Datatilsynet (Denmark) - 2021-31-5085
From GDPRhub
| Datatilsynet - 2021-31-5085 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 12(5)(b) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 18.05.2021 |
| Decided: | 27.06.2022 |
| Published: | 27.09.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 2021-31-5085 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | Vadym Kublik |
The Danish DPA held that the access request was excessive because it concerned over a million documents and related mainly to information about the work function and not the data subject as an individual. Therefore, the controller didn't have to act on the request according to Article 12(5)(b) GDPR.
English Summary
Facts
The data subject previously served as a board member and a managing partner in two companies (controllers). After the sale of the companies, the acquiring entity initiated a civil lawsuit against, among others, the data subject. The dispute concerned alleged manipulation of accounting and thus overrated value of the acquired businesses.
On 16 February 2021, the data subject exercised their right under Article 15 GDPR and requested access to information about them from the controllers. The request related information about the data subject's work and the ongoing legal proceedings. The controllers first extended the request processing time by two months because of the high volume and complexity of the requested information.
Later, on 18 May 2021, the controllers provided the data subject with 66 documents relating to travel planning, practical matters related to the board meetings, KYC information, separate documents with e-mail logos and a few personal e-mails regarding dinner and sports. Unsatisfied with the response, the data subject complained to the DPA on the same day.
Holding
The DPA limited its decision to the content of the controller's reply to the data subject access request and did not consider whether they replied within the time limits in Article 12(3) GDPR.
Then, the DPA held that the large number of documents which could contain information about the data subject essentially related to the controllers where the data subject worked as a board member and a managing partner, as well as to ongoing legal proceedings. In this respect, the DPA assumed that any personal information from those documents appeared to be an "accessory" to the processing purpose (in this context, business operations) and thus must be considered as describing the function that the data subject performed.
Moreover, the data subject did not specify their request enough for the controller to reduce the number of documents to check. As a result, responding to the request would require the identification, collection, review and assessment of more than one million documents distributed among different controllers to determine whether personal data about the data subject would have to be handed over.
Consequently, the DPA held that the controllers were not obliged to search for and review the documents to identify and hand over information about the data subject because the request was excessive, according to Article 12(5)(b) GDPR.
Comment
This case follows previous decisions about the employer's ability to refuse to act on access to information requests (see 2019-812-0035 and 2021-32-2438). Earlier, the Danish DPA established that the information about the data subject, e.g. the name, which may appear in a letter, note or e-mail that they signed or received in connection with the performance of their tasks, only appears as an "accessory" to the function that they performed and the purpose of the processing. Therefore, such information per se does not say anything about the data subject, nor is it recorded for processing information about them. Although, the DPA added that there might be cases where such information not only describes a function that the data subject performed but also contains information "about" them.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Company was not required to review extensive material in connection with a request for insight
Date: 27-06-2022
Decision Private companies No criticism Complaint The right to access Handled by the Data Council
In a specific case, the Danish Data Protection Authority has taken a closer look at the extent to which, as a data controller, you are obliged to review material in order to meet a request for access, when it concerns a very large number of documents, which were essentially prepared in connection with the insight seeker's work tasks.
Journal number: 2021-31-5085
Summary
The complainant had requested access in connection with a pending court case.
The request for insight would make it necessary to identify, collect, review and assess more than one million documents distributed among different companies in order to determine whether personal data about complaints that may appear from these documents should be handed over.
The large amount of documents that could contain information about complaints related essentially to company Q, where the complainant was a board member, and company Z, where the complainant was a managing partner, as well as to ongoing legal proceedings, including against the complainant, following a business transfer .
Under these circumstances, the Danish Data Protection Authority found – after the case had been dealt with by the Data Council – that the data controllers were not obliged to search for and review the documents in order to identify and hand over information about complaints. On that basis, the Danish Data Protection Authority found no basis for criticizing the data controller's handling of the complainant's request for access.
The Danish Data Protection Authority emphasized that the complainant had not specified his request in such a way that the amount of material that had to be reviewed to identify any information about him was reduced.
The Danish Data Protection Authority then emphasized that there was a large number of documents which could contain information about complaints, but where one had to assume that any information about complaints would only appear "accessory" in relation to the purpose of the documents (in this context business operations).
The case is thus a continuation of previous cases on the same subject, including cases about employers' ability to reject requests for insight, which are available here.
Decision
The Danish Data Protection Authority hereby returns to the case where A on 18 May and 2 June 2021 approached the Danish Data Protection Authority with a complaint about X and Y's response to his request for access in accordance with Article 15 of the Data Protection Regulation.
A ("complainant") has been represented in the case by the law firm Kromann Reumert.
X and Y ("the defendants") have been represented in the case by the law firm Gorrissen Federspiel.
1. Decision
The Norwegian Data Protection Authority finds – after the case has been dealt with by the Data Council – that the defendants were not obliged to search for and review the documents in order to identify and provide information about complaints, cf. the data protection regulation[1] article 12, subsection 5, letter b, and the Danish Data Protection Authority, taking this into account, finds no basis for criticizing the defendant's handling of the complainant's request for access.
Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation
2.1.
On 18 May 2021 (the first time), the complainant addressed the Danish Data Protection Authority with a complaint about the defendant's response to the complainant's request for access. It appears from this:
“…
On behalf of our client A we hereby submit a complaint to the Danish Data Protection Agency in relation to infringement of A's right to gain access to his personal data within the mandatory time limit, cf. article 15 and article 12 (3) of the EU General Data Protection Regulation (GDPR).
On 16 February 2021 Kromann Reumert requested on behalf of A access to his personal data processed by the following data controllers: X, Y and Q. The letters are attached as appendix 1.
On 15 March 2021 Kromann Reumert received a letter from the law firm Gorrissen Federspiel on behalf of the above mentioned data controllers stating that it was necessary to extend the mandatory response period by two further months, taking into account the complexity and number of the requests, and specifically due to the large scale of the material to be reviewed in order to provide access to the data subject's personal data. The letter is attached as appendix 2.
On 16 March 2021 Kromann Reumert reserved the right to complain to the Danish Data Protection Agency due to non-compliance with art. 12(3). The e-mail is attached as appendix 3.
As of today, 18 May 2021, neither Kromann Reumert nor A personally have received a response to the submitted data subject access requests.
Taking into consideration that the mandatory maximum time limit for the response, including any necessary extensions, to a data subject access request is three months, X, Y and Q as data controllers have clearly infringed A's right to gain access to his personal data.
In the light of the above, we hereby submit a complaint to the Danish Data Protection Agency regarding X, Y and Q's infringement of article 15 and article 12 (3) of the GDPR..."
Attached as an annex to the complaint was the request for access made by the complainant dated 16 February 2021, the defendant's postponement of the response deadline of 15 March 2021 and the complainant's comments thereon dated 16 March 2021.
2.2.
On 26 May 2021, the defendants submitted comments on the case of their own initiative. It appears from this:
“…
By letter of 18 May 2021, Kromann Reumert has lodged a complaint with the Danish Data Protection Authority on behalf of A ("..."). The complaint concerns a request from A for access pursuant to GDPR art. 15, cf. § 22 of the Data Protection Act, in personal data about A, which is processed by X, Y and Q (the "data controllers"). According to the complaint, the request for access was not answered in a timely manner.
On behalf of the data controllers, Gorrissen Federspiel must draw attention to the fact that the access request from A was answered precisely on 18 May 2021, i.e. on the same day that the complaint was submitted to the Data Protection Authority, cf. attached. It is our opinion that the date of 18 May was timely in relation to the absolute 3-month deadline for responding to access requests according to GDPR art. 15. It is noted in this connection that it is not clear from GDPR or practice thereafter how the 1- and 3-month period in GDPR art. 15 must be calculated in more detail, including in relation to e.g. holidays/holidays, February with only 28 days, inquiries received after normal office hours end, etc.
Even if it is assumed that the deadline expired at the absolute earliest, i.e. on 17 May 2021, there is only a delay of one day, which cannot have led to any legal loss for A.
The complaint from Kromann Reumert gives Gorrissen Federspiel an opportunity to draw the Data Protection Authority's attention to another – and significantly larger and more fundamental – problem in connection with requests for access pursuant to GDPR art. 15.
The case that has given rise to the access request from A relates to a larger pending legal case complex, where one of the data controllers, Y, has summoned, among other things, A in continuation of Y's takeover of Q d. […]. The case concerns whether a number of persons, including A, deliberately manipulated accounting information about Q prior to the takeover, and whether the companies these persons represented are liable for this.
The seller of Q,[…], was sentenced in […] by an arbitration court to pay […] back to Y, because the court found it proven that a number of people, including represented the holding company, had carried out accounting manipulation.
The pending trial against, among other things A includes more than 1.1 million documents. The access request from Kromann Reumert on behalf of A pursuant to GDPR art. 15 thus necessitates a review of more than a million documents in order to be able to assess whether personal data about A that may be contained in these documents must concretely be handed over.
It is our firm opinion that the GDPR and the right to personal data are thereby being misused to circumvent the general edition rules in the Administration of Justice Act, drag out the court case unnecessarily and impose a disproportionately large resource consumption and thus disproportionate costs on the other party in the case for processing requests under the GDPR, which really add nothing new and significant to the trial in relation to what the general civil procedural rules in the Administration of Justice Act lead to.
Unfortunately, it is our impression that Kromann Reumert and their client's behavior in this case is an expression of a more general tendency for the GDPR to be misused in very extensive litigation complexes in the manner described and for the purposes described. This may contribute to undermining the legitimacy and intent of the fundamental legal principles that the GDPR upholds. It can also make the conduct of legal proceedings so expensive that many will refrain from it altogether - to the detriment of the "access to justice", which is fundamental for every state governed by the rule of law and protected under both the European Convention on Human Rights art. 6 and the EU's Charter of Fundamental Rights art. 47.
Against this background, we must request the Danish Data Protection Authority's, or possibly the Data Council's, principled position on how requests for access should be handled in more detail - including in relation to the depth of the processing - in complex legal proceedings that include an extraordinarily large number of documents, and where the data subject's rights are to a very large extent is already protected by rules in other sets of regulations, including the Administration of Justice Act…”
2.3.
On 2 June 2021, the complainant addressed the Danish Data Protection Authority with a renewed complaint in the case. It appears from this:
“…
We kindly refer to our complaint of 18 May 2021 submitted on behalf of our client A.
We can inform the Data Protection Agency that we have subsequently received a response from the data controllers in relation to the data subject access requests, including limited material made available to our client. The response letter is attached as appendix 4.
No response within the mandatory time limit
As the data subject access requests were set forward on 16 February 2021, the three-month mandatory response period expired on 16 May 2021.
Neither Kromann Reumert nor A had, however, received any response to the data subject access requests before the complaint to the Data Protection Agency was submitted on 18 May 2021. A copy of the complaint to the Data Protection Agency was also sent to the law firm Gorrissen Federspiel in accordance with the Code of Conduct for the Danish Bar and Law Society, and approximately three hours after the submission of the complaint to the Data Protection Agency, Kromann Reumert received the response letter and a link to a folder with a limited number of documents. A’s right to gain access to his personal data was therefore clearly not provided in due time and in compliance with the mandatory maximum time limit as stipulated in art. 12(3) of the GDPR.
Moreover, based on the limited material made available to A and the nature of such material, it seems obvious that the material could have been provided within the usual response period of one month and the two-month extension was unfounded under the given circumstances.
The material received
A received access to only 66 documents, relating to travel planning, practical matters related to the conduction of board meetings, KYC-information (i.e., copy of driver's license and copy of passport), separate documents with only e-mail logos on and a few personal e-mails regarding dinner and sports.
The data controllers have not provided any personal data or documents related to the pending legal claims between the data controllers and inter alia A, including ongoing legal proceedings, and nothing of material substance related to A’s position as a board member of the data controller Q from the period […] have been provided, even though such material undisputedly is in the possession of the data controllers. In fact, it is quite significant that the data controllers in their response letter have informed that they process personal data of A related to the period […] but at the same time only have provided access to 66 - irrelevant and futile - documents.
The legal proceedings
One of the data controllers Y (a holding company within D) purchased V, including the wholly owned operating company Q and its subsidiaries (“…") T. (a holding company within the Z group) (the "Seller") by way of a Share Sales and Puchase Agreement of […] and […] as transaction date ("Closing").
Shortly after Closing, the Q Group and its auditors discovered alleged irregularities in the records of Q, which according to Y significantly reduced the value of the group, and ultimately Y instigated an arbitration case against the Seller on […], claiming breach of warranties and a purchase price adjustment.
On 20 December 2019 Y furthermore initiated a court case against four entities within the Z group, A, the former CFO of Q and the former CEO of Q (collectively "the Defendants"), claiming payment of its loss related to the purchase of the Q Group.
The court case is scheduled to take place in Q1 2023 and so far, the proceedings has included submission of i) statements of defence on 1 September 2020, ii) reply on 16 November 2020, iii) a motion for discovery (edition) on 1 March 2021 and a request for a court appointed expert process to be initiated at a later point in time to assess the value of Q. The VP Engineering at Q and Q itself were joined as third party defendants, in September and December 2020, respectively.
Y and Q have claimed that the motion for discovery must be declined in its entirety.
Inapplicable exemptions invoked by data controllers
The data controllers have exempted personal data from A’s right of access with reference to the exemptions following from GDPR article 15(4) and the Danish Data Protection Act section 22 (2), no. 9 and 10. However, the conditions for the said exemptions are not met.
Art. 15(4) of the GDPR can be applied where the right of access may adversely affect the rights and freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting the software (recital 63), and as such it is of no relevance in this case. Further, it is specifically stated in recital 63 that the result of the considerations to exempt the material from the data subject's right of access should not be a refusal to provide the information to the data subject. Thus, even if the conditions of art. 15(4) of the GDPR had been met, the data controllers should apply redactions in terms of specific information and provide the rest of the information to the data subject, avoiding to withhold whole documents.
