delighted to guide you. We can help to keep your company, your clients, and your reputation safe.

Call us on 01673 88 55 33 for more information today.
