Neodyum Miknatis
maderba.com
implant
olabahis
Casino Siteleri
canli poker siteleri meritslot
escort antalya
istanbul escort
sirinevler escort
antalya eskort bayan
brazzers
Articles

’I want my data!’- Recent Developments in the Right to Access One’s Personal Data

’I want my data!’- Recent Developments in the Right to Access One’s P

’I want my data!’- Recent Developments in the Right to Access One’s Personal Data

22.08.2019 BE law

The Belgian Data Protection Authority has recently adopted a broad view of the right to access one's personal data.

The Belgian Data Protection Authority ('Belgian DPA') has recently rendered a decision on an individual’s request to access his personal data. After a brief discussion of this decision (Section 1), we put it in a broader context (Section 2), and outline some takeaways for an individual’s request to access his or her personal data (Section 3).

  1. Belgian Case

In short, an individual’s nomination to a position had been published in the Belgian Gazette. The employer later revoked this nomination. Consequently, the subject of the revocation decided to exercise his right to access his personal data (Article 15 of the GDPR) in order to understand the reasons of the decision. He however did not receive any response to his request. Therefore, he ended up referring the matter to the Belgian DPA. The DPA ordered the defendant to respond to the data access request. Given the lack of reaction, it reprimanded and ordered the defendant.

  1. The broader context

Ordering the defendant to give access to the file and the documents explaining the revocation was not obvious. In fact, the Belgian DPA does not explain why the file and the documents should be regarded as personal data. Moreover, it does not comment on the scope of the access: does it concern the personal data in itself (i.e. those contained in the file and in documents thereof), the documents containing personal data, or the whole file?

With regard to the qualification of the documents and files as personal data, the Article 29 Working Party qualifies subjective judgments and evaluations as personal data (e.g. Mr. X is a good worker), regardless of whether or not this information is correct. However, the European Court of Justice seems to have a different opinion, taking a more narrow view on the scope of the access right. In the cases C-141/12 and C-372/12, the ECJ ruled that “the data in the legal analysis contained in that document are ‘personal data’ […] whereas, by contrast, that analysis cannot in itself be so classified”. In another case, the ECJ (C-434/16) deemed the right to erasure to apply to “examination answer and the examiner’s comments with respect to them”. The scope of the right to access has also been the subject of questions in the Netherlands, where contrasting decisions on the access to one’s personal file have been taken (see the Stibbe White Paper thereon).

The Belgian DPA thus at first sight seems to adopt a broad view of the concept of personal data, and to allow for a more generous access that is not only limited to the personal data per se.

  1. Conclusion

Even though some could regret the lack of motivation of the Belgian DPA, this recent decision is interesting. Firstly, it does shed some light on the Belgian DPA’s sanction policy, which was rather moderate in this case. Indeed, the Belgian DPA first chose to order the defendant to meet the individual’s access request and, once the latter did not comply, it reprimanded the defendant, though without any fine being been issued. Secondly, it helps us apprehending the Belgian DPA’s understanding of the scope of the right to access. Finally, the Belgian DPA also emphasizes that concrete internal processes and measures must be put in place to be able to respond to data subjects requests. Indeed, no matter how good a policy is written, it is only as valid as the processes and measures that ensure its implementation within the specific context of a particular company or organisation.

Team

Related news

05.01.2021 EU law
Uitwisseling van persoonsgegevens met het Verenigd Koninkrijk

Short Reads - Uit de Brexit deal volgt dat gedurende de eerste 4 maanden van 2021 de doorgifte van persoonsgegevens naar het Verenigd Koninkrijk (“VK”) nog op dezelfde manier mag plaatsvinden als voorheen. Maar alleen als het VK in deze periode de regels voor de bescherming van persoonsgegevens niet verandert. Deze periode van 4 maanden kan worden verlengd tot 6 maanden.

Read more

28.10.2020 EU law
Webinar: Cloud computing in the financial sector

Seminar - On Wednesday 4 November 2020, Marc Spuijbroek and Roderik Vrolijk will host a webinar about cloud computing in the financial sector, which, at the same time, may be relevant outside that sector. This webinar is part of the TMT Masterclasses webinar-series. In this series subjects will be discussed regarding IT, Data or IP, with a focus on current affairs and trends.

Read more