Articles

’I want my data!’- Recent Developments in the Right to Access One’s Personal Data

’I want my data!’- Recent Developments in the Right to Access One’s P

’I want my data!’- Recent Developments in the Right to Access One’s Personal Data

22.08.2019 BE law

The Belgian Data Protection Authority has recently adopted a broad view of the right to access one's personal data.

The Belgian Data Protection Authority ('Belgian DPA') has recently rendered a decision on an individual’s request to access his personal data. After a brief discussion of this decision (Section 1), we put it in a broader context (Section 2), and outline some takeaways for an individual’s request to access his or her personal data (Section 3).

  1. Belgian Case

In short, an individual’s nomination to a position had been published in the Belgian Gazette. The employer later revoked this nomination. Consequently, the subject of the revocation decided to exercise his right to access his personal data (Article 15 of the GDPR) in order to understand the reasons of the decision. He however did not receive any response to his request. Therefore, he ended up referring the matter to the Belgian DPA. The DPA ordered the defendant to respond to the data access request. Given the lack of reaction, it reprimanded and ordered the defendant.

  1. The broader context

Ordering the defendant to give access to the file and the documents explaining the revocation was not obvious. In fact, the Belgian DPA does not explain why the file and the documents should be regarded as personal data. Moreover, it does not comment on the scope of the access: does it concern the personal data in itself (i.e. those contained in the file and in documents thereof), the documents containing personal data, or the whole file?

With regard to the qualification of the documents and files as personal data, the Article 29 Working Party qualifies subjective judgments and evaluations as personal data (e.g. Mr. X is a good worker), regardless of whether or not this information is correct. However, the European Court of Justice seems to have a different opinion, taking a more narrow view on the scope of the access right. In the cases C-141/12 and C-372/12, the ECJ ruled that “the data in the legal analysis contained in that document are ‘personal data’ […] whereas, by contrast, that analysis cannot in itself be so classified”. In another case, the ECJ (C-434/16) deemed the right to erasure to apply to “examination answer and the examiner’s comments with respect to them”. The scope of the right to access has also been the subject of questions in the Netherlands, where contrasting decisions on the access to one’s personal file have been taken (see the Stibbe White Paper thereon).

The Belgian DPA thus at first sight seems to adopt a broad view of the concept of personal data, and to allow for a more generous access that is not only limited to the personal data per se.

  1. Conclusion

Even though some could regret the lack of motivation of the Belgian DPA, this recent decision is interesting. Firstly, it does shed some light on the Belgian DPA’s sanction policy, which was rather moderate in this case. Indeed, the Belgian DPA first chose to order the defendant to meet the individual’s access request and, once the latter did not comply, it reprimanded the defendant, though without any fine being been issued. Secondly, it helps us apprehending the Belgian DPA’s understanding of the scope of the right to access. Finally, the Belgian DPA also emphasizes that concrete internal processes and measures must be put in place to be able to respond to data subjects requests. Indeed, no matter how good a policy is written, it is only as valid as the processes and measures that ensure its implementation within the specific context of a particular company or organisation.

Team

Related news

26.02.2020 BE law
18 March 2020: Erik Valgaeren sheds a light on the legal perspectives of industrial data during a Beltug conference

Speaking slot - In this era of digitisation, data is often called the 'new gold' or 'oil'.  In our aim to gain more insights that will lead us to higher revenue, new market opportunities or new regions, we are analysing data at full throttle. But it needs to be handled with care, using a data architecture that follows your general strategy while ensuring solid security, quality, etc.

Read more

16.01.2020 BE law
24 January 2020: Carol Evrard participates in a panel session on Global Compliance at the CPDP conference in Brussels

Speaking slot - Stibbe is a long standing partner of the International Computers, Privacy and Data Protection Conference (CPDP) which takes place in Brussels between 22 and 24 January 2020 This year's theme is “Data protection and Artificial intelligence”. Carol Evrard, associate in our TMT team, participates in a panel organised by TrustArc (a privacy compliance technology company based in San Francisco, California) on "Changing Technology and Laws: Can Accountability be a Key to Global Compliance?"

Read more

21.02.2020 NL law
Podcast: Data en financiële instellingen

Short Reads - In deze podcast praten Roderik Vrolijk en Frederiek Fernhout van Stibbe in Amsterdam en Joran Iedema van Stibbe StartsUP-deelnemer Dyme over Fintech, PSD2 en het gebruik van data door financiële instellingen. Aan de ene kant biedt nieuwe regelgeving zoals PSD2 nieuwe mogelijkheden, aan de andere kant neemt de regeldruk en het toezicht op bescherming van persoonsgegevens toe.

Read more

15.01.2020 NL law
Consultatiereactie 'Wet plan van aanpak witwassen'

Short Reads - Soeradj Ramsanjhal, Karlijn van den Heuvel, Djoe Kuils, Rogier Raas, Judica Krikke en Muriël Rosing hebben een reactie ingediend op het concept wetsvoorstel ‘Wet plan van aanpak witwassen’. Dit wetsvoorstel is 2 december 2019 in consultatie gegaan en bevat verschillende voorgestelde wijzigingen van de Wet ter voorkoming van witwassen en financieren van terrorisme en de Wet op de economische delicten. 

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring