Right to copy of personal data: First highest court ruling on the right of access to information under data protection law pursuant to Article 15(3) GDPR issued (Federal Labor Court, April 27, 2021)
Update Data Protection No. 95
Ever since the GDPR entered into force, there has been uncertainty as to data subjects’ right of access and the right to be provided information under Article 15(1), (3) GDPR – is the data controller also required to provide documents that contain personal data? And if so, to what extent? In today’s ruling, the Federal Labor Court has now answered the latter question (Case 2 AZR 342/20): At least, not all internal documents relating to the data subject need to be provided to employees.
This article summarizes what the Federal Labor Court’s ruling means for employers and what must be observed in connection with future inquiries from (former) employees.
I. CURRENT STATUS
Pursuant to Article 15(1) GDPR, data subjects may request information from the respective controller about the processing of personal data concerning them. The employment relationship also represents such a constellation of controller and data subject where the employer processes its employees’ data as the controller within the meaning of the GDPR: this applies, for example, to payroll accounting or the storage of contact information. Consequently, the right to obtain information may also be asserted by employees against their employers. In addition to information on further data subject rights, the envisaged storage period, and the purposes of the processing, this also includes information on the categories of personal data concerned.
Along with the right to obtain information, the data subject may request that the controller provide a copy of the personal data undergoing processing pursuant to Article 15(3) GDPR. Such a request must be fulfilled within one month (Article 12(3) GDPR). In exceptional cases, the period may be extended up to three months.
Where the data subject’s rights are not fulfilled, not sufficiently fulfilled, or not fulfilled in a timely manner, the data subject has the right to receive compensation for the damage suffered pursuant to Article 82 GDPR – including for the merely non-material damage of personal rights. In addition, administrative fines of up to EUR 20 million or up to 4 % of total worldwide annual revenue may be imposed pursuant to Article 83(5) GDPR.
Uncertainty exists as to the right of being provided a copy of the data: various court instances had issued in part contradictory rulings on the question of whether only the personal data processed must be made available to the data subject (such as name, email address, contact information; according to Cologne Higher Regional Court, 20 U 75/18 also notes of meetings with the data subject, etc.) or whether the documents containing the data (such as emails, HR files, etc.) must also be provided. While some courts held that the scope of the right to obtain a copy is based on Article 15(1) GDPR so that only information on the processed data must be provided (e.g., Dresden Regional Court, 6 O 76/20; Bonn Labor Court, 3 Ca 2026/19), other courts granted a comprehensive right to obtain information (e.g., Cologne Higher Regional Court, 20 U 75/18; Bonn Local Court, 118 C 315/19). With respect to the employment relationship, the Hessian Commissioner for Data Protection and Freedom of Information arrives at a similar assessment (from p. 75). A highest court ruling at the national level or by the CJEU has yet to be issued; a relevant case before the Federal Labor Court ended with an out-of-court settlement agreement in 2020 (Case 5 AZR 66/19).
Although the right to obtain a copy of the personal data undergoing processing is also limited by the rights and freedoms of others pursuant to Article 15(4) GDPR, the relevant case law also lacks consistency. Additionally, this limitation is frequently not relevant where legal entities are concerned.
II. THE RULING OF THE FEDERAL LABOR COURT
In the most recent judgement, the Federal Labor Court dealt with a dismissed employee’s right of access to information and the request to obtain a copy of his personal data pursuant to Article 15(1), (3) GDPR. Following his dismissal, the employee had asserted these claims. The business lawyer had in parallel objected to his termination by the data controller. After the company complied with the employee’s right to obtain information without providing every single email containing his name, the employee filed a lawsuit.
Hameln Labor Court (Case 3 Ca 24/19) had initially rejected the complaint with regard to the data copy as inadmissible on procedural grounds. In the second instance, Lower Saxony Regional Labor Court (Case 9 Sa 608/19) also rejected a claim for obtaining copies of entire sets of email correspondence. It held that Article 15(3) GDPR only referred to data also covered by the right of access pursuant to Article 15(1) GDPR. According to the ruling, the data would have to have a certain informative value about the data subject. Lower Saxony Regional Labor Court therefore required that the data subject sufficiently specify his request, at least where the processing of a large amount of data is concerned. The claim under Article 15(3) GDPR would not be aimed at creating a copy of the data, but at enabling the review of the processing. Considering the additional right to data portability (Article 20 GDPR), this assessment seems obvious.
III. CONTENTS OF THE RULING
In its ruling, the Federal Labor Court now at least partially agreed with Lower Saxony Regional Labor Court. According to the Federal Labor Court, the employer only needed to provide the employee’s personal data. Accordingly, the employee is not entitled to the creation of a comprehensive data copy comprising all documents concerning him. Regrettably, the court left open whether the right to be provided with a copy of the data under Article 15(3) GDPR also covers duplicates of individual emails. In any event, the assertion of a claim to be provided with a copy of all emails was ruled out. Rather, the claim or the complaint must be limited to specific emails or documents.
According to initial reviews, however, the court did not base its decision on an interpretation of Article 15(3) GDPR, but rather on procedural arguments: the court argued that legal action for provision with “all” data / documents / emails did not satisfy the requirements for the specificity of the claim pursuant to Section 253(2)(2) Code of Civil Procedure. The employee’s claim would either have to be sufficiently specific or asserted by way of an action by stages pursuant to Section 254 Code of Civil Procedure. In addition, an assurance by the debtor to have surrendered “all” documents in full is not provided for in enforcement law, so that no valid complaint was given. Due to the previously inconsistent interpretation of Article 15(3) GDPR by the courts of instance, a referral for a preliminary ruling to the CJEU pursuant to Article 267(3) TFEU would have been desirable. Instead, the court deliberately left the scope of the claim for surrender open and solely relied on procedural considerations. An interpretation of Article 15(3) GDPR by the highest instance is therefore still missing. While at least comprehensive requests for being provided with information no longer have to be granted, there continues to be a regrettable uncertainty regarding the details of the data copy.
IV. PROCEDURE FOR COMPANIES
The ruling of the Federal Labor Court should fill many employers at least with some relief. Even where long-time employees assert their right to obtain a copy of the data, fulfilling this right in any event does not threaten to involve a disproportionate effort that is hardly manageable within the brief one-month period according to Article 12(3) GDPR.
It is nevertheless to be expected that (former) employees will continue to make use of their right to obtain information. So as to ensure that no risks arise from the disclosure of internal data or from infringing GDPR provisions, the following steps should be followed:
- Internally, clear responsibilities should be defined for responding quickly to requests from data subjects;
- Processes are also needed for fast internal retrieval of personal data and for rapid verification of the identity of requesting data subjects;
- Additionally, there should be guidance on how to identify conflicting rights and freedoms of others pursuant to Article 15(4) GDPR, which should not lead to a refusal to provide any information at all (cf. Paper No. 6 of the Data Protection Conference);
- Documents should be categorized upon storage so that information on the storage locations of their personal data can be provided to the data subjects. Requests of data subjects to be provided with all documents or emails containing their personal data no longer have to be answered;
- According to the prior court instance, data pursuant to Article 15(3) GDPR is to be provided to the data subject in a commonly used electronic form. Although the controller should, where possible, be able to provide remote access to a secure system which would provide the data subjects with direct access to their personal data (cf. Recital 63), this should only occur if the data subject has agreed thereto because of the technical hurdles involved. This also applies to providing the data as a ZIP file;
- In addition, all processes related to data subject requests should be documented, if this is not already being done.