THE RIGHT OF ACCESS TO PERSONAL DATA BY INDIVIDUALS UNDER REGULATIONS OF THE EUROPEAN UNION, TURKEY, & SWITZERLAND
In the last three decades, the ongoing digital (r)evolution and the growth in (cross-border) flows of personal data among and between public and private actors have increased the need to safeguard the fundamental rights of individuals. As a result, laws protecting most notably the right to privacy have been enacted in the EU and beyond. Although their contents may vary, such legislation typically serves the same purpose: to protect the fundamental rights and freedoms of people with respect to the processing of personal data, and to set out obligations, principles and procedures for the natural or legal persons who process such data.
In this regard, EU legislation (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Dir 95/46/EC] and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Reg 2016/679]) deserves special mention, as it exerts great influence not only on Member States but also on the personal data protection laws of non-EU (or non-EEA) countries such as Turkey and Switzerland. However, since EU law is neither directly applicable in Turkey and Switzerland nor subject to transposition requirements there, their national legislation differs in certain aspects from EU law and shows notable discrepancies between the two countries themselves.
Considering the ongoing concerns about data protection and recent legislative developments in this field, the following examines one of the essential pillars of the personal data protection architecture, namely the right of individuals to access their personal data, and its limitations.
Access to personal data in EU Regulations
Dir 95/46/EC
Under the EU’s personal data protection legislation, the right of access is fundamental, but it is not absolute. This was already enshrined in Dir 95/46/EC, which stated that any person must be able to exercise the right of access to personal data being processed, and that this right must not adversely affect third-party rights such as trade secrets or intellectual property (Recital 41). It was further recognized that Member States could – in the interest of the data subject or to protect the rights and freedoms of others – restrict the right of access to information (Recitals 41-43). Nevertheless, such considerations should not result in the data subject being refused all information (Recital 41). Accordingly, the Directive detailed the right of access and the possible exceptions and restrictions, thereby setting the framework within which Member States could legislate.
Specifically, Article 12 of Dir 95/46/EC provided that every data subject is guaranteed the right to access personal data without constraint, at reasonable intervals and without excessive delay or expense. This included the right to obtain from the controller confirmation as to whether data relating to the data subject was being processed and the purpose of such processing, communication in an intelligible form of the data undergoing processing, and details of the logic involved in any automatic processing of the data (Article 12(a)).
Article 13 of Dir 95/46/EC set out an exhaustive list of exemptions and restrictions through which Member States could limit the scope of, inter alia, the right of access through legislative measures. Specifically, Member States could apply such limitations in their national legislation to safeguard:
Importantly, such restrictive legislative measures were not to be enacted arbitrarily but had to be considered necessary to safeguard these interests, which implies that the respective legislature carries out some form of balancing of interests (Article 13(1)). Moreover, the right of access could be further restricted by legislative measures where data were processed solely for purposes of scientific research or were kept in personal form for a period not exceeding the period necessary for the sole purpose of creating statistics (Article 13(2)). This presupposed, on the one hand, that adequate legal safeguards were put in place. On the other hand, such limitations were conditional on the data not being used for taking measures or decisions regarding any particular individual.
Reg 2016/679
At the EU level, the contours of the right of access were sharpened in 2016 with the enactment of Reg 2016/679, which – unlike its predecessor – is directly applicable in Member States (Art. 288 Treaty on the Functioning of the European Union). To counteract fragmentation within Member States and address differences in the level of protection of personal data, Reg 2016/679 seeks to forge a harmonized regime that is consistent and homogeneous in all Member States. However, this does not prevent Member States from introducing further national legislation to specify the rules introduced at the European level (Recital 10).
In respect of the right of access, Reg 2016/679 restates the underlying considerations already included in Dir 95/46/EC and holds that it should be easy to exercise the right, and possible to do so at reasonable intervals, so that the data subject can be aware of, and verify, the lawfulness of the data processing (Recital 63).
