The Bottom Line
- Simply providing a summary of personal data is no longer sufficient to comply with a GDPR access request.
- Companies may now be required to provide copies of the actual documents—such as emails, reports, and internal notes—that contain an individual’s data.
- Claiming that a full response is a “disproportionate effort” requires concrete proof; a simple assertion is not a valid defense and can lead to court-ordered penalties.
The Details
In a significant ruling for corporate data governance, the District Court of The Hague has clarified the expansive nature of the GDPR’s “right of access.” The case involved an individual who requested a full copy of their personal data from a company. The company responded by providing an overview of the data categories it held but refused to provide the underlying documents, such as emails or internal memos, arguing it would be a disproportionate effort. The court firmly rejected this approach, ordering the company to provide a complete copy of the data, including the documents themselves, within four weeks or face financial penalties.
The court’s reasoning leans heavily on recent interpretations of Article 15 of the GDPR by the Court of Justice of the European Union (CJEU). It reiterated that the right to a “copy” means providing a faithful and intelligible reproduction of the personal data. To be intelligible, data often requires context. An isolated piece of information from a database might be meaningless without the email or report it came from. Therefore, providing the source document itself may be necessary to fulfill the spirit and letter of the law, ensuring the individual can effectively verify the lawfulness of the data processing.
For businesses, this ruling is a critical operational warning. The defense of “disproportionate effort” is not a get-out-of-jail-free card. The court made it clear that the burden of proof lies entirely with the company. A business cannot simply state that a request is too difficult to fulfill; it must provide specific, substantiated evidence detailing why the effort is excessive. This decision signals that courts are taking a subject-centric view of data access and expect companies to have robust systems in place to locate, collate, and produce personal data, regardless of where it is stored. CEOs and legal counsel must now urgently review their internal procedures for handling data subject access requests to ensure they can meet this higher standard of transparency.
Source
Rechtbank Den Haag (District Court of The Hague)
