Regulations like GDPR and CCPA have mandated the accepting and processing of Data Subjects Access Requests to provide individuals with privacy rights and control over their data. Since their implementation, courts and regulatory bodies have had to deal with multiple such cases.

Below is a summary of some recent DSAR-related rulings, guidance, regulatory opinions, updates, and our takeaways to serve as a reference for Data Privacy and Information Governance professionals.

GDPR

Lees -v- Lloyds Bank Plc | February 2020

High Court of England and Wales dismissed the claim against a Bank for failing to adequately respond to numerous and repetitive DSARs

Summary: The claimant, Mr. Lees held 3 buy-to-let mortgages with Lloyds Bank Plc. Lees. In late 2019 submitted a DSAR for a copy of his loan application as well as information regarding the Bank's apparent sale of the loans. The Bank responded that neither could the applications be found nor any evidence of the sale. Lees then, in March of 2019, submitted over 70 DSARs seeking the same information. The Bank responded via its solicitors on 2nd April 2019. In early 2020, Lees served a Part 8 claim form, accusing the defendant of failing to provide information under the DPA and GDPR and seeking disclosure on the loan application information.

Outcome: The court found that the Bank had in fact provided adequate responses and in the case that they had not, the court had good reason to decline exercising its discretion in favour of Lees, the reasons being

1. The number and repetitiveness of the requests which bordered on abusive 2. The real purpose of the requests was to obtain documentation rather than personal data 3. The collateral purpose behind the requests was to obtain assistance in his possession proceedings with the bank 4. The data obtained would be of no real benefit to Lees

Key Takeaways: The Lees v LLoyds case highlighted the fact that the Courts have final discretion in matters relating to DSARs and that factors like the purpose and repetitiveness of the requests do in fact play a role in the ultimate decision.

Link to full ruling: A DSAR too far: bank not obliged to comply with numerous and repetitive DSARs | Hill Dickinson

Den Blå Avis | Danish DPA | January 2022

The Danish DPA ruled that Den Blå Avis’ (DBA) refusal pertaining to a request for deletion of a user profile along with some additional information was warranted under the GDPR.

Summary: The complainant had approached DBA to have their user profile and other information deleted. The company rejected the request stating that it had received three independent complaints from its buyers regarding the complainant and it was necessary for it to store the complainant’s data for blocking their access to DBA's platform. DBA also stated that the complainant had previously tried to work their way around the system by creating new profiles using different email addresses, but the retention of the complainant’s information helped in identifying and closing all the profiles. The company specified that the complainant’s profile and related personal data would not be deleted, and the information would be expunged after 24 months of inactivity with DBA.

Outcome: The Danish DPA found that

1.The processing of the complainant’s personal data is necessary for DBA to pursue a legitimate interest that precedes the interest of the data subject. 2.It ruled that the data processing, in this case, cannot be in conflict with the principle of "storage limitation" in Article 5 (1) of the Data Protection Regulation as the information will be automatically deleted by DBA after 24 months of inactivity.

Key takeaways: If the controller demonstrates compelling legitimate grounds for data processing that outweigh the interests, rights and freedoms of data subjects or if the processing is necessary for the establishment, assertion or defence of legal claims, then the processing may continue.

Link to full ruling: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2022/jan/dba-var-berettiget-til-at-afslaa-en-anmodning-om-sletning

ClickQuickNow | Polish DPA | November 2019

The President of the Personal Data Protection Office issued a fine of approx. 47,000-euro against company ClickQuickNow for implementing measures that hindered data subjects from exercising their right to be forgotten and right to withdraw consent to processing of personal data under GDPR

Summary: The process to exercise privacy rights for data subjects included a consent withdrawal link that provided the data subject with misleading information and furthermore insisted on the providing the reason for withdrawal, which is not a requirement under the law. Failure to provide a reason, terminated the request process. The various obstacles in the process, made the exercising of rights cumbersome and virtually impossible.

