One of our fundamental rights as per the GDPR is the right of access outlined in Article 15, stating that we 1) have the right to know whether or not our personal data is being processed, 2) access to it, as well as 3) a copy.
⚠️ However, we might be refused these rights if our requests are found "manifestly unfounded or excessive", as described in Article 12(5).
Unfortunately, the GDPR doesn't define the term “excessive”, leaving it up to data protection authorities and courts to decide where someone has lodged a complaint after being refused access.
And despite the key objective behind a 'regulation' vs. a 'directive' in EU law to streamline application, we, unfortunately, see not only varying enforcement, but outright contrary court rulings. Take a listen to our episode discussing this in more detail - and check out several decisions and rulings below. 👇
Links and resources:
- 🎙 The GDPRhub newsletter audio recording
- The EDPB's Guidelines 01/2022 on data subject rights - Right of access (NB! These were only public consultation until 11 March and has not been finalized yet.)
- The Higher Regional Court Dresden held that an insurance company can reject a request to access as excessive if the request's purpose is not to be aware of or verify the lawfulness of the processing but to verify the validity of increases to insurance premiums. Read more on the GDPRhub
- The Regional Court of Essen held that an insurance company can reject an access request as excessive if the request's purpose is not to be aware of or verify the lawfulness of the processing but to check why the premium has increased. Read more on the GDPRhub
- The Higher Regional Court of Köln held that an access request of an insurance holder aimed to verify the lawfulness of premium increases - and not the lawfulness of the data processing - cannot be considered excessive under Article 12(5) GDPR. Read more on the GDPRhub
- The Higher Regional Court Nuremberg held that a controller can reject an access request according to Article 12(5)(b) GDPR if the purpose of the request is not to be aware of or verify the lawfulness of the processing. Read more on the GDPRhub
- The Regional Labour Court of Hesse decided that an employer who cannot prove the existence of overriding confidentiality interests has to provide information pursuant to Article 15 GDPR to an employee, even if such information can be used in defence against criminal proceedings initiated by the employer. Read more on the GDPRhub
- The Financial Court of Berlin-Brandenburg held that data subjects must specify the data requested under Article 15(1) GDPR when the controller processes large amounts of data, and that a request concerning any type of data over a period of more than 50 years is excessive. Read more on the GDPRhub
- The Danish DPA also held that an access request by a data subject asking his previous employer to provide all emails, notes and letters sent or signed by him was excessive according to Article 12(5)(b) GDPR, since it comprised a very large amount of personal data predominantly connected to his duties and not personal attributes. Read more on the GDPRhub