The Regulation further takes into consideration technological developments by stating that controllers should provide, where possible, remote access to a secure system that allows accessing personal data directly. Specifically, Article 15 of the Regulation sets out the right of access by the data subject regarding:
Further, the Regulation provides detail concerning the exceptions and restrictions to the right of access to personal data. Notably, the exhaustive list in Article 13 of Dir 95/46/EC was replaced by a non-exhaustive list of exemptions in Article 23 of Reg 2016/679. Precisely, Member States may restrict by way of legislative measure the scope of the right of access for reasons of:
Importantly, this catalogue is wider than the exemptions included in Dir 95/46/EC and leaves Member States a significant margin of appreciation, especially regarding measures to safeguard public interests (Art. 23(1)(e) Reg 2016/679). Nevertheless, Article 23 also calls for a restrictive application of such legislative measures by Member States. This is evidenced by the fact that the scope of the right of access may only be restricted ‘when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the aforementioned interests’ (Art. 23(1)).
Furthermore, a restrictive legislative measure by a Member State shall contain specific provisions, where relevant, as to the purpose of the processing or categories of processing, the categories of personal data or the scope of restrictions introduced, among others (Article 23(2)).
Whenever personal data falling within the scope of Reg 2016/679 is not covered by exceptions or restrictions enacted by a Member State, a data subject has the right to request information. The controller, for its part, is under a duty to take appropriate measures to provide any information covered by the Regulation. However, even where a request for data covered by the right of access is made, there are certain situations in which a controller is under no obligation to act.
First, a controller may refuse to act on a data subject’s request to exercise his/her rights if it can demonstrate that it is not in a position to identify the data subject (Article 12(2)).
Second, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may simply refuse to act on the request (Article 12(5)(b)). Third, in the same situation of manifestly unfounded or excessive requests, the controller may, instead of refusing the request, charge a reasonable fee that takes into account the administrative costs associated with the request (Article 12(5)(a)). Accordingly, a controller could justifiably refuse a request if such a fee is not paid.
In any circumstance, the controller bears the burden of demonstrating the impossibility of identifying the data subject or the manifestly unfounded or excessive character of a request. Should the rights guaranteed under Reg 2016/679 and the applicable national legislation be infringed, for instance through an undue refusal of a request for personal data, Member States must ensure that the data subject can lodge a complaint with a supervisory authority.
The investigation following the complaint and the ensuing (administrative or judicial) decision of the supervisory authority are subject to an effective judicial remedy in the relevant Member State (Recitals 129, 141 and 143; Articles 58(5), 77-78). Notwithstanding the possibility of lodging a complaint with a supervisory authority, data subjects also have the right to an effective judicial remedy directly against the controller for infringements of the rights guaranteed under the Regulation (Article 79).
Access to personal data in Turkey
In Turkey, the processing of personal data and the related rights and obligations of entities and individuals dealing with personal data are regulated by the Personal Data Protection Law No. 6698 (Kişisel Verileri Koruma Kanunu [KVKK]). The law came into force on April 7, 2016, a couple of weeks before Reg 2016/679, and was fundamentally modelled after Dir 95/46/EC in order to bring Turkish data protection legislation in line with EU law. Consequently, the legislative developments on data protection currently in force in the EU are largely reflected in the KVKK.
Right of Access
Under the KVKK, any natural person whose personal data are processed can lodge an application with the controller (in writing or via other methods specified by the Personal Data Protection Board, including an e-mail address previously recorded in the data controller’s system) to exercise his/her right of access (Articles 2, 11 and 13 KVKK; Article 5 Communiqué on the Principles and Procedures for the Request to Data Controller [Communiqué]). Specifically, the right to access personal data under this law includes, inter alia, the right to:
Limitations
General restrictions to the right of access can be found in the exceptions clause which limits the scope of the KVKK. Pursuant to Article 28(1), the KVKK does not apply in cases where personal data is processed:
This provision is complemented by Article 28(2), which foresees further circumstances in which the right of access (along with the data controller’s obligation to inform [Article 10] and the enrolment requirement for data controllers in a public registry [Article 16]) does not apply, provided that the respective measure is proportionate and compliant with the purpose and fundamental principles of the KVKK (i.e., Article 4). Accordingly, the right of access is inapplicable where personal data processing:
Unless an exception applies, processed data falling within the scope of KVKK can be requested by the data subject. The controller is bound to act on such requests and communicate its response to the data subject in writing or by electronic means (Article 13 KVKK; Article 6 Communiqué). However, the controller may also decline a request ‘on justified grounds’ by issuing a reasoned decision where it finds the demand inadmissible (Article 13(3); Guideline İlgili Kişinin Hak Arama Yöntemleri).
