The right to issue data copy
In principle, the General Data Protection Regulation (GDPR) gives every person the right to request information from a company or an authority (person responsible), whether and which personal data the person responsible processes about the person concerned. The person responsible is obliged to provide the person concerned. The person responsible is also obliged to provide the data subject with a copy of the personal data available from them.
Several courts now had to deal with the question of whether a data subject can, as a result, request that they are made available to them copies of all e-mails and internal notes that are available from the person responsible.
So far no fundamental decision
The Federal Labor Court dismissed the corresponding lawsuit by an employee against his former employer. In the specific case, the court was of the opinion that the employee had not already specified which emails the former employer should grant copies. The Federal Labor Court refrained from submitting the matter to the European Court of Justice. It is a procedural question that can only be assessed according to German procedural law as to whether a request for a lawsuit is sufficiently specific.
The Federal Court of Justice, on the other hand, condemned an insurance company to copy the complete e-mail correspondence with a policyholder, including all internal notes. According to the Federal Court of Justice, it was apparently so clear that such a comprehensive claim for data copy is without further ado was that the Federal Court of Justice was so clear that the Federal Court of Justice saw no need to submit the matter to the European Court of Justice.
Observe reluctant interests, recognize differentiating criteria
It may be obvious that there can be such a extensive claim for information in an (insurance) customer relationship. However, the situation should be assessed more critically if a person who was previously involved as an employee, as a managing director or as a board member in the company-internal processes as required to provide their data copies of all emails or notes that contain the information about you. The situation will be similarly critical in the event of an external consultant. Emails or internal notes regularly contain not only information about the person in question, but also information about other people or business secrets or company interna. Such e-mails or notes can also be misleading from the context. The question is how the partly opposite interests of the people and companies involved must be taken into account in individual cases.
Is all a question of individual case?
Data processing companies can certainly not be entitled to a complete data copy only because of disproportionate effort or permanently let the desire of a data subject to run in the event due to the supposedly insufficient concretization of the emails to be copied. On the other hand, affected persons will not always be entitled to data copies without taking any other interests of the person responsible or regardless of the rights of third parties who are mentioned in such emails or notes.
Even after more than two years of application of the GDPR, a lot is still in need of clarification. Those responsible threaten sharp sanctions, both if they wrongly refuse information or copies, as well as if they wrongly disclose data on persons or business secrets to third parties. Compliance and good advice are still the bid of the hour.
