GDPR

Adatvédelem mindenkinek / Data protection for everyone

The interpretation of the right of access in the practice of the Hungarian DPA

16 September 2019, 08:00 - poklaszlo

The right of access is an important guarantee in the GDPR to ensure the transparency of data processing for data subjects. However, it is an open question to what extent this right can be exercised. In the past months, several interpretations became available, mostly from German data protection authorities and courts (see for example the decision of Cologne Regional Court summarised by Dr. Carlo Piltz, the judgment of the Higher Labour Court of Baden-Württemberg, and the annual report of the Data Protection Authority of Hessen).

The Hungarian Data Protection Authority (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság, the "Hungarian DPA") has also issued several decisions interpreting the rules of the GDPR on the application of the right of access.

First of all, the Hungarian DPA declares that the right of access is an important means to ensure transparency (NAIH/2019/167/13, in Hungarian):

Transparency should prevail throughout the whole data management process. According to the principle of transparency, it should be transparent for data subjects how their personal data are processed, by which data controllers. One way to check this is to exercise the right of access, which makes it possible for data subjects to verify the lawfulness of the data processing.

In this decision, the Hungarian DPA adds that

[...] it is not sufficient to provide information on the data contained in certain databases. The information should cover all personal data held by the data controller in relation to the data subject, irrespectively of the place and form of data storage (register of complaints, backup, paper or electronic accounting documents, correspondence) and the data processing activities performed on such data (e.g. storage, archiving, etc.)

In a decision issued in May (NAIH/2019/1859, in Hungarian), the data controller refused to fulfill the request of the data subject to provide a copy of the camera footage on the grounds that it contained business secrets as well as portraits of third parties. At the same time, the data controller would have provided an opportunity to the data subject to view the camera footage at the data controller's premises. In this case, the Hungarian DPA concluded that:

The possibility to view the recordings provides a different type of access to personal data and business secrets than providing a copy of the recordings to the data subject containing the same. As the applicant [data subject] was present when the recordings took place and he could meet personally with the third parties, the viewing of the recordings is less likely to restrict the rights of third parties to the protection of their personal data, especially if they are blurred, than to provide the applicant [data subject] with a copy of the recordings.

However, the data controller stated in the proceedings that even during the viewing of the recordings at his premises, the applicant (data subject) would not have access to the original unmodified recordings, only those where the data and information to be protected had already been blurred. In the course of blurring the recordings, the data controller may also have the possibility to blur any information that he considers to be business secrets.

By blurring information that can be regarded as business secrets, the recordings shall not be deemed as business secrets anymore as the applicant's movement in the bank office is not a business secret, since this information is of no financial value. The layout of the part of the premises open for the public and the location of the cameras monitoring the space open for the public shall not be regarded as business secrets since this information is easily accessible to other economic operators conducting similar business activities.

The conclusion of the Hungarian DPA was that given that the access to protected data and information could have been prevented by properly blurring the recordings, the data controller violated Article 15 (3) of the GDPR by refusing to release a copy of the blurred recordings.

In the above decision (NAIH/2019/1859, in Hungarian), the Hungarian DPA also defined some limitations to the right of access. The data subject (who was the applicant in the proceedings before the Hungarian DPA) requested, besides some voice recordings that were made during the phone conversations between the data subject and the call center of the data controller, a list of voice recordings organised on the basis of the criteria defined by the data subject in his request. The Hungarian DPA found that such a request goes beyond the boundaries of the right of access:

[...] in the course of exercising the right of access, the data controller shall disclose only those data and information that are at his disposal, and shall not be obliged to produce or generate data that the data controller does not dispose of. The data controller shall not be obliged to carry out further processing activities of personal data within the framework of the exercise of the data subject's rights.

The data subject also requested information on the general data processing practice of the data controller. However, the Hungarian DPA found this request excessive, since

[...] within the framework of the right of access, the data subject may be informed whether and under what circumstances his personal data are being processed and therefore the right of access cannot be expanded in a manner to request information only on the data controller's general data processing practices.

The Hungarian DPA also made clear that if the data controller provides the data subject with a copy of the personal data, providing access to the original document is not necessary: 

[...] if the data controller gives a copy of the document to the data subject, [...] he grants the data subject's right of access fully, which means that the data controller shall not be obliged to provide the data subject with access to the original document under the provisions of the GDPR, except where such access is specifically required by law.

In a procedure concerning an employer's failure to fulfil an employee's right of access request (NAIH/2019/133, in Hungarian), the Hungarian DPA's conclusion seems to be favorable to data subjects (i.e. it provides a more extensive interpretation of the right of access):

For the applicant's [data subject's] request for access, the applicant [data subject] should have been provided not only with the information he provided to the data controller but also the copies of the documents available to the data controller, since the fact that the data controller provided certain data previously to the applicant [data subject] as required by the law does not exempt the data controller from the obligations to be fulfilled in accordance with the rules of right of access pursuant to Article 15 of the GDPR.

It appears from the above that many open questions and differing interpretations of the scope and limits of the right of access still appear in the decisions of data protection authorities and courts. It is likely that sooner or later the European Court of Justice will interpret the rules of right of access in the GDPR. Further clarification regarding the application of the right of access may help to achieve more unified application of this data subject right within the EU.

(A shorter version of the above post is also available at LinkedIn.)