However, neither the KVKK nor its corresponding by-laws and Guidelines published by the Personal Data Protection Authority elaborate what grounds could be considered justified to refuse an application for personal data. Likewise, the publicly available Board Decisions have not brought much clarification in this regard yet.
Taking into consideration the Communiqué outlining the principles and procedures for a request to the data controller, the first reason that could constitute a justified ground for refusal may be an application lodged in a language other than Turkish. Specifically, Article 4 of the Communiqué holds that data subjects may benefit from the right to request personal data provided that such requests are made in Turkish; a contrario, it is within the controller’s discretion whether to accept an application that does not comply with this requirement.
Second, non-observance of the form requirements of the application (e.g., the absence of a signature in a written application) as set out by the law and the Communiqué may also be considered a justified ground for refusal (Article 13(1) KVKK; Article 5 Communiqué). However, a data controller may not restrict the data subject’s right to request data by imposing higher burdens on the application procedure (e.g., notarial authentication) than those foreseen by the law and the Communiqué (see Board Decision 2019/296 of 01/10/2019). Conversely, the data controller is also bound by the form requirements applicable to its response, and failure to observe them can lead to administrative sanctions imposed by the Board (see Board Decision 2019/277 of 18/09/2019).
Third, although a request for personal data is generally free of charge, the data controller may request a fee if the action in question incurs an additional cost (Article 13(2) KVKK). Such fees may arise when a request is to be answered in writing (1 Turkish Lira for each page exceeding 10 pages) or to cover the cost of the medium (e.g., CD, flash memory, etc.) through which the requested data is transmitted (Article 7 Communiqué). Accordingly, a request for which the applicable fee has not been paid is likely to be declined.
If a data subject’s request for information is unduly refused, or the right of access is violated in another way laid out by the law, the data subject can lodge a complaint with the Personal Data Protection Board (Article 14 KVKK). The complaint procedure and the relevant modalities, including the mandatory prior exhaustion of the application to the controller, are detailed in Article 15 KVKK and the corresponding guidelines. According to official communication, a data subject whose request has been refused implicitly or explicitly may both lodge a complaint with the Board and resort directly to the judicial or administrative courts. In any event, the administrative decision issued by the Board can be subject to judicial review before the competent administrative courts on the basis of Articles 40(2) and 125 of the Constitution of the Republic of Turkey and the Procedure of Administrative Justice Act No. 2577. Moreover, the provisions regarding crimes and misdemeanours for failure to comply with the KVKK are applicable (Articles 17 and 18).
Access to personal data in Switzerland
In Switzerland, the processing of personal data by private persons and federal bodies is centrally governed by the Federal Act on Data Protection (FADP) (except in limited circumstances, data processing by cantonal authorities is governed by cantonal law).
The FADP came into force on 1 July 1993 and is currently undergoing a total revision (including a revision of the corresponding Ordinance to the Federal Act on Data Protection [FDPO] and other related legislative acts). The main aim of the total revision is to ensure compatibility with EU legislation, thus allowing Switzerland to uphold its obligations arising from the Schengen/Dublin cooperation agreements. Moreover, the new law aims to increase transparency in data processing, with notable effects on the mandatory information duties of data controllers and on the data subjects’ right of access. The new Federal Act on Data Protection (nFADP) is expected to enter into force in 2022.
Right of access
Under the law currently in force, the right of access to personal data is regulated by Article 8 FADP. Like the legislation of other jurisdictions, it foresees – upon request – the notification of, inter alia, the available data, the purpose of and legal basis for the processing, and the categories of personal data processed (Art. 8(2)).