Section 22 (2), no. 9 and 10 of the Danish Data Protection Act, is clearly inapplicable, as this provision requires that with-holding information takes place due to essential considerations of public interests, such as exercise of powers of official authorities or carrying out actions in relation hereto. As all three data controllers are private entities not carrying out any such tasks in public interest, the exemption in question cannot justify limitations in A’s right of access to his personal data.
In case the right of access indeed has been restricted due to essential considerations of private interests which are deemed to override the data subject's interest in obtaining the information, see section 22 (1) of the Danish Data Protection Act, any exemptions used in this context must be applied restrictively and thus have a narrow scope. In accordance with the preparatory legal works to section 22 (1) of the Danish Data Protection Act, "essential considerations of private interests" must be interpreted as obvious high risk that disclosing the personal data to the data subject would lead to considerable material or immaterial damage for the data controllers. Therefore, this exemption requires a concrete assessment in relation to each category of personal data.
The provision can clearly not be (mis)used to withhold relevant information, based on the reason that it will impair the data controller's possibility of having a successful outcome of a court case vis-à-vis the data subject if relevant material is provided. Moreover, the data controllers should apply redaction techniques if specific information can be omitted, and provide redacted documents to the data subject, rather than withholding the material completely.
In the light of the above, we hereby submit a supplementary complaint to the Data Protection Agency regarding X, Y and Q’s infringement of article 15 and article 12 (3) of the GDPR…”
Vedlagt denne klage var de indklagedes besvarelse af 18. maj 2021 af den fremsatte anmodning. Det fremgår heraf:
”…
Scope of the request
[…]
Y has informed us that it processes personal data on A in connection with the ongoing legal claims against, inter alia, A.
X has informed us that it processes personal data on A in connection with the ongoing legal claims against, inter alia, A (and Z, where A was managing partner at the time of the purchase of Q from funds managed by Z.
The personal data relates only to the above-mentioned period up until late […] where A left the board of Q. Personal data which has been processed before this period has been deleted in accordance with X’s privacy policy and thus no longer exist.
A number of documents containing personal data on A has been found to be exempted from the right of access in accordance with the exceptions following from GDPR article 15(4), the Danish Data Protection act § 22, sect. 2, no. 9 and 10 (with appurtenant preparatory legal works) and guidelines from Datatilsynet based on its practice.
The exceptions concern situations where the data subject’s interest in the information is found to be overridden by essential considerations of private interests, including, inter alia, essential considerations regarding investigation and prosecution of legal claims, confidentiality obligations and protection of trade secrets etc. ..“
Foruden denne besvarelse var besvarelsen af 18. maj 2021 vedlagt informationer i henhold til databeskyttelsesforordningens artikel 15, stk. 1, og en række dokumenter.
2.4.
Den 9. juni 2021 fremkom de indklagede af egen drift med bemærkninger til Datatilsynet i anledning af klagers fornyede klage. Det fremgår heraf:
”…
Ved brev af 2. juni 2021 har Kromann Reumert på vegne af A (”Klager”) indgivet en supplerende klage til Datatilsynet i forlængelse af den oprindelige klage af 18. maj 2021. Klagerne vedrører en begæring om indsigt efter GDPR art. 15, jf. databeskyttelseslovens § 22, i personoplysninger om Klager, som behandles af vores klienter, X, Y og Q (herefter ”de Dataansvarlige”).
Mens den oprindelige klage vedrørte, at indsigtsbegæringen ikke skulle være blevet besvaret rettidigt, vedrører den supplerende klage, at indsigtsbegæringen ikke skulle være behandlet korrekt i henhold til GDPR og databeskyttelsesloven.
På vegne af de Dataansvarlige skal vi afvise begge dele af klagen. Vi skal samtidig på ny udtrykke vores beklagelse og generelle bekymring over et forsøg som det foreliggende på at misbruge GDPR og persondataretten til at omgå de almindelige editionsregler i retsplejeloven, trænere retssager unødigt og påføre modparter i sådanne retssager et uforholdsmæssigt stort ressourceforbrug og dermed uforholdsmæssige omkostninger til behandling af anmodninger efter GDPR.
Vi henviser her i det hele til vores brev til Datatilsynet af 26. maj 2021, hvori vi tillige anmoder om Datatilsynets, eventuelt Datarådets, principielle stillingtagen til, hvordan indsigtsanmodninger nærmere skal behandles – herunder i forhold til dybden af behandlingen og det afledte medgåede ressourceforbrug – i verserende retssagskomplekser, der omfatter et ekstraordinært stort antal dokumenter, og hvor den registreredes rettigheder i meget vid udstrækning i forvejen er beskyttet af regler i andre regelsæt, herunder ikke mindst retsplejelovens almindelige regler.
For så vidt angår den påståede fristoverskridelse i nærværende sag henviser vi i det hele til det i brevet af 26. maj 2021 anførte. For så vidt angår påstanden om, at indsigtsbegæringen ikke skulle være blevet behandlet korrekt, bemærkes, at den verserende retssag mod bl.a. Klager på de Dataansvarliges side involverer tre selskaber og i alt mere end 1,1 mio. dokumenter. Indsigtsanmodningen fra Klager i med før af GDPR art. 15 har således nødvendiggjort identifikation, indsamling, gennemgang og vurdering af mere end én million dokumenter fordelt på forskellige selskaber, for at kunne afgøre, hvorvidt personoplysninger om Klager, der måtte være indeholdt i disse dokumenter, konkret har skullet udleveres.
This has resulted in a particularly extensive collection and analysis work, which includes has required assistance from a leading consultancy within "Forensics Services". This is of course also the reason why it has been necessary to make use of the extended 3-month deadline.
When processing and assessing the documents, the Data Controllers have very carefully proceeded according to the procedure embedded in GDPR art. 15 and Section 22 of the Data Protection Act, and according to which the data subject must be given access, unless the interest of the data subject in gaining knowledge of the information is concretely found to give way to decisive considerations of private interests.
According to the GDPR, Section 22 of the Data Protection Act and its preamble as well as the Danish Data Protection Authority's practice, it is possible, after a specific assessment, to be exempted from the right of access in a number of situations, including a) if access would be contrary to a duty of confidentiality, b) if access would significantly damage trade secrets, c) if insight will damage the data controller's pursuit of a legitimate interest, including in connection with a current or potential court case, and d) if the person in question is an employee and is only referred to by virtue of his employment function - not as a private person.
The information that the Data Controllers have provided in the present case is thus a result of the prescribed assessment and balancing of the consideration of the registered, Complainant, against the consideration of the Data Controllers. In this assessment, the Data Controller's safeguarding of its legitimate interests in connection with the pending legal proceedings against, among other things, Complaints are obviously weighed heavily. In this connection, it must be remembered that the right to "a fair trial" according to ECHR art. 6 and the EU's Charter of Fundamental Rights art. 47, is a fundamental right on an equal footing with the right to privacy and personal data protection according to ECHR art. 8 and the EU's Charter on Fundamental Rights art. 7 and 8.
The Complainant's supplementary complaint that the Data Controllers should not have processed and answered the access request from the Complainant correctly is thus clearly unfounded and must therefore be clearly rejected. On the contrary, the Data Controllers have carefully followed – and with significant costs as a result – the procedure for processing access requests prescribed by the GDPR and the Data Protection Act.
