Datatilsynet (Denmark) - 2021-32-2438

From GDPRhub
Datatilsynet (Denmark) - 2021-32-2438
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 12(5)(b) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 31.03.2022
Published: 26.04.2022
Fine: None
Parties: n/a
National Case Number/Name: 2021-32-2438
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA held that an access request by a data subject asking his previous employer to provide all emails, notes and letters sent or signed by him was excessive according to Article 12(5)(b) GDPR, since it comprised a very large amount of personal data predominantly connected to his duties and not personal attributes.

English Summary[edit | edit source]

Facts[edit | edit source]

After the termination of employment, a former municipality employee requested access to all communications in connection with his duties, in order to collect evidence against the municipality concerning his dismissal.

After providing some information under the rules on access to documents, the municipality tried to get the former employee to clarify and limit his request. It explained that the desired material was extensive after several years of employment. However, the data subject failed to clarify the scope of his request.

The municipality subsequently refused to provide additional material. It referred to the fact that the requested material constituted a vast amount of information in the form of notes, letters and e-mails which the former employee had prepared or sent in connection with the performance of his duties.

Holding[edit | edit source]

The Danish DPA held that in principle, under Article 15 GDPR, the data subject has a right to access his personal data processed by the controller, but that this rights is not absolute. The DPA stated that pursuant to Article 12(5)(b) GDPR, a data controller may refuse to comply with an access request if it is manifestly unfounded or excessive.

The DPA also emphasized that although the information contained in such communications should be considered personal data, this information was first and foremost related to the data subject's functions, and not information about the data subject himself or his personal attributes. The DPA held that in some cases, information which might include a description of a course of action which is a personal choice made by the data subject may thus be subject to his right of access, and that this would be an assessment that the controller would have to carry out.

The DPA therefore held that it had no basis for overriding the municipality's assessment since the information requested spanned over several years, and was only related to his duties during that time.

Comment[edit | edit source]

Tellingly, in addition to concluding on the excessive nature of the requested information, the DPA also commented on whether the communication conducted when performing work duties should constitute personal information (information "about" the work function vs. information "about" the data subject).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Previous employer could refuse to comply with request for insight

Date: 31-03-2022

Decision Public authorities

In a specific appeal case, the Danish Data Protection Agency has not found grounds to override a municipality's rejection of a former employee's request for insight on the grounds that the request was excessive.

Journal number: 2021-32-2438

Summary

In the case, a former employee of a municipality had, after termination of employment, requested insight into all communication in which the former employee was mentioned.

The municipality then tried to get the former employee to specify his request, as the desired material after several years of employment was extensive. However, this was rejected by the former employee.

It is the opinion of the Danish Data Protection Agency that a data controller may refuse to provide a registered insight into information about letters, notes and e-mails, etc., which have been signed by or sent to the data subject in connection with the person's duties, with reference to the inquiry being excessive.

In the assessment, the Danish Data Protection Agency emphasizes that, even though it may be personal data (information that the data subject in a given situation has signed a letter, sent an e-mail, etc.), first and foremost a function is described which the person in question has taken care of.

Decision

On 12 August 2021, you contacted the Danish Data Protection Agency regarding [X] Municipality's handling of your request for insight.

The Danish Data Protection Agency has understood your inquiry as a complaint that [X] Municipality has refused to give you insight into notes and e-mails, etc., which have been signed by or sent to you in connection with your previous employment with the municipality.

After reviewing the case, the Danish Data Protection Agency finds that the Authority has no basis for overriding [X] Municipality's assessment that the processing of your request for access has taken place in accordance with the rules in Article 15 of the Data Protection Regulation [1], cf. 5, letter b.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

It appears from the case that on 26 July 2021 you requested [X] Municipality for access to all communications in connection with your personnel case, all information regarding your person in [X] Municipality and "access to documents for your access".

[X] On 2 August 2021, the municipality provided a number of pieces of information in accordance with the rules on access to documents, and then stated on 4 August 2021 that the remaining part of your request - regarding material created in connection with your employment - would be processed in accordance with the rules in the Data Protection Regulation.

On 9 August 2021, you emphasized that your request should be understood as: "all my communication through [X] municipality's means of communication".

