Fulfilling Data Access Requests under Article 15 GDPR
Ensuring legally compliant fulfilment of a data access request under Article 15 General Data Protection Regulation (GDPR) presents considerable practical challenges for employers, particularly in long-standing employment relationships. Eight years after the GDPR came into force, key aspects remain unresolved by case law. In crucial areas, differing views persist in jurisprudence and legal literature.
This article provides an overview of questions that have already been decided as well as those that remain open, and offers recommendations on how employers can handle data access requests. Whether a delayed or omitted response gives rise to a claim for damages has been explained in greater detail in this article.
Purpose of the data access request is irrelevant
In the past, employers and courts attempted to limit the right of access by refusing requests that were clearly aimed at purposes unrelated to data protection, such as gathering information for other legal proceedings. This objection is no longer tenable since the judgment of the European Court of Justice (ECJ) of 26 October 2023 (file no. C-307/22). In this decision, the ECJ clarified that the data subject does not need to justify their data access request under Article 15 GDPR, and therefore the response cannot be made dependent on the intended purpose.
Can the employer require the data subject to specify the request?
It remains unresolved to what extent the right of access under Article 15 GDPR must be specified. The background is Recital 63 of the GDPR. According to sentence 7 of this recital, the controller may request that the data subject specify the information or processing activities to which the request relates before providing the information, if the controller processes a large quantity of information concerning the data subject. This is particularly relevant in employment law, as a long-term employment relationship generates an almost unmanageable volume of personal data.
Based on decisions by the Labour Court of Bonn (judgment of 16 July 2020, file no. 3 Ca 2026/19) and the Higher Labour Court of Hesse (judgment of 10 June 2021, file no. 9 Sa 861/20), a convincing view has emerged that, in light of the recital, there is a graduated obligation to fulfil the data access request, whereby only the information specifically requested must be provided. If a general, unspecified data access request is made in a long-standing employment relationship, it should suffice to provide only the master data along with the information listed in Article 15 paragraph 1 letters a to h GDPR. The Labour Court of Heilbronn recently adopted this view (judgment of 27 March 2025, file no. 8 Ca 123/24). Accordingly, in the case of general data access requests, the employer may require the employee to specify the request. The less specific the request, the less the employer can reasonably be expected to provide comprehensive information.
The Higher Regional Court of Nuremberg, for example, was stricter than this pragmatic labour court jurisprudence: it rejected the requirement to specify the data access request in the case of a former board member (judgment of 29 November 2023, file no. 4 U 347/21).
It remains unclear whether the labour court jurisprudence will stand in light of the recent ECJ case law. The ECJ interprets the right of access broadly and does not recognise any limitations of the wording of Article 15 GDPR based on the recitals with regard to the intended purpose. However, it is still open whether this reasoning also applies to the specification requirement under sentence 7 of Recital 63.
No data access if overriding legitimate confidentiality interests exist
According to section 29 paragraph 1 sentence 2 of the Federal Data Protection Act (BDSG), the right of access under Article 15 GDPR does not apply to data that must be kept confidential by law or by their nature, particularly due to overriding legitimate interests of a third party. To invoke this provision and reject data access requests, employers must specifically demonstrate, for each piece of data withheld, which rights, freedoms and confidentiality interests outweigh those of the data subject and why. For example, employers are not obliged to disclose the identity of whistleblowers. Employers may also invoke their own confidentiality interests, particularly with regard to business secrets, intellectual property rights and confidential legal correspondence.
The right of access includes copies of personal data
For a long time, the prevailing view was that Article 15 GDPR comprises two separate rights: a right of access and a right to receive a copy of the data. This understanding was reflected in the judgment of the Federal Labour Court of 16 December 2021 (file no. 2 AZR 235/21). However, the ECJ clarified in its judgment of 4 May 2023 (file no. C-487/21) that it is a single right. The right to receive a copy under Article 15 paragraph 3 GDPR merely regulates the modalities of fulfilling the right of access.
According to the ECJ, “copy of the data” does not mean the provision of documents as such, but rather the personal data contained in those documents and subject to processing. These data must be reproduced completely and accurately. A contextless reproduction is insufficient if context is necessary to ensure comprehensibility and to enable the data subject to effectively exercise their rights under the GDPR.
Handling extensive data access requests
If unspecified data access requests are made by (former) employees, the legally safest approach is to provide all available personal data. However, this is often associated with considerable effort in practice, and “hidden” personal data may make full disclosure nearly impossible. Therefore, for employers willing to accept manageable legal risks, it is advisable to provide, in addition to the information under Article 15 paragraph 1 letters a to h GDPR, all personal data that can be identified with reasonable effort. These include master data such as name, address, e-mail address, telephone number, bank details, tax and social security numbers, and health insurance membership. It is also advisable to include the contents of the personnel file, payroll records and any information on occupational pension schemes. At the same time, the employee should be asked to specify which additional data they wish to receive. Further personal data would then only be provided upon a specified request.
E-mails, in particular, can pose a significant challenge, as thousands of e-mails to, from and about the data subject may accumulate during the course of employment, containing personal data. To provide copies of all relevant e-mails, employers must compile the e-mails concerning the data subject, review them manually, redact them if necessary, or refuse disclosure in individual cases due to overriding confidentiality interests. These situations cannot be resolved without a certain degree of pragmatism. Employers should insist on the greatest possible specification of the request and reject general demands, such as the release of all e-mails concerning the data subject, as insufficiently precise.
As a last line of defence, employers may invoke unreasonableness under section 275 of the German Civil Code (BGB). For example, the Regional Court of Heidelberg (judgment of 21 February 2020, file no. 4 O 6/19) considered it unreasonable to review approximately 10,000 e-mails and redact individual names, and therefore rejected the access request under Article 15 GDPR.
Copies of the data must be provided without undue delay and at the latest within one month of receipt of the request, in accordance with Article 12 paragraph 3 GDPR. In employment law, it will often be possible to use the full one-month period. Furthermore, this period may be extended by up to two additional months if necessary, taking into account the complexity and number of requests. In such cases, the employer must inform the data subject within one month of receipt of the request about the extension and the reasons for the delay. An extension is particularly appropriate if the data subject is not asked to specify the request or if, despite specification, a very large volume of personal data is affected.
Conclusions
Fulfilling data access requests under Article 15 GDPR remains demanding and legally uncertain for employers. This highlights the importance of reviewing one’s own data inventory and implementing data deletion concepts. This not only ensures compliance with GDPR obligations but also means that deleted data cannot be provided in response to data access requests.
Until case law provides final clarity, it is advisable to carefully review data access requests, respond to them with reasonable effort, and ask data subjects to specify their requests where appropriate. At the same time, employers should document which data were provided and which were withheld for legitimate reasons. This helps to minimise legal risks and meet the requirements of the GDPR in a practical manner.