The complainant's supplementary complaint, on the contrary, seems to clearly illustrate the more fundamental issue that the Data Controllers expressed in the application to the Data Protection Authority of 26 May 2021, namely that the case reflects a worrying trend that seems to be towards the GDPR being attempted misused to circumvent the edition rules in major lawsuits.
The case that has given rise to the access request from A relates to a larger pending legal case complex, where one of the data controllers, Y, has summoned, among other things, Complainant (A) following Y's takeover of Q on […].
The case concerns whether a number of persons, including the Complainant, deliberately manipulated accounting information about Q prior to the takeover, and whether the companies these persons represented are liable for this.
The seller of Q, […], was […] ordered by an arbitration court to pay […] back to Y, because the court found it proven that a number of people, including represented the holding company, had carried out accounting manipulation. The pending trial against, among other things Complaints have been filed in continuation of this arbitration.
The present case shows with all clarity that the access request under the GDPR is only used as an alternative to the ordinary edition under the Administration of Justice Act. It thus appears expressly from the supplementary complaint that the Complainant in the pending court case on 1 March 2020 requested an edition according to the Administrative Procedure Act; a request that the court has not yet ruled on. Instead of waiting for the outcome of the edition request, Klager is thus trying to circumvent the edition rules and instead abuse the right of access under the GDPR. In this connection, it should be noted that the seller of Q (and thus indirectly the Complainant) during the arbitration proceedings, prior to the pending court case, was given access to approx. 1,200 documents in response to edition requests.
It is also striking that Klager is never previously seen to have filed any request for access during the otherwise long period he was a board member of Q, nor in the time thereafter, while the arbitration case was pending. The request for access only now comes in connection with the pending court case.
In relation to the relationship between the GDPR and the edition rules, it should be particularly noted that one of the basic purposes of the rules in the Administration of Justice Act, including the edition rules, is precisely to find the right balance between the interests of the parties involved in the trial, so that both parties achieve "a fair trial ” in accordance with the fundamental right to this, which is protected under both ECHR art. 6 EU's Charter on Fundamental Rights art. 47. It is not – and has never been – the intention of the GDPR and the right to personal data to upset this balance.
As stated in the request to the Danish Data Protection Authority of 26 May 2021, the tendency that appears to be for the GDPR to be misused to circumvent the general edition rules in major legal proceedings may contribute to undermining the legitimacy behind and the intention of the fundamental right to privacy, which GDPR takes care of. It can also make the conduct of legal proceedings so expensive that many will refrain from it altogether - to the detriment of the "access to justice", which is fundamental for every state governed by the rule of law and is also protected under both the European Convention on Human Rights art. 6 and the EU's Charter of Fundamental Rights art. 47.
Against this background, we, on behalf of the Data Controllers, must once again request the Danish Data Protection Authority's, or possibly the Data Council's, principled position on how access requests should be processed - including in relation to the depth of the processing - in complex legal proceedings that include an extraordinarily large number of documents, and where the The rights of data subjects are, to a very large extent, already protected by rules in other sets of rules, including in particular the general rules of the Administrative Procedure Act…”
2.5.
In response to the Data Protection Authority's request for an opinion of 18 June 2021, the defendants appeared on 6 July 2021 with an opinion on the case. The opinion states:
“…
By letter of 18 June 2021, the Danish Data Protection Authority has requested an opinion in the above-mentioned case, where Kromann Reumert has approached the Danish Data Protection Authority on behalf of A (Complainant). The requested information follows below, referring at the same time to our previous letters in the matter of 26 May and 7 June 2021.
Ad categories of information
The Danish Data Protection Authority has asked for information on which categories of information about the Complainant, X and Y ("the Data Controllers") are processed in relation to the present case.
We can inform you that the Data Controllers process the following categories of information about Complainants:
Identity information such as name, initials, e-mail, address, photo, copy of passport, etc. Complainant's title and role in connection with Y's purchase of Q […], including as a member of the board of Q […] and managing partner of Z. Personal information related to the ongoing civil claims, i.a. against the Complainant, in continuation of the purchase of Q on […]. Ad types of information
We can state that the information collected and processed is not sensitive information covered by GDPR art. 9.
As mentioned in our previous letters, the information has been collected and processed for use in a pending lawsuit against, among other things. Complaints. The lawsuit is a civil compensation case, and the Data Controllers thus do not treat the information as information about criminal matters covered by GDPR art. 10.
However, it cannot be ruled out that the police or others will treat the information as information about criminal matters covered by GDPR art. 10. In this connection, we refer to what was stated in our previous letters that the pending court case concerns whether a number of people, including the Complainant, deliberately manipulated accounting information about Q prior to Y's takeover of Q, and about the companies that these persons represented are liable for this. In an arbitration award from […], of which the pending litigation is an offshoot, the seller of Q, […] managed by Z, was ordered to pay […] back to Y, because the court found it proved that a number of people , which i.a. represented the holding company, had carried out accounting manipulation.
It is also not about information that is considered confidential according to other rules, and where special protection needs may be important in the application of the data protection rules (cf. e.g. Section 152 of the Criminal Code in conjunction with Section 27 of the Public Administration Act). In other words, it is exclusively about general data, cf. that under section 1 stated.
Reasons for not handing over personal data
As mentioned in our previous inquiries in the case, the pending lawsuit against, among other things, Three companies and a total of more than 1.1 million complain on the Data Controller's side. documents. The access request from the Complainant pursuant to GDPR art. 15 has thus necessitated the identification, collection, review and assessment of more than one million documents distributed among different companies in order to be able to determine whether personal data about the Complainant, which may be contained in these documents, actually had to be disclosed.
It is not possible to manually review and assess more than 1.1 million documents. It has therefore been necessary to use an approach that is both operational and sound in terms of resources, and which at the same time meets the requirements of the GDPR and the Data Protection Act, including the time requirements. The method has been developed together with Deloitte's department for "Forensics Services", which as a basis for the pending trial has established a special database (hereafter "the Database") to collect and structure the many documents.
The method used reflects the system in GDPR art. 15 and Section 22 of the Data Protection Act, according to which the data subject must be given access, unless the data subject's interest in gaining knowledge of the information is concretely found to give way to decisive considerations of private interests.
In this connection, it is important to emphasize that all 1.1 million documents - and the personal data contained therein - which, as mentioned, relate to the trial against, among other things Complainant (any other personal data about the Complainant is deleted according to the general rules of the GDPR and the companies' internal guidelines on deletion). This is therefore information that is presumably of decisive importance to the Data Controller's safeguarding of its legitimate interests in connection with the pending court case. Since the documents relate to a very large company takeover, it is also about information that is "born" extremely business-critical and thus has the character of business secrets.