[X] The municipality subsequently refused to provide additional material, in accordance with Article 15 of the Data Protection Regulation, in accordance with Article 12 (1). 5, with reference to the fact that the requested material constituted a comprehensive amount of information in the form of notes and e-mails, etc., which you had prepared or sent in connection with your performance of tasks in [X] Municipality.

It appears from the [X] Municipality consultation response of 25 October 2021 that the municipality also tried to guide you in relation to your request, especially about how your request could possibly be clarified, but that you did not return the municipality's inquiry.

2.1. Your comments

You have generally stated that all material should be handed over, and that the municipality, by rejecting it, deprives you of the opportunity to obtain evidence against the municipality in connection with your dismissal.

2.2. [X] Municipal comments

[X] Municipality has generally stated that the remaining material involves a very large amount of e-mails that you have sent in connection with your assignment in [X] Municipality. In this connection, the municipality has stated:

”[X] Municipality initially considers that this is an excessive request, as it is a disproportionate, large amount of information in the form of all the complainant's communication through [X] Municipality's means of communication for several years. [X] The municipality is therefore aware of the guidance obligation that follows from section 7 of the Public Administration Act, and informs complaints that the request must be understood as limited to the year 2020 (cf. request for access to documents of 26 July 2021) and that complaints must be made if this restriction is not the case. [X] Municipality no longer hears from complaints.

The complainant's request to have all his communications handed over through [X] Municipality's means of communication involves a very large amount of e-mails that complainants have sent in connection with his performance of duties in [X] Municipality. [X] The municipality therefore rejects the request for access, on the grounds that the request is excessive, cf. Article 12 (1) of the Data Protection Regulation. 5. ”

The municipality has thereby maintained its refusal of your request for insight.

Justification for the Danish Data Protection Agency's decision

It follows from Article 15 (1) of the Data Protection Regulation 1, and para. 3, that the data subject as a starting point has the right to access and information about the processing of the personal data that the data controller processes about the data subject.

However, the right to receive a copy of the personal data processed is not absolute.

It therefore follows from Article 12 (1) of the Data Protection Regulation 5, letter b, a data controller may refuse to comply with a request for insight if the request from a data subject is manifestly unfounded or excessive.

3.1.

In this connection, the Danish Data Protection Agency is of the opinion that a data controller in accordance with Article 12 (1) of the Data Protection Regulation 5, letter b, may refuse to provide a registered insight into information about letters, notes and e-mails, etc., which have been signed by or sent to the person in question in connection with the person's duties, with reference to the fact that the inquiry is excessive.

In assessing this, importance is attached to the fact that, even though it may be personal data (information that the data subject in a given situation has signed a letter, sent an e-mail, etc.), first and foremost a function is described which the person in question has taken care of.

However, in the opinion of the Danish Data Protection Agency, there may exceptionally be cases where such information not only describes a function that the person in question has performed, or merely establishes the person's presence, but where the registration to a greater extent contains information "about" the person, e.g. . a description of a course of action which is a personal choice made by the person concerned and which may thus be subject to his right of access under Article 15 of the Data Protection Regulation.

The application of the above provision, according to which the data subject's right of access is restricted, therefore presupposes that the data controller makes a specific assessment.

3.2.

It appears from the information in the case that [X] Municipality has provided a number of information about you in accordance with the rules on access to documents and has tried to have your request for access clarified and, if possible, limited.

The Danish Data Protection Agency has therefore understood the case in such a way that [X] Municipality has given you the widest possible access to the information that the municipality processes about you, and has only failed to accede to your request for access with regard to notes and e-mails, which are signed by or sent to you in connection with your previous assignment at the municipality.

After reviewing the case, the Danish Data Protection Agency therefore finds that the Authority has no basis for overriding [X] Municipality's assessment that the processing of your request for access has taken place in accordance with the rules in Article 15 of the Data Protection Regulation, cf. 5, letter b.

In the decision, the Danish Data Protection Agency has emphasized that you have, as stated, requested insight into a comprehensive amount of information that extends over several years, and that information that is included in notes and e-mails, etc., which is signed by or sent to you in connection with your previous performance at the municipality, must first and foremost be assumed to describe the function that you performed during your employment, and thus is not to a greater extent information "about" you.





[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).