Outcome: The President of the Personal Data Protection Office further noted that

1. The company, in its failure to respond to subjects request to cease processing their personal data had violated the ‘right to be forgotten’ 2. The PPDPO, in his decision, found that the company’s actions were intentional 3. The company violated the principles of Transparency and Fairness by communicating misleading information to the data subjects

The PPDPO imposed a fine and ordered the company to make changes to their process of dealing with data subject requests according to the provisions of the GPDR and to delete the data of those who objected to the processing of their personal data. The company was given 14 days' time to comply with the decision.

Key Takeaways: Technical and organisational practices must be implemented for data subjects to exercise their rights under GPDR. Arduous and complicated procedures can be found in violation of privacy regulations and should be replaced by easier and transparent methods.

Link to full ruling: Polish DPA: Withdrawal of consent shall not be impeded | European Data Protection Board (europa.eu)

Federal Court of Justice Germany | 2021

Following a case wherein an individual claimed that the defendant did not provide all information requested by claimant under GDPR, the Highest Civil Court in Germany specified the broadened scope of Article 15 of the GDPR compared to extent of its previous grasp in Germany

Summary: The claimant, an individual insured by the defendant, a life insurance company, claimed that the latter had not provided all the data requested. The claimant lost the case at the first instant after referring to laws previous to GDPR. The case was also dismissed by the Regional Court of Cologne wherein it was found that the defendant had in fact provided the relevant information and the claimant was not able to provide evidence to contradict this. Finally, the claimant approached the Federal Court of Justice

Outcome: The FCJ found that the defendant had not in fact disclosed all the information as required under Article 15 of the GDPR. The Court held the following

1. Personal data does not only include sensitive or private information, but all kinds of information related to the data subject 2. The data subject can exercise his ‘right of access’ even if he possesses knowledge of the correspondence 3. Personal Data must include the data in ‘internal processes’ or the internal notes made by the company 4. Legal analysis does not constitute personal data even though it might contain the same, however a summary of the same must be provided

Key Takeaways: The widened scope of Article 15 of GDPR should be considered as it includes factors previously not considered in Germany, such as information not falling under sensitive data as well as information considered ‘internal processes’ which constitute internal notes made by the company

Link to full ruling: Subject Access Request: Germany’s highest court widens the scope of data subject access requests in Germany | Data Protection Report

Regional Labour Court of Stuttgart| December 2018

The employer of a company was required, by a judgement made by the Regional Labour Court of Stuttgart, to disclose to an employee, records containing performance and behavioural data of the employee as well as internal investigation information

Summary: In order to further his defence against the termination of his employment contract, an employee of a company made data subject access requests under the GDPR for information that led to his dismissal, this included internal investigations and charges. The employer denied the requests under the protection of whistle-blower confidentiality

Outcome: The Regional Court of Stuttgart held that

1. The employer was required to respond to the request and was not allowed to refuse the same by relying on the exemption pursuant to Article 15 (4) GDPR without providing any justification 2. A general rule that the protection of whistle-blower confidentiality overrides employees access rights does not exist. Each instance should be considered on a case-by-case basis and justification for protecting the whistle-blower's identity should be provided

Key Takeaways: In order for employers refuse requests by relying on the exemption pursuant to Article 15 (4) of the GDPR, proper justification must be provided on each individual case. Further, employee access rights can override whistle-blower confidentiality without appropriate justification.

Link to full ruling: German court ruled that protection of the whistle-blower confidentiality does not generally override the data subject access right | Data Protection Report

Interia Group | Polish DPA | October 2021

The Polish DPA, the UODO, issued its maiden decision regarding cookies after a data subject filed a complaint against a company for not providing her with all the information requested.

Summary: The data subject requested a copy of her personal data and information on data processing; on profiling and automated decision making, most importantly, the marketing categories, or behaviour profiles that were assigned to her using cookies and other information about her combined with her processed data. This was after she had browsed the company, Interia Group’s website and later noticed advertisements related to the information allegedly collected by the company. Unsatisfied with the response to her two requests, the data subject complained against the company.

