No right of access to data from backups?
Update Data Protection No. 74 | Update Compliance 7/2020
The Heidelberg Regional Court rejected an employee’s claim for access to information about the employer’s processing of his personal data insofar as this data is merely located in backup files of his email account. Restoring such data was said to represent disproportionate effort for the controller in this individual case (judgment of February 6, 2020 – 4 O 6/19).
In the matter underlying the ruling of the Heidelberg Regional Court, the plaintiff, as a former member of the controller’s managing board, requested access to data from the controller under Art. 15 GDPR as well as the handover of a copy of all available personal data that had been processed (principal claim), and, in the alternative, information about personal email data that had been processed for a specified period of approximately one year. A peculiarity of the case was that the controller had become insolvent in the interim and that all data from the plaintiff’s period of employment (approx. ten years previously), together with the corresponding hardware, had been passed to a third party in the intervening period. In order to comply with the claim for access to data, the controller’s insolvency administrator would have had to restore the data from the backups at an (estimated) financial cost of approx. EUR 4,000.
The Heidelberg Regional Court rejected the claims for access to data in full on the following grounds:
1. Lack of certainty of the main claim for access to data
With reference to recital 63 GDPR, the Court first rejected the sweeping main claim on the grounds that the claim for access to data lacked certainty, given that the data subject had merely reproduced the statutory wording of Art. 15 GDPR. The Court justified the lack of certainty of the claim on the basis that the plaintiff had not described the areas or categories he wanted his access to extend to. In the Court’s opinion, it was incumbent on the data subject to clarify in his request for access to data which specific information or which processing operations he was interested in, as is also provided for in the specified recital.
Regarding the alternative claim, which the Court deemed to be adequately defined due to the temporal limitation and limitation to the data category “emails”, it ruled that:
2. Data from backups is not necessarily covered by the right of access
According to the Heidelberg Regional Court, it is doubtful whether the controller is in fact still processing the plaintiff’s data stored in the backup within the meaning of the GDPR. After all, the controller is not required to provide access to any data which it no longer has access to. This, the Court held, was the case here as the data had been handed to a third party. Even if the controller still had a right of access to this data, this would not necessarily alter the position because the data in backups may not be directly accessible by the controller. In this context, the Court referred to the old provision of the German Federal Data Protection Act (BDSG), section 34 (7) in conjunction with section 33 (2) sent. 1 no. 2 BDSG (old version), which stated that a claim for access to data will lapse if the data was stored solely for data backup purposes and the provision of information would involve disproportionate effort. The fact that this law has been superseded does not mean that all backups are now covered by the obligation to provide access to data. Instead, the principal issue is the specific effort required of the controller, which the Court examined in more detail in the further grounds:
3. Provision of the backups represents disproportionate effort measured against the plaintiff’s interest in the information
In the instant case, the Court was further satisfied that the provision of access to the information represented a disproportionate effort for the controller. Restoring the data as well as the inspection and redaction of the data as necessary would involve disproportionate resources and in particular would generate substantial costs. The Court balanced this fact against the plaintiff’s interest in the information – which the Court deemed minor, if it existed at all – and ultimately established that the provision of access to the data represents a disproportionate effort. The Court considered it relevant that the data requested by the plaintiff was already nine to ten years old, the company acting as controller no longer existed in the same form as back then, the plaintiff had not worked for the controller for nine years and the claim had thus only been made years after the end of his employment. Finally, the Court pointed out that it had drawn adverse conclusions about the plaintiff’s lack of or minimal interest in the information, given that he failed to attend the oral hearing without providing an excuse.
The judgment of the Heidelberg Regional Court relates to a special case where the data subject is requesting information about data that now only exists in backups belonging to the controller for data storage purposes.
The fundamental right of access to data and the obligation to provide access to personal data that is still contained on the controller’s system are thus not precluded by the ruling of the Heidelberg Regional Court. Under the GDPR, the right of access to data must be complied with provided no abuse has taken place and no third parties’ protectable rights and freedoms are compromised. No exception due to a disproportionate effort is discernible from the wording of Art. 15 GDPR.
In taking its decision to subject the provision of backup data to a proportionality test, the Court took its lead from the former and no longer valid provisions of section 34 (7) in conjunction with section 33 (2) sent. 1 no. 2 BDSG old version. These stated that, for this special case of data backup, the right of access to data lapses if accessing the information represents disproportionate effort for the controller. However, whether deriving such a proportionality test from the old provisions of the BDSG will withstand further judicial scrutiny remains to be seen.
This ruling is apparently the first decision that looks at the issue of backups in the context of data subjects’ rights. How it is evaluated and dealt with going forward is also likely to impact the discussion on whether data from backups also needs to be deleted under the right to erasure (Art. 17 GDPR). Ultimately, if providing access to data via backup data is deemed to be disproportionate, then the erasure of this data, which equally requires prior restoration, will be all the more disproportionate. Accordingly, controllers would no longer be obligated to perform the erasure on their backups as well when they receive future requests for erasure.
In summary, it has been established that the ruling of the Heidelberg Regional Court has special relevance for claims for access to data relating to data from backups. In such cases it will be advisable in future to review whether the restoration of the data in the specific case represents a disproportionate effort. This balancing process may take into account, for example, the restoration costs, additional costs (such as the costs of redaction) as well as the data subject’s interest in the information. Similarly, the judgment also suggests that requests for erasure relating to data from backups that would require a prior restoration of the data may be rejected in individual cases on the grounds of disproportionate effort.
That notwithstanding, the judgment handed down changes nothing about the fundamental option to make a standard request for access to personal data that still exists on the controller’s system. This is not precluded by the decision of the Heidelberg Regional Court, and that also applies to data from internal investigations. Nor can responding to such queries be avoided by moving personal data into a backup, because this would not only involve significant limitations to the operational procedures, but could also be considered by courts to be an abusive act. However, it is clear from the judgment that where standard claims for access to data are made, care should be taken to specify the request for access to data, as far as possible, by data categories and time periods as set out in recital 63 GDPR.