‘I want my data!’ - Recent Developments in the Right to Access One’s Personal Data

22.08.2019 BE law

The Belgian Data Protection Authority has recently adopted a broad view of the right to access one's personal data.

The Belgian Data Protection Authority ('Belgian DPA') has recently rendered a decision on an individual’s request to access his personal data. After a brief discussion of this decision (Section 1), we put it in a broader context (Section 2), and outline some takeaways for an individual’s request to access his or her personal data (Section 3).

  1. Belgian Case

In short, an individual’s nomination to a position had been published in the Belgian Gazette. The employer later revoked this nomination. Consequently, the subject of the revocation decided to exercise his right to access his personal data (Article 15 of the GDPR) in order to understand the reasons for the decision. However, he did not receive any response to his request. He therefore ended up referring the matter to the Belgian DPA. The DPA ordered the defendant to respond to the data access request. Given the lack of reaction, it reprimanded and ordered the defendant.

  2. The broader context

Ordering the defendant to give access to the file and the documents explaining the revocation was not obvious. In fact, the Belgian DPA does not explain why the file and the documents should be regarded as personal data. Moreover, it does not comment on the scope of the access: does it concern the personal data in itself (i.e. those contained in the file and in documents thereof), the documents containing personal data, or the whole file?

With regard to the qualification of the documents and files as personal data, the Article 29 Working Party qualifies subjective judgments and evaluations as personal data (e.g. Mr. X is a good worker), regardless of whether or not this information is correct. However, the European Court of Justice seems to have a different opinion, taking a narrower view of the scope of the access right. In cases C-141/12 and C-372/12, the ECJ ruled that “the data in the legal analysis contained in that document are ‘personal data’ […] whereas, by contrast, that analysis cannot in itself be so classified”. In another case, the ECJ (C-434/16) deemed the right to erasure to apply to “examination answer and the examiner’s comments with respect to them”. The scope of the right to access has also been the subject of questions in the Netherlands, where contrasting decisions on access to one’s personal file have been taken (see the Stibbe White Paper thereon).

The Belgian DPA thus at first sight seems to adopt a broad view of the concept of personal data, and to allow for a more generous access that is not only limited to the personal data per se.

  3. Conclusion

Even though some could regret the lack of motivation of the Belgian DPA, this recent decision is interesting. Firstly, it does shed some light on the Belgian DPA’s sanction policy, which was rather moderate in this case. Indeed, the Belgian DPA first chose to order the defendant to meet the individual’s access request and, once the latter did not comply, it reprimanded the defendant, though without any fine being issued. Secondly, it helps us understand the Belgian DPA’s view of the scope of the right to access. Finally, the Belgian DPA also emphasizes that concrete internal processes and measures must be put in place to be able to respond to data subjects’ requests. Indeed, no matter how well a policy is written, it is only as valid as the processes and measures that ensure its implementation within the specific context of a particular company or organisation.