Outcome: The Polish DPA shared the data subjects view that the response was not sufficient or in line with the GDPR. It found that

1. Relevant ads are tailored at an individual by creating a behaviour profile which is done by using the persons online behaviour and making inferences about them. This collection of information is ‘inextricably linked’ to profiling. 2. The company is obliged to share the information on the marketing categories or behavioural profile assigned to the data subject through cookies and other data combined with that information 3. The company’s statements about personal data being used to create behavioural profiles obliges the company to recognise that the processing alleged by the data subject exists, even if there is difficulty in reconstructing the steps and compiling the information comprehensively. 4. If the company does not process data with the intention of creating a behavioural profile, it should notify the data subject of the same, including how the data is processed and what the processing consists of. 5. If the company permits scripts from other organizations in the website code, which could be used to create behavioural profiles by the other organizations, it should inform the data subject of the process and how it works.

Key Takeaways: The Polish DPA found that the collection of data for creating behavioural profiles is very closely linked to profiling and involves personal data processing. Such information, assigned based on cookies and information combined with the data from cookies does actually constitute personal data under the GDPR

Link to full resource: Disclosing information on behavioral profiles: the Polish cookie case (iapp.org)

Google LLC | Spanish DPA | May 2022

Post investigation, the Spanish DPA, the AEPD imposed a fine of 10mil euros on Google for violating the GDPR by transferring data to a third party without legitimacy and hindering the consumer's right to delete

Summary: Google transferred the removal of content requests from its various platforms such as Google Search Engine and YouTube to a third party, the Lumen Project. This included their identification, email address, reasons stated, and the URL claimed. Further, the forms used for the submission of the request to remove content did not provide any facility or option to exercise the right to erase personal data or oppose its transfer

Outcome: The investigation found that 1. The requestors were not informed of the transfer of information to the Lumen Project and subsequently rejected their ‘Legitimate interests’ claim, especially considering Google’s privacy policy which states that the company does not share information outside of Google unless consented. 2. The company did not provide facilities to exercise the right to erase personal data 3. The company did not provide facilities to oppose the transfer of personal data.

The company was fined and ordered to hereby comply with the privacy regulations and delete the personal data so requested by the users.

Key Takeaways: Data transfer to third parties cannot occur without a legitimate basis and proper informed consent. Adequate facilities must be provided to oppose the transferring of personal data to a third party, and the facility to exercise the right to erase information from third-party databases.

Link to full resource: The AEPD sanctions Google LLC for transferring data to third parties without legitimacy and hindering the right of deletion | AEPD

German Federal Labour Court| April 2021

The German Federal Labour Court held employers need not provide employees with 1. copies of their entire email correspondence and 2. emails mentioning them (the employee) by name

Summary: An individual submitted a DSAR to his former employer, requesting a ‘copy of personal data undergoing processing’. The employee found that the employers response containing a copy of his personal information and some emails were not sufficient. The employee claimed that the employer failed to provide a copy of his entire email correspondence and email correspondence mentioning him by name

Outcome: The court of appeals ordered that the employee be provided with their emails, however, only those containing his personal data as this is what is covered by the right to access under the GDPR. The court based its decisions on civil proceedings laws. The court held that

1. The employer is not required to provide a full copy of the entire email and document data. It held the GDPR only mentions a ‘copy of the personal data undergoing processing’ and therefore does not include the entire data set. 2. The GDPR also requires certain information about the data from the data subject, further, data subjects are to specify which copies are to be provided. 3. Emails wherein the data subject is the recipient or the author, may be withheld as the GDPR does not cover information already known to the data subject.

Key Takeaways: Data subjects submitting requests under the German law will have to be aware of the limited scope of the data subject rights especially in matters dealing with emails and correspondence within the company

Link to full resource: DSAR – No copy of work emails required in Germany | Data Protection Report

FREE | CNIL | November 2022 A €300,000 fine was imposed on French phone operator FREE by CNIL (French DPA) for not respecting the privacy rights of users and security of their information

Summary: The French data protection authority received several complaints from users highlighting the difficulty experienced in receiving responses to requests (right to access, right to delete) submitted. The investigation further found weak data security (weak passwords, storage and transmission of passwords in clear text)

Outcome: Upon investigation, the CNIL found the following breaches of the GDPR by FREE

1. A failure to respect the right of access of individuals – for not responding to the requests of users and for not providing complete answers regarding the source of their data 2. A failure to respect the right to erasure of individuals – for not responding to the requests to erase data in time 3. A failure to ensure the security of personal data 4. A failure to comply with the obligation to document a personal data breach For the violations, the CNIL imposed a €300,000 fine and further a penalty of €500 for each day overdue with regard to responding to requests.

