IDPC data protection decision – right of access

IDPC data protection decision – right of access

January 2025

The Commissioner issued a reprimand to a controller for not granting a data subject access to internal emails exchanged among the controller's employees that included the data subject's personal data, as well as information relating to the processing activity.

The Commissioner ruled that the right of access applies to all personal data processed by the controller, irrespective of whether such data is found in internal communications among employees.

Furthermore, the Commissioner noted that the controller did not adequately inform the data subject in its response that it was withholding access to the personal data contained within the internal emails. As a result, the controller's response lacked the necessary elements of transparency and fairness.

Consequently, the Commissioner ordered the controller to provide the data subject with information regarding the processing activity in accordance with article 15(1)(a) to (h) of the Regulation, and access to the emails containing his personal data after redacting the personal data of the employees of the controller and other non-personal data.

To read more about this decision click here

Skip to content