The procedure used is the following:
On the basis of the access request from the Complainant, a search is made in the Database for documents in which the Complainant is mentioned or is the sender, receiver or cc. Gorrissen Federspiel reviewed and then manually assessed approx. 25% of the documents (randomly selected) according to the procedure prescribed in the GDPR and the Data Protection Act, i.e. carried out a concrete assessment of the right of access against the exceptions to this applicable according to law, procedures and practice (cf. more about the legal basis below under point 4). For the documents and information that were found not to be handed over, the relevant legal exception (to the main rule on access) was listed in the Database. On the basis of the manual review and qualification, a number of keywords and word combinations were defined that would most likely lead to information in a given document being either subject to insight or covered by an exception. On the basis of the defined keywords and word contexts, an automated filtering of the other documents in the Database containing personal data about the Complainant is then carried out. The documents were then divided into 3 categories: 1) documents and information that had to be disclosed in accordance with the access request, 2) documents that did not have to be disclosed, and 3) documents where the assessment was uncertain and therefore required a closer assessment. For those documents where the assessment was found to be uncertain, Gorrissen Federspiel manually carried out the final legal assessment. The documents and information which, after going through the entire method, were subject to insight, a total of 100 documents, were then handed over to the Complainant's lawyer in encrypted form.
When no more than a total of 100 documents were handed over to the Complainant, it is thus due to the fact that, in the case of the other documents, on the basis of the procedure described, it has been assessed that decisive considerations for the Data Controller speak for not handing over the information to the Complainant, cf. Section 22, subsection of the Data Protection Act. 1.
In this assessment and balancing of considerations, it must be included that the Complainant's interest in gaining insight as previously described must be assessed in the context of the fact that the Complainant - because the request for insight is inextricably linked to a larger pending court case in which the Complainant is the defendant - has the opportunity via the general edition rules of the Administrative Procedure Act to be provided with the information that is relevant to the Complainant in order to protect his legal interests in a fair and balanced manner. See more about the legal basis immediately below.
On the legal basis
For the majority of the information that the Data Controllers have about the Complainant, as stated, it applies that this information has been found to be covered by one or more of the exceptions to the right of access according to GDPR art. 15.
According to the GDPR, Section 22 of the Data Protection Act and its procedures and the Danish Data Protection Authority's practice, the right of access can thus be exempted in a number of situations, including a) if access would conflict with a duty of confidentiality, b) if access would significantly harm trade secrets, c) if access would harm the the data controller's pursuit of a legitimate interest, including in connection with a current or potential court case, and d) if the person in question is only referred to by virtue of his employment function (i.e. the performance of the task itself) - not as a person.
In relation to the latter exception, which has been developed in the Danish Data Protection Authority's practice (cf. guidance of December 2020 on Data protection in connection with employment), it should be noted that real reasons must speak for board members being treated according to the same principles as actual employees, as board members on the same way in which other persons in the company carry out a function which can be separated from the person in question himself. It should also be noted that, when applying this exception, no specific balancing of interests must be carried out, as the information in question, because it is linked to the person's function and not the person himself, does not constitute personal data in the sense of the GDPR, cf. art. 4, No. 1.
As the Complainant in the present case has largely received the documents in copy, without being either the sender or the addressee of the document in question, the Complainant is to a large extent only referred to by virtue of his function, not by virtue of his person.
As far as the exception regarding trade secrets is concerned, it should be noted, as previously mentioned, that the documents relate to a very large business takeover, which is why these are documents, including personal data, which are "born" extremely business-critical and thus have the character of trade secrets.
In relation to the exception regarding safeguarding a legitimate interest, as also mentioned, it applies that all 1.1 million documents in the present access case relate to the trial against i.a. Complaints. This is therefore information that is presumably of decisive importance to the data controller's safeguarding of its legitimate interests in connection with the pending court case.
In addition, as mentioned, the Complainant, because a court case is pending, has the opportunity to use the general edition rules in the Administration of Justice Act to gain access to the documents and information that are relevant for the Complainant to safeguard his legitimate interests in the case. As previously mentioned, one of the basic purposes of the rules in the Administration of Justice Act, including the edition rules, is precisely to find the right balance between the interests of the parties involved in the trial, so that both parties gain access to "a fair trial" in accordance with the fundamental right to which is protected under both ECHR art. 6 of the EU's Charter of Fundamental Rights art. 47. It is not - and has never been - the intention of the GDPR and the right to personal data to upset this balance.
As stated in the request to the Danish Data Protection Authority of 26 May 2021, the present insight case is an expression of a worrying trend towards the GDPR being misused to circumvent the general edition rules in large court cases. This could undermine the legitimacy behind and the intent of the fundamental right to privacy that the GDPR safeguards. It can also make legal proceedings so expensive that many will refrain from them altogether - to the detriment of "access to justice", which is fundamental to every rule of law and which is also protected under both the European Convention on Human Rights art. 6 and the EU's Charter on Fundamental Rights art. 47.
In relation to Section 22 of the Data Protection Act, it appears from the preparations for the provision (cf. Bill L 68, FT 2017-18) that the balance according to Section 22 (on restrictions on the data subject's rights) must be carried out for each individual piece of information, with the effect that , that if there is information that can be exempted from the right of access, access to the other information must be given upon extraction.
These rules, which, according to the drafters of the law, are modeled on the Act's access to documents rules, make excellent sense in access cases where a relatively manageable number of documents are involved. However, in large litigation complexes such as the present one with millions of documents, the rules are clearly disproportionate, at least if it is a prerequisite in the rules that the assessment of the documents and information must be done exclusively manually. Here, the rules will lead to such a significant increase in the cost of legal proceedings that, as mentioned, many will refrain from this altogether to the detriment of the fundamental right to "access to justice", cf. the European Convention on Human Rights art. 6 and the EU's Charter on Fundamental Rights art. 47.
The disproportionality of the rules is only strengthened by the fact that the general edition rules of the Administration of Justice Act in such large litigation complexes serve the same interests as the right of access under the GDPR. It is noted in this connection that the edition rules can perfectly accommodate the necessary data protection considerations, cf. for example UfR 2007.196 H. The right of access according to the GDPR should therefore not be able to be used in connection with a court case to "go fishing" for information that you are not allowed to be entitled to according to the edition rules. This would undermine the balance built into the edition rules, cf. also the principle of "equality of arms" according to ECHR art. 6.
In relation to the legal comments referred to Section 22 of the Data Protection Act, which, as mentioned, has a model in the Act on access to documents, it must also be noted that they seem to lack the necessary basis in the GDPR. GDPR art. 15 does not prescribe an invariable, concrete "document-by-document" assessment with a built-in obligation to extract. On the contrary, the GDPR everywhere emphasizes the principle of proportionality and the principle of reasonableness, cf. art. 5, just as a request for access can be completely rejected if it is obviously groundless or excessive, cf. art. 12, subsection 5.
This speaks in favor of an interpretation of Section 22 of the Data Protection Act, according to which access requests in extensive litigation complexes with enormous amounts of documents can be processed and answered as happened in the present case, i.e. by a partially automated approach based on manual inputs and continuous manual validation of the results.
In this connection, we would like to remind you that the rules in GDPR chapter III on the rights of the data subject in general are an expression of total harmonisation. According to GDPR art. 22, Member States may limit the data subject's rights under GDPR Chapter III, but may not extend them. It must therefore be considered doubtful whether the requirements laid down in the legal comments to Section 22 of the Data Protection Act - if they are to be understood as very rigid and inflexible, cf. above - are in accordance with the GDPR.
