GDPR and ‘Right of Access’ – How much information are your customers entitled to?
In Germany, GDPR guidance concerning ‘right of access’ to personal data is well-known for being more relaxed than in UK guidelines.
‘Right of access’ resides in Article 15, and it states that copies of the following information should be accessible to clients who request it:
- the purposes of data processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed,
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- where the personal data are not collected from the data subject, any available information as to their source.
However, an insurance company in Germany recently discovered that a ‘summary’ wasn’t deemed adequate in court.
A change in the law?
The Appeal Court of Cologne held that one of the insurance company’s customers was entitled to access all of the personal data gathered about them, including any internal notes and conversations between employees and customers.
The insurance company argued that it was impracticable to compile and produce the information because of the large volume of customer information it processes daily, but the court was unimpressed and stated that the company was compelled to adapt its IT systems to meet the exact requirements of GDPR.
What does this mean for your practices?
The court ruled that copies of all e-mails containing personal data of the person concerned must also be made available to the data subject. This action confirms that the right of access is becoming a powerful tool in litigation, and could now significantly affect outcomes in civil and labour law cases.
It remains to be seen if this view will become established case law, but since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it looks very likely indeed.
In the meantime, our advice is that you remember these important points:
- Making a right of access request is free – it no longer costs the data subject anything (it used to have a cost attached), and it is becoming a growing weapon of choice for disgruntled employees and unhappy service users.
- The request does not have to be in writing.
- You only have one calendar month to pull all relevant information together. It doesn’t matter that you have to trawl through thousands of documents – you created a clunky system, not the applicant.
How can I prepare for a Subject Access Request?
- Make your systems as streamlined and as efficient as possible, bearing in mind that subject access requests are now much more likely.
- Do not have paper trails if this is
- Delete all data as soon as is possible to avoid excessive retention
- Remember all datasets are within scope – manual indexed files, databases, emails, backups!
- Ensure you have all relevant policies, guidance and oversight in place for Retention and Subject Access Requests.
- Ensure all relevant staff are adequately trained in all of the above.
Get in touch with our team. We are specialists and we would be delighted to guide you. We can help to keep your company, your clients, and your reputation safe.