Learnings from recent DSAR related Case Laws
Regulations like the GDPR and CCPA mandate the intake and processing of Data Subject Access Requests (DSARs) to give individuals privacy rights and control over their data. Since these regulations took effect, courts and regulatory bodies have had to deal with many such cases. Below is a summary of some recent DSAR-related rulings and updates, together with our takeaways, to serve as a reference for Data Privacy and Information Governance professionals.
Lees -v- Lloyds Bank Plc | February 2020
The High Court of England and Wales dismissed a claim against a bank for allegedly failing to respond adequately to numerous and repetitive DSARs.
Summary: The claimant, Mr. Lees, held 3 buy-to-let mortgages with Lloyds Bank Plc. In late 2019, Lees submitted a DSAR for a copy of his loan application as well as information regarding the Bank's apparent sale of the loans. The Bank responded that neither the application nor any evidence of the sale could be found. Lees then, in March of 2019, submitted over 70 DSARs seeking the same information. The Bank responded via its solicitors on 2nd April 2019. In early 2020, Lees served a Part 8 claim form, accusing the defendant of failing to provide information under the DPA and GDPR and seeking disclosure of the loan application information.
Outcome: The court found that the Bank had in fact provided adequate responses and that, to the extent it had not, the court had good reason to decline to exercise its discretion in favour of Lees, the reasons being:
1. The number and repetitiveness of the requests, which bordered on abusive
2. The real purpose of the requests was to obtain documentation rather than personal data
3. The collateral purpose behind the requests was to obtain assistance in his possession proceedings with the Bank
4. The data obtained would be of no real benefit to Lees
Key Takeaways: The Lees v Lloyds case highlighted that the courts retain final discretion in matters relating to DSARs and that factors such as the purpose and repetitiveness of the requests do play a role in the ultimate decision.
Den Blå Avis | Danish DPA | January 2022
The Danish DPA ruled that Den Blå Avis’ (DBA) refusal of a request to delete a user profile along with some additional information was warranted under the GDPR.
Summary: The complainant had asked DBA to delete their user profile and other information. The company rejected the request, stating that it had received three independent complaints from its buyers regarding the complainant and that it needed to retain the complainant’s data in order to block their access to DBA's platform. DBA also stated that the complainant had previously tried to circumvent the block by creating new profiles under different email addresses, and that retaining the complainant’s information had helped it identify and close all of those profiles. The company specified that the complainant’s profile and related personal data would not be deleted on request, but that the information would be expunged after 24 months of inactivity with DBA.
Outcome: The Danish DPA found that:
1. The processing of the complainant’s personal data is necessary for DBA to pursue a legitimate interest that takes precedence over the interest of the data subject.
2. The data processing in this case cannot conflict with the principle of "storage limitation" in Article 5(1) of the Data Protection Regulation, as the information will be deleted automatically by DBA after 24 months of inactivity.
Key Takeaways: If the controller demonstrates compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the data subject, or if the processing is necessary for the establishment, exercise or defence of legal claims, then the processing may continue despite a deletion request.