Summary
In summary, it is therefore our opinion that the above - partially automated - procedure for processing access requests, which in itself is quite time- and cost-consuming, fully meets the requirements of the GDPR in large litigation complexes such as the present one. Should the Danish Data Protection Authority take a different view, please - and taking into account the principle scope of the case - request the Danish Data Protection Authority to explain this in more detail. We must also request that the matter be submitted to the Data Council for an opinion…”
2.6.
On 18 August 2021, complaints appeared with comments on the case. From the comments it appears:
“…
The arbitration court did not criticize A
The Data Controllers state that it cannot be ruled out that the police or others will treat the collected and processed information as information about criminal matters and refer to the lawsuit brought by Y against, among other things. A relates to the question of whether a number of people in Q, including A, have manipulated accounting information. The Data Controllers further refer to the fact that the seller of the shares in […] was ordered by an arbitration ruling from […] to pay a larger amount to Y, because the arbitration court found it proven that a number of people had carried out accounting manipulation. A was precisely not one of the persons whom the arbitration court believed had carried out accounting manipulation. On the contrary, the arbitration court did not criticize A, despite the fact that Y - as is also described in the Data Controller's letter - had apparently gone through more than 1.1 million documents and e-mails and, in general, completely unheard of efforts were made to pin A on the alleged irregularities.
The number of documents cannot justify rejection
As part of the justification for not handing over information, the Data Controllers refer to the fact that more than 1.1 million documents to be reviewed. However, neither the access rules in the GDPR nor the exception provisions in the Data Protection Act make it possible to withhold personal data that access is sought due to the extent of the material to be reviewed in connection with an access request. Court case complexes can of course contain large amounts of documents, but the same can apply, for example, to cases with a municipality that can potentially process information about the data subject in different administrations, a parent company in a larger group, where a number of group companies may be involved in the relevant processing activities, or a bankruptcy estate, where a large amount of information can be transferred at very short notice to a receiver who has no knowledge of it. The consequences of including such considerations in a personal data law assessment in a digital age are of course worrying and unsustainable. The justification regarding the extent of the documents also appears by its nature without credit when it is taken into account that the Data Controllers have failed to review and extract documents, despite the fact that the Data Controllers are apparently fully aware that this is a requirement according to (the processors to) Section 22 of the Data Protection Act, which they believe is simply in breach of EU law, and that the Data Controllers have also only provided an extremely limited number of documents.
It is not current practice that information can be exempted because it relates to a "function"
In relation to the remarks about a person's actions in a professional context, a former board member cannot be equated with an employee, i.a. because a board member is elected by the general meeting and takes actions, makes decisions and has a (personal) responsibility that cannot be compared to that of employees. Furthermore, it does not follow from the Danish Data Protection Authority's practice that information which is processed under an employment relationship and relates to actions carried out in connection with the performance of one's tasks, should not be considered personal data as defined in GDPR, art. 4, no. 1. Such information will in many cases undoubtedly constitute information about an identified or identifiable natural person. There is therefore no automatic exclusion of such information from the right of access, simply because the information relates to a (job) function or acting in a professional context. Finally, as part of handling a request for access, there cannot and should not be a clear separation of the person of the data subject and his "function". As also appears from the Danish Data Protection Authority's guidance on data protection in connection with employment (December 2020), it is important whether, for example, it is a description of a course of action which is an expression of a personal choice made by the person in question or a reaction from his page. Actions, decisions and assessments in a professional context, including especially for board members, can definitely be an expression of a more or less personal choice, preference or reaction, and the Data Controller's mention and subsequent assessment thereof must clearly be considered to be covered by the right of access, unless the information specifically can be exempted on the basis of the relevant exemption provisions.
Claimed trade secrets
The Data Controllers point out that the relevant documents relate to a large business transfer, which is why they are documents that are "born" business-critical and have the nature of business secrets. However, the justification does not harmonize well with the fact that the information is also excluded with reference to the fact that it relates to A's work as a board member and that he has largely received copies of the documents. A was a board member of Q from [...] and right up until the completion (closing) of the mentioned business transaction in […], and he is therefore presumptively familiar with - and has potentially participated in the development of - certain documents requested by the Data Controllers classified as "trade secrets". For that reason alone, the Data Controllers cannot make a (general) refusal to access the personal data that may be contained therein.
The Data Controller's interest in the pending court case does not precede A's right to access
The Data Controllers refer to the fact that the information is "presumably of decisive importance for the data controller's safeguarding of its legitimate interests in connection with the pending legal proceedings". The Data Controllers have not explained in detail why the information should have such decisive importance, and the Data Controllers have rather explained why this consideration - a consideration of own interests in a lawsuit initiated by one of the Data Controllers himself against A in particular - should weigh heavier than A's right to gain insight into the information processed about him, and in particular how it could lead to a de facto complete rejection of insight. As also appears from the preparations for the Data Protection Act § 22, subsection 1, the provision does not give access to generally exempt certain types of processing of information from the right of access, and such a practice must also be considered to go against the main purpose of the right of access, namely to ensure transparency with the processing of personal data. The Data Controller's comments that A has the option of using the administration of justice's edition rules as part of the pending court case do not take into account that the edition rules and the GDPR take care of different considerations, purposes and functions. While the edition rules potentially concern all types of information and documents, but require a statement of purpose and significance for a legal case, the GDPR does not require a statement of purpose or justification, but only concerns personal data. There is also no question that A has requested insight into other or more than the personal data that is processed about himself. Neither the edition rules nor the right of access are otherwise intended to limit the right to information, but rather to ensure access to it under specified circumstances. The Data Controllers state that it is not the intention of the GDPR to intervene in the administration of justice's edition rules and the right to "a fair trial" according to ECHR art. 6 and the EU's Charter on Fundamental Rights art. 47. However, just as little is the intention of the edition rules to interfere with the right of access according to the GDPR and the right to respect for privacy and protection of personal data according to ECHR art. 8 and the EU's Charter on Fundamental Rights art. 7 and 8. There is thus no basis for the view that the existence of a court case, and the fact that a data subject has the opportunity to make use of the edition rules as part of this, should limit the right of access under the GDPR. The request is therefore also not an expression of a "worrying tendency" for the GDPR to be "abused to circumvent" the edition rules. This is the inclusion of extraneous and unreasonable considerations in the processing of a perfectly legitimate request for access. If anything is to cause concern, it is rather the Data Controllers' attempt to limit the right of access with reference to a legal proceeding that one of the Data Controllers himself has initiated against the data subject…”
2.7.
On 20 September 2021, the defendants came forward with further comments on the case. It appears from this:
“…
The Danish Data Protection Authority has requested the Data Controllers' possible comments on Complainant A's statement of 18 August 2021 in the above case. On this basis, we must note the following on behalf of the Data Controllers, as we otherwise refer to our previous statements and explanations in the case.
