The Belgian Data Protection Authority ('Belgian DPA') has recently rendered a decision on an individual’s request to access his personal data. After a brief discussion of this decision (Section 1), we put it in a broader context (Section 2), and outline some takeaways for an individual’s request to access his or her personal data (Section 3).
- Belgian Case
In short, an individual’s nomination to a position had been published in the Belgian Gazette. The employer later revoked this nomination. Consequently, the subject of the revocation decided to exercise his right to access his personal data (Article 15 of the GDPR) in order to understand the reasons for the decision. However, he did not receive any response to his request. He therefore ended up referring the matter to the Belgian DPA. The DPA ordered the defendant to respond to the data access request. Given the lack of reaction, it reprimanded and ordered the defendant.
- The broader context
Ordering the defendant to give access to the file and the documents explaining the revocation was not obvious. In fact, the Belgian DPA does not explain why the file and the documents should be regarded as personal data. Moreover, it does not comment on the scope of the access: does it concern the personal data themselves (i.e. those contained in the file and its documents), the documents containing personal data, or the whole file?
With regard to the qualification of the documents and files as personal data, the Article 29 Working Party qualifies subjective judgments and evaluations as personal data (e.g. Mr. X is a good worker), regardless of whether or not this information is correct. However, the European Court of Justice seems to have a different opinion, taking a narrower view of the scope of the access right. In the cases C-141/12 and C-372/12, the ECJ ruled that “the data in the legal analysis contained in that document are ‘personal data’ […] whereas, by contrast, that analysis cannot in itself be so classified”. In another case, the ECJ (C-434/16) deemed the right to erasure to apply to “examination answer and the examiner’s comments with respect to them”. The scope of the right to access has also been the subject of questions in the Netherlands, where contrasting decisions on the access to one’s personal file have been taken (see the Stibbe White Paper thereon).
The Belgian DPA thus at first sight seems to adopt a broad view of the concept of personal data, and to allow for a more generous access that is not only limited to the personal data per se.
Even though some could regret the lack of motivation of the Belgian DPA, this recent decision is interesting. Firstly, it does shed some light on the Belgian DPA’s sanction policy, which was rather moderate in this case. Indeed, the Belgian DPA first chose to order the defendant to meet the individual’s access request and, once the latter did not comply, it reprimanded the defendant, though without any fine being issued. Secondly, it helps us understand the Belgian DPA’s view of the scope of the right to access. Finally, the Belgian DPA also emphasizes that concrete internal processes and measures must be put in place to be able to respond to data subjects’ requests. Indeed, no matter how well a policy is written, it is only as valid as the processes and measures that ensure its implementation within the specific context of a particular company or organisation.