GDPR - a fine balancing act
Articles 12-15 of the General Data Protection Regulation (GDPR) list the obligations of a data controller to provide the data subject, among others, with clear and transparent information on its personal data that is being processed. This obligation ties into the cardinal principles of lawful data processing as described in Article 5 of the GDPR, including the data subject's right to "transparency".
Article 23, however, allows EU or national law to provide for "restrictions" of this right "when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard paramount interest" such as national security, defence, public security and a limitative list of other interests including "the protection of the data subject or the rights and freedoms of others".
The latter basis for restriction echoes the old adage that one's personal rights and freedoms end where those of others commence.
In a recent Dutch court case, the data controller refused access to a whole series of e-mails on the basis that these would be "internal notes that contain personal thoughts of employees and are only intended for internal consultation and deliberation". The privacy of those employees would be endangered by sending those e-mails to the applicant (in line with the exception of Article 23). The court found that the e-mails in question did in fact contain personal data of the applicant. However, the court did not follow the data controller in invoking the exception of Article 23 GDPR because the privacy of its employees would be at risk.
The court clearly states that the exception can only apply after a balancing of interests and if there are “important interests” that justify an exception to the basic right of access by the data subject.
Those important interests must be clearly motivated and have sufficient weight, and that was not the case here. The conclusion is that the controller has wrongly (or at least without sufficient motivation) refused access to a number of e-mails containing personal data of the applicant.
This court ruling once again demonstrates how data privacy law is always a balancing act between data subject's (fundamental) rights and economic interests, whereby the former will prevail unless convincing arguments of paramount legitimate interests can be brought.