Ad types of information
The complainant claims that he was not one of the persons whom the arbitral tribunal believed had carried out accounting manipulation. It should also be noted that the arbitration case, which we have previously stated, was a civil case that concerned the question of whether the accounting dispositions made provided a basis for liability for damages against the company which, among other things, Complainant represented. The arbitral tribunal found this to be the case. The arbitral tribunal thus did not take a position on possible criminal liability in the case, including whether there is a basis for individual liability against the management personnel involved, i.a. Complaints.
It must therefore be maintained that it cannot be ruled out that the police or others will treat the information about the Complainant as information about criminal matters covered by GDPR art. 10.
The complainant's remark that the Data Controllers "on the whole [have] made completely unheard of efforts to pin A on the alleged irregularities", does not belong in an otherwise factual and serious correspondence.
Reasons for not handing over personal data
The complainant states that the number of documents, more than 1.1 million, cannot justify rejection. This is completely correct, and the Data Controllers have not rejected the request for insight either. On the contrary, the data controllers have developed a procedure for processing such extensive access requests in light of the fact that it is not possible to manually review such large amounts of documents document by document.
The method used, which is a partially automated method based on manual inputs and continuous manual validation of the results, complies with the requirements of GDPR art. 15 and Section 22 of the Data Protection Act, at the same time as it makes it practically possible to review such large amounts of documents in a legal and responsible manner.
The procedure is described in detail in our statement to the Danish Data Protection Authority of 6 July 2021, to which reference is made throughout.
Current Practice Regarding Information Relating to a "Function"
It is maintained that there must be real reasons for board members to be treated according to the same principles as actual employees, as board members, in the same way as other persons in the company, carry out a function which can be separated from the person concerned.
In the Danish Data Protection Authority's guidance on data protection in connection with employment (December 2000), no distinction is made between whether the person in question occupies a high or low position in the company. The only decisive factor is whether it is information about the person in question himself (i.e. personal data), or about information that primarily describes the function that the person in question performs or has performed. That this fundamental distinction should not include cases of access requests, as the Complainant seems to believe, is without evidence in the guidance or the Data Protection Authority's practice in general.
The trade secret exception
The Complainant disputes that the documents on the business transfer can be of the nature of trade secrets when the Complainant - in his capacity as a board member of the acquired company - has received copies of the documents at the same time. It is difficult to fully understand this - somewhat outlandish - argument. It is obvious that a document does not lose its character as a trade secret because it is sent to selected key persons, including board members - quite the opposite.
At the same time, it seems somewhat contradictory that the Complainant is seeking insight into documents which the Complainant now claims to be in possession of "to a large extent" himself.
Taking care of the Data Controller's legitimate interests in connection with a court case
The Complainant states that the Data Controllers have not explained in detail why the information should be of decisive importance for the pending court case, and why the consideration of the Data Controllers should weigh more heavily than the consideration of the Complainant.
In addition, it should be noted that it should be obvious that a court case that is an offshoot of an arbitration case, where the arbitration court awarded the Data Controllers compensation of […] as a result of accounting manipulation committed in connection with a business transfer, is of decisive importance to the Data Controllers . There is also no requirement in the GDPR or the preambles to Section 22 of the Data Protection Act that a data controller's legitimate interests in connection with a court case must be justified beyond what - as in the case here - is completely obvious.
The fact that the consideration for the Data Controllers concretely exceeds the consideration for the Complainant is due, among other things, to The Complainant's option to apply the general edition rules of the Administration of Justice Act, cf. our report to the Data Protection Authority of 6 July 2021. In addition, the Complainant himself has now stated that he is already in possession of the majority of the documents, cf. the above. The complainant is thus fully able to protect his own interests in the trial.
We also refer throughout to our previous letters in the case…”
2.8.
On 22 October 2021, complaints appeared with further comments on the case. It appears from this:
“…
It does not follow from the Danish Data Protection Authority's guidance or practice that personal data is exempt from the right to access because it is considered to relate to a "function"
The Data Controllers indicate that there is a current (and possibly general) practice that personal data is exempt from the data subject's right of access if it is personal data that relates to a work function, and that some general principles apply to employees in that connection. As the Norwegian Data Protection Authority is of course aware, this is not correct. On the contrary, it is only a matter of stating a specific example in the Danish Data Protection Authority's guidance on data protection in connection with employment, which simply illustrates how an employer in a specific case can justifiably refuse to give a former employee insight into, for example, letters, notes and e-mails , which is signed, drawn up or sent by the person in question in connection with the performance of his tasks, with reference to the fact that the inquiry is excessive, cf. GDPR art. 12, subsection 5. In the same example, it is stated that when assessing this, importance can be attached to whether the personal data in the given situation primarily describes a function that the person concerned has performed at the workplace. Similarly, it appears from the guidance that a specific assessment must always be made as to whether access can be refused, and an employer cannot therefore generally cut off certain types of information from the right to access. A is not a former employee of the Data Controllers, which is why the example is not applicable in the given situation and for this reason alone should not be given special importance. The relevant interpretive contribution, on the other hand, must be that the exception to A's right to access in the Data Protection Act § 22, subsection 1 must be applied restrictively, and the Data Controllers must make a concrete assessment which justifies an exception to his right of access. If the Data Controllers thus wish to exclude personal data from access due to the person concerned's work function, it must naturally be included in the assessment, which position the person concerned has held, and how this can concretely justify an exception from the right of access. The specific work function can therefore have an impact on the possibility of using the exception § 22, subsection of the Data Protection Act. 1, but it is obviously not possible to make a general assumption that personal data which may relate to a function must or can be exempted from the right of access.
A is not in possession of the personal data that access is sought
The Data Controllers state that "The Complainant is seeking insight into documents which the Complainant now claims to be "largely" in possession of himself" and that "The Complainant has now stated that he is already in possession of the majority of the documents". This is incorrect and based on a misunderstanding or distortion of the views expressed. In a letter of 18 August 2021 to the Danish Data Protection Authority on behalf of A, it was noted that the Data Controller's refusal to provide insight into information with reference to claimed "trade secrets" does not harmonize well with the fact that the information is at the same time exempted with reference to the fact that it relates to A's work as a board member and that he has largely received copies of the documents. It is apparently the latter remark that A has received documents in duplicate, which the Data Controllers have particularly attached themselves to and are now using as a basis for a claim that A himself is in possession of the documents. However, the remark is merely a reference to the views of the Data Controllers expressed in a letter of 6 July 2021, where the Data Controllers stated that "As the Complainant in the present case has largely received the documents in copy, without being either the sender or the addressee of the relevant , Klager is largely referred to only by virtue of his function, not by virtue of his person" (our emphasis). As stated in the letter of 18 August 2021, this is important because the Data Controllers cannot make a (general) refusal of access with reference to claimed "trade secrets" that A is presumptively aware of, e.g. through his board work in Q and/or because he - that is, according to the Data Controllers themselves - has received copies of certain documents. The fact that A has at one time received copies of certain documents does not, of course, mean that he is (still) in possession of such documents or the information contained therein. On the contrary, it is important to emphasize that A is not in possession of the information sought to be accessed.
