Denmark: Datatilsynet finds Municipality's rejection of subject access request lawful
The Danish data protection authority ('Datatilsynet') published, on 26 April 2022, its decision in Case No. 2021-32-2438, as issued on 31 March 2022, in which it found that a Municipality's assessment to reject a former employee's request for access to personal data lawful and in accordance with Articles 12(5)(b) and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint to the Datatilsynet.
Background to the decision
In particular, the Datatilsynet stated that it had received a complaint on 12 August 2021, regarding a Municipality's handling of an access request by the complainant, a former employee of the Municipality. More specifically, the Datatilsynet specified that the complainant's request from the Municipality, made after the termination of their employment, was to access all communications in which they were mentioned. In this regard, the Datatilsynet noted that the Municipality had asked the complainant to specify their request as the desired material was extensive, which the complainant refused to do.
Findings of the Datatilsynet
Notably, following its investigation, the Datatilsynet found that there were no grounds for overriding the Municipality's assessment of the complainant's request and, as such, found that it had taken place in accordance with Article 15 of the GDPR. In this regard, the Datatilsynet also emphasised that even though the information requested by the complainant, which included letters and emails that have been signed or sent by the complainant, could be considered personal data, the information was first and foremost a description of the function the complainant performed during employment and thus is not, to a great extent, information 'about' the complainant.
Ultimately, the Datatilsynet expressed that it had found the Municipality's assessment of the information access request by the complainant adequate and in accordance with Articles 12(5)(b) and 15 of the GDPR.