According to the Data Protection Agency, an insurance company was justified in not providing access to an internal working document as well as the names of the company’s employees to a former customer.
The GDPR states that a data subject can request access from the data controller to all personal data held by the controller about him or her. Certain information may, however, be exempt from the right of access, for instance if a substantial private or public interest overrides the interests of the data subject. In this case, the Data Protection Agency had to decide whether an insurance company was obligated to provide a former customer access to, among other things, an internal working document drawn up by the insurance company.
The case concerned an insurance company that terminated a customer’s insurance cover. Prior to that, the insurance company had collected information on the former customer via the internet and through physical surveillance.
The former customer was not happy about the situation and asked the insurance company for access to all information registered about him or her. The former customer also requested access to internal working documents, the names and job titles of the employees at the company who had been involved in the case, and the name of a medical consultant who had assessed the former customer’s condition. At the same time, the former customer informed the insurance company that legal proceedings would be issued against it.
The insurance company handed out all data processed about the former customer. The insurance company did, however, refuse to provide access to the names of the employees and medical consultant. Likewise, it would not provide access to an internal working document containing legal assessments and correspondence between the insurance company and its lawyer. These exceptions caused the former customer to lodge a complaint with the Data Protection Agency.
Right of access does not cover all internal working documents
The Data Protection Agency stated that the names of the insurance company’s employees and the medical consultant did not constitute personal data on the former customer within the meaning of the data protection legislation. Consequently, the former customer’s right of access did not comprise such information.
As regards the internal working document, the insurance company argued that it contained personal data about the former customer, but that this information had also been contained in other documents to which the former customer had already been given access. The document also contained legal assessments written by the insurance company, some of which had been composed in preparation for the legal proceedings announced by the former customer.
The Data Protection Agency further stated that internal working documents containing, for example, a legal assessment of whether a data controller may expect a favourable outcome in ongoing or expected legal proceedings may be exempted from the right of access on grounds of the data controller’s private interests. The Data Protection Agency found that the internal document could be exempted from the right of access and attached weight to the fact that all personal data about the former customer contained in the working document had already been disclosed in other documents, and that the material did not otherwise contain data covered by the right of access. The same applied to the correspondence between the insurance company and its lawyer.
On that basis, the Data Protection Agency found that the insurance company’s handling of the access request was in accordance with the rules on the right of access.
that the decision of the Data Protection Agency shows that internal working documents as well as correspondence with lawyers may in most cases be exempt from the right of access to personal data.
The content of the above is not, and should not be a substitute for legal advice.