The Danish Data Protection Authority's practice shows that the Data Controller's interest in a court case does not precede A's right to access
The Data Controllers state that the consideration for the interests of the Data Controllers, the lawsuit that the Data Controllers have brought against, among other things, A, exceeds consideration for A's right of access. This has been persistently contested and continues to be contested, and the point of view is also contrary to the Danish Data Protection Authority's practice. Thus, in a decision of 6 September 2021 (j.nr. 2020-31-3586), the Danish Data Protection Authority expressed serious criticism of an insurance company which had refused to give a former customer insight into surveillance material, citing that the customer would use the material in a possible lawsuit against the insurance company. The Norwegian Data Protection Authority states, among other things, in the decision:
[…]
The decision thus shows that the fact that personal data could be included in a legal dispute to the detriment of the data controller does not constitute such a decisive consideration for the interests of the data controller that the personal data can be exempted from access pursuant to § 22 of the Data Protection Act. The decision thus emphasizes, that the Data Controllers have not been entitled to reject A's request for access to personal data with reference to the Data Controllers' own interests in the legal proceedings brought against, among other things A…”
2.9.
On 8 November 2021, the defendants presented closing remarks in the case. It appears from this:
“…
To the Norwegian Data Protection Authority's guidance on data protection in connection with employment
The complainant claims again that the Data Controllers should generally have excluded information about a person's work function from the right of access. This is not correct. As described in our previous correspondence in the case, including our statement to the Data Protection Authority of 6 July 2021, the Data Controllers have not generally withheld any types of information from the right of access, but have developed a partially automated procedure that complies with the requirements of GDPR art. 15 and Section 22 of the Data Protection Act, at the same time that it makes it practically possible to review and assess such large amounts of documents as is the case here.
It is also maintained that there must be real reasons for interpreting the Danish Data Protection Authority's guidance in such a way that board members are treated according to the same principles as regular employees, as board members must, like other persons in the company, carry out a function which can be separated from the person in question himself.
A's own possession of the relevant personal data
The Complainant now asserts - in direct contradiction to the Complainant's previous submission in the case - that the Complainant is not in possession of the personal data sought to be accessed anyway. From the Complainant's previous submission it appears: "A was a board member of Q from [...] onwards for the implementation (closing of) the mentioned business transaction in […], and he is therefore presumptively familiar with - and has potentially participated in the development of - certain documents that the Data Controllers seek to classify as "business secrets". The statement agrees well with the natural fact that a board member is either himself involved in the preparation of documents of relevance to the board, or at least regularly receives copies of such documents. This applies to a particular extent if it is a question of documents of a business-critical nature, which are in question in relation to the pending court case relating to a significant business transfer.
The Danish Data Protection Authority's practice
In support of the view that the Data Controller's interest does not precede the Complainant's right to access, the Complainant refers to the Data Protection Authority's decision of 6 September 2021 (j.no. 2020-31-3586). However, this case differs in crucial respects from the present one.
First of all, the present case is to the highest degree a concrete and pending legal case (with a very significant subject matter), whereas in the aforementioned decision it was only a matter of a potential legal case.
Secondly, it concerned a type of personal data - a surveillance material consisting of observation reports, photos and videos - which the Danish Data Protection Authority naturally found did not have content that could cause imminent danger that private interests would be harmed.
The information in question was predominantly of a factual nature and would undoubtedly in any case be presented as evidence in a possible court case. In the present case, on the other hand, it is largely about information that may be of significant importance for the Data Controllers' organization and handling of the pending court case, including in relation to questioning themes and procedure. Here, the Data Controllers have assessed that this may lead to an imminent danger that the legitimate interests of the Data Controllers in the legal proceedings may suffer significant damage, cf. Section 22, subsection of the Data Protection Act. 1.
We also refer throughout to our previous letters in the case…”
3. Reason for the Data Protection Authority's decision
3.1. Delimitation of the case
The Danish Data Protection Authority has limited its investigation to the question of the content of the respondent's reply to the complainant's request for access, and the Danish Data Protection Authority has thus not considered whether the reply was made within the time limits set out in Article 12, paragraph 1 of the Data Protection Regulation. 3, including whether there was a basis for extending the deadline for responding to the complainant's request for access by two months.
3.2. The general rules
It follows from the data protection regulation article 15, subsection 1, that the data subject has the right to obtain the data controller's confirmation as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and the information set out in letter a-h of the provision.
Of the data protection regulation, article 15, subsection 3, it follows that the data controller provides a copy of the personal data that is processed.
The detailed rules for the exercise of the data subject's rights, including requests for access pursuant to Article 15 of the Data Protection Regulation, appear in Article 12 of the Data Protection Regulation. It follows from Article 12, subsection 5, that any notification and any action taken pursuant to Article 15 shall be free of charge. If requests from a data subject are obviously groundless or excessive, especially because they are repeated, the data controller can either, cf. Article 12, para. 5, letter a, charge a reasonable fee, taking into account the administrative costs of providing information or notifications or taking the requested measure, or, cf. letter b, refuse to comply with the request.
It follows from the Danish Data Protection Authority's practice (2019-812-0035 and 2021-32-2438[2]) that a data controller - citing that the request is excessive, cf. the data protection regulation's article 12, subsection 5, letter b – as a starting point can refuse to search for and review a large amount of letters, notes and e-mails, etc., which have been signed by or sent to the data subject in connection with the performance of the tasks in question, in order to identify and hand over any information about the concerned, which may appear from this.
The background for this is that it is presumed that information about the registered person, e.g. the name of the person in question, which may appear in a letter, note or e-mail that the person in question has signed or received in connection with the performance of his tasks, only appears accessory in relation to the function that the person in question has performed and the purpose of the treatment in question. Information such as this does not in itself say anything about the person in question, nor is it registered for the purpose of processing information about the person in question.
However, in the Data Protection Authority's opinion, there may be cases where such information not only describes a function that the person in question has carried out, but where the registration also contains information "about" the person in question.
3.3. The specific case
It appears from the case that the access request from the complainant would necessitate the identification, collection, review and assessment of more than one million documents distributed among different companies in order to determine whether personal data about complaints that could be contained in these documents would concretely have to be handed over.
In addition, it must be assumed that the large amount of documents which could contain information about complaints essentially relate to Q, in which the complainant was a board member, and Z, where the complainant was a managing partner, as well as to ongoing legal proceedings, including against complaints, following a business transfer.
In these circumstances, the Danish Data Protection Authority finds that the respondents were not obliged to search for and review the documents in order to identify and hand over information about complaints, cf. the data protection regulation's article 12, subsection 5, letter b, and the Danish Data Protection Authority, taking this into account, finds no basis for criticizing the defendant's handling of the complainant's request for access.
In this connection, the Danish Data Protection Authority emphasized that the complainant did not specify his request in such a way that the total number of documents that had to be reviewed in order to identify any information about him was reduced.
The Danish Data Protection Authority has then placed emphasis on the fact that there is a larger number of documents which potentially contain information about complaints, combined with the fact that the information about complaints which may appear from this must, in the main, be assumed to only appear accessory in relation to the purpose (business operation) and thus must be assumed to describe a function that the complainant performed.
On the basis of the above, the Danish Data Protection Authority has found no occasion to further assess the respondent's approach in connection with the response to the complainant's request for access.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).
[2] The decisions are available on the Danish Data Protection Authority's website