Key Takeaways: Requests should be respected and responded to in a timely and efficient manner and measures to strengthen data security should be implemented and followed.

Link to full resource: Data security and individual rights: FREE fined 300,000 euros | CNIL

Controller | Belgian DPA | November 2022 

The Belgian DPA ordered an employer to erase the data of a former employee after she filed a complaint.

Summary: More than 6 months after her dismissal, a former employee (data subject) made a request to her former employer (controller) to have her picture and details removed from the company website. When the company did not respond to her request, she filed a complaint with the DPA.   Outcome: The DPA found that her data remained on the website for 7 months (between the dismissal and filling of the complaint), which was deemed excessive by the DPA.  

The DPA found that the purpose of processing of the data subject’s data was no longer necessary after her dismissal and hence had to be erased and should have been done on the controller’s own initiative.  

The DPA stated that when an employee leaves the job, information such as the identity, function and photographs of the individual should be erased from controller websites/social media pages.  

Additionally, processes should be kept in place to address requests made by data subjects on such matters and should, at the very least, effectively follow up on claims within the required time period.   

The DPA issued a warning against the controller to implement the appropriate changes in order to avoid violating the GDPR on such matters in the future.  Key Takeaways: Processes should be implemented to erase data of staff members after their leaving the office of the controller, to address erasure requests within the time frame and to follow up on claims made by data subjects.   Link to full resource: APD/GBA (Belgium) - 159/2022 - GDPRhub

CCPA

Under CCPA, it is important to note that the California Office of the Attorney General, who is responsible for enforcing CCPA, has provided feedback based on current enforcement actions.

1. Summary: An online event sales company did not provide the privacy notice to its consumers regarding their rights under the CCPA, or the methods in place to exercise said rights. Post receiving notice of noncompliance from the OAG, the company updated its privacy policy and introduced processes to submit DSARs
   

2. Summary: Users of a Social Media App complained about not receiving timely responses to requests to know and delete PI, and that they weren’t being notified as to whether their requests were received or being processed. Post being notified of alleged non-compliance; the company responded to the outstanding requests and updated its DSAR processing system to ensure timely responses in the future.
   

3. Summary: A Grocery Chain failed to include information regarding authorized agents submitting requests on behalf of consumers. However, the chain updated its policy to include this information as well as the information required to fulfill such requests.
   

4. Summary: Data Broker violated the CCPA by providing a ‘Do Not Sell My Personal Information’ link that was not functioning and mandating consumer verification in the form of government identification and consumer's address and making an account in order to process the request. After being notified of noncompliance, the company made changes to its privacy policy addressing all these issues
   

5. Summary: Video Game Distribution Company violated the CCPA by not providing notice of consumer rights, the categories of information that it disclosed, and whether or not it had sold PI in the past 12 months. Moreover, the company gave incorrect instructions to consumers on the process to exercise their rights under CCPA. The company corrected these issues after being notified by the OAG of noncompliance

The Attorney General has also recently taken an expansive view of the CCPAs ‘right to know’ and concluded that a covered business is required to disclose if requested, the internally generated inferences about the consumer. The source of the information is irrelevant, whether directly from the consumer, inferences from internal processes, or from a third party, it must be included and disclosed under the ‘right to know’

Key Takeaways: Compliance with the Data Subject Requests, under the CCPA has a wide scope, and includes certain requirements like

1. Ensuring the consumers are made aware of the company’s privacy policy, their rights, how they can exercise the same as well as the requirements and procedures for an agent or family/friend to make the request on their behalf. 2. Implementing a data subject request processing system that is easy, functional, and does not mandate additional information such as verification in the form of government identification 3. The system should ensure that data subjects are notified of the progress of their request 4. Responses should occur in a timely manner 5. The company must disclose whether or not it sold personal information in the past 12 months

Link to full resource: CCPA Enforcement Case Examples | State of California - Department of Justice - Office of the Attorney General

California AG Issues First CCPA Opinion: Consumers’ “Right to Know” Includes Businesses’ Internally Generated Inferences | Morrison & Foerster (mofo.com)