umraniye escort pendik escort
maderba.com
implant
olabahis
canli poker siteleri meritslot oleybet giris adresi betgaranti
escort antalya
istanbul escort
sirinevler escort
antalya eskort bayan
brazzers
sikis
bodrum escort
Articles

’I want my data!’- Recent Developments in the Right to Access One’s Personal Data

’I want my data!’- Recent Developments in the Right to Access One’s P

’I want my data!’- Recent Developments in the Right to Access One’s Personal Data

22.08.2019 BE law

The Belgian Data Protection Authority has recently adopted a broad view of the right to access one's personal data.

The Belgian Data Protection Authority ('Belgian DPA') has recently rendered a decision on an individual’s request to access his personal data. After a brief discussion of this decision (Section 1), we put it in a broader context (Section 2), and outline some takeaways for an individual’s request to access his or her personal data (Section 3).

  1. Belgian Case

In short, an individual’s nomination to a position had been published in the Belgian Gazette. The employer later revoked this nomination. Consequently, the subject of the revocation decided to exercise his right to access his personal data (Article 15 of the GDPR) in order to understand the reasons of the decision. He however did not receive any response to his request. Therefore, he ended up referring the matter to the Belgian DPA. The DPA ordered the defendant to respond to the data access request. Given the lack of reaction, it reprimanded and ordered the defendant.

  1. The broader context

Ordering the defendant to give access to the file and the documents explaining the revocation was not obvious. In fact, the Belgian DPA does not explain why the file and the documents should be regarded as personal data. Moreover, it does not comment on the scope of the access: does it concern the personal data in itself (i.e. those contained in the file and in documents thereof), the documents containing personal data, or the whole file?

With regard to the qualification of the documents and files as personal data, the Article 29 Working Party qualifies subjective judgments and evaluations as personal data (e.g. Mr. X is a good worker), regardless of whether or not this information is correct. However, the European Court of Justice seems to have a different opinion, taking a more narrow view on the scope of the access right. In the cases C-141/12 and C-372/12, the ECJ ruled that “the data in the legal analysis contained in that document are ‘personal data’ […] whereas, by contrast, that analysis cannot in itself be so classified”. In another case, the ECJ (C-434/16) deemed the right to erasure to apply to “examination answer and the examiner’s comments with respect to them”. The scope of the right to access has also been the subject of questions in the Netherlands, where contrasting decisions on the access to one’s personal file have been taken (see the Stibbe White Paper thereon).

The Belgian DPA thus at first sight seems to adopt a broad view of the concept of personal data, and to allow for a more generous access that is not only limited to the personal data per se.

  1. Conclusion

Even though some could regret the lack of motivation of the Belgian DPA, this recent decision is interesting. Firstly, it does shed some light on the Belgian DPA’s sanction policy, which was rather moderate in this case. Indeed, the Belgian DPA first chose to order the defendant to meet the individual’s access request and, once the latter did not comply, it reprimanded the defendant, though without any fine being been issued. Secondly, it helps us apprehending the Belgian DPA’s understanding of the scope of the right to access. Finally, the Belgian DPA also emphasizes that concrete internal processes and measures must be put in place to be able to respond to data subjects requests. Indeed, no matter how good a policy is written, it is only as valid as the processes and measures that ensure its implementation within the specific context of a particular company or organisation.

Team

Related news

04.03.2021 BE law
Webinar: Responding to Personal Data Breaches in the Post-GDPR era

Seminar - On 24-26 March 2021 ERA (Adademy of European Law) organises an online Conference "Responding to Personal Data Breaches in the Post-GDPR era". Erik Valgaeren, our Brussels TMT partner, addresses the topic "Managing personal data breach in a complex international scenario", including cross border cases in the EU and breaches at non-EU establishments.

Read more

12.02.2021 EU law
After the Uber case and the Airbnb case … the Star Taxi App case: focus on the question of the qualification as “Information Society Service”

Articles - Societal and digital developments are reflected in the case law of the CJEU. For several years now, European judges resolve disputes relating to digital applications and the services they provide. On 3 December 2020, they handed down a judgment in a case concerning Star Taxi App. This blog analyses the Star Taxi App case law in the light of the Uber case law and the Airbnb case law. The three judgments have in common the question of the qualification of services as Information Society Services.  

Read more