Subject access requests: what do you need to provide?

Posted on | by Robin Hopkins

Dear Sir/Madam, I hereby make a subject access request, please give me copies of documents and specify everyone you gave my data to, yours sincerely.

Response: okay, you can have some data, but no documents and we only need to tell you about ‘categories’ of recipients, not specific recipients.

Reply: not good enough, Article 15 GDPR entitles me to more detail.

Who is right? The CJEU has had a busy few months shedding some light on these kinds of issues, thanks mainly to a slew of Austrian referrals, with its latest contribution coming last week.

In January 2023, judgment was given in RW v Österreichische Post AG (Case C‑154/21) on the meaning of Article 15(1)(c) of the GDPR, which entitles a maker of a SAR to be informed of “the recipients or categories of recipient to whom the personal data have been or will be disclosed”. The CJEU’s answer was that, generally speaking, it is the data subject who has the option of receiving the answer on a category or specific recipient basis. If they want the latter, they should get it, except if (a) it is impossible to give them that detail, or (b) their request for specific recipients is manifestly unfounded/excessive (in which case the controller need only answer on a category of recipient basis).

More recently, in May of this year, judgment was given in FF v Österreichische Datenschutzbehörde and CRIF (Case C‑487/21) on the requirement under Article 15(3) GDPR to “provide a copy of the personal data undergoing processing”. FF wanted copies of documents containing his personal data – specifically, copies of emails and database extracts. CRIF gave him a summary only.

The CJEU’s answer was that the data subject must be given “a faithful and intelligible reproduction of all those data”. Article 15(3) “entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation (my emphasis), although that right can be curtailed to protect the rights and freedoms of others.

In the course of its analysis in FF, the CJEU included a pithy summary of its principles on the scope of ‘personal data’: a wide concept, with the ‘relates to’ and ‘identifiable’ limb being summarised at paras 23-25.

So, plenty of SAR case law coming out at an EU level, with a firm pro-data subject line (albeit hedged about with caveats and so on). What about us in non-EU Britain? Never fear, I’ll have a post up shortly with some domestic SAR nuggets.

Robin Hopkins