The modalities for making a request are set out in Article 1 FDPO (in writing or online). Under Article 25 nFADP, the right of access to information is strengthened, notably in that certain information must be provided to a data subject in any circumstance if so requested (Article 25(2) nFADP). This information includes, inter alia, the identity and contact details of the person responsible for the processing, details of the specific personal data and details concerning the purpose of the processing (the list in Article 25(2) nFADP is non-exhaustive). Importantly, however, the new law states that such information must be provided only to the extent necessary to enforce the rights guaranteed under the Act itself. A request for data in pursuit of other interests, such as the procurement of evidence in civil proceedings, would therefore be considered unlawful and may be rejected accordingly (BBI 2017 6941 pp. 7066 f).
Limitations
The right of access is first limited by the scope of the FADP itself: data collected outside that scope is not covered. Notable limitations in this sense concern personal data processed by a natural person exclusively for personal use and not disclosed to outsiders, as well as the deliberations of the Federal Assembly and parliamentary committees (Article 2(2)(a) and (b) FADP).
These and other ‘carve-outs’ are still present in Article 2 nFADP, although the modified Act enjoys a partially widened scope of application through certain amendments introduced for reasons of compatibility with EU legislation (see especially personal data in civil proceedings, criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law; BBI 2017 6941 pp. 7013-7015).
Aside from the limitations of the scope of application, both the FADP and the nFADP include an explicit provision regulating the limitations of the right of access. Specifically, Article 9 FADP holds:
The reasons stated in Article 9 are considered exhaustive: any ground that does not fall within the catalogue of exceptions is inapplicable (for instance, the data subject’s failure to state the reasons for the request, except where abuse of law is suspected) and full information must be provided. Generally, the five grounds for limitation have been interpreted as follows (see SHK-DSG Husi-Stämpfli, Art. 9 N 15-39):
The tenets of the limitations to the right of access outlined in Article 9 FADP have been incorporated in the nFADP. Accordingly, the exceptions in Article 26 nFADP are the only valid reasons for refusal of access (BBI 2017 6941 p. 7070). Aside from slight differences in drafting, Article 26 nFADP reflects Article 9 FADP in all essential aspects; but it also adds an entirely new element inspired by the relevant provision in EU legislation (see Art. 12(5) Reg 2016/679). Under Article 26(1)(c) nFADP, access to information can be refused, restricted, or deferred when: the request is manifestly unfounded, namely when it serves an objective that is contrary to data protection, or when it is manifestly querulous (non-official translation).
According to the official message accompanying the total revision of the FADP, this proviso is to be applied narrowly, given the serious limitation of a fundamental right that it entails. Thus, a data controller faced with such a request must not refuse access lightly but – as far as possible – adopt the course of action most favourable to the data subject (e.g., restricted access or deferral instead of refusal) (BBI 2017 6941 p. 7069).
Against this backdrop, a manifestly unfounded request can only be assumed where there is a (reasonable) suspicion of abuse of rights (e.g., use of the right of access exclusively to obtain evidence for court proceedings, so-called ‘fishing expeditions’), which manifests itself in the data subject putting forward a reason for the request that is untenable even without in-depth assessment. The mere absence of a special interest in obtaining the information does not suffice to limit the right, although the data controller may ask for some form of motivation in order to dispel allegations of abuse of rights (BGE 138 III 425 E. 5.4). Similarly, a manifestly querulous request is one that, for instance, is repeated excessively without plausible reasons, or that is directed at a data controller which the data subject knows does not hold relevant data. It should not be lightly assumed, either.
As under the data protection legislation of other jurisdictions, a data controller in Switzerland must state the reasons for applying a limitation within the meaning of Article 9(5) FADP (or Article 26(4) nFADP). In any circumstance, a limitation must comply with the principle of proportionality as enshrined in Article 4(2) FADP (or Article 6(2) nFADP) and Article 36(2) of the Federal Constitution of the Swiss Confederation, which mandates a balancing of interests between, on the one hand, the data subject’s right of access and his/her interest in transparent data processing and, on the other hand, the reasons for the limitation in the case at hand.
Finally, the right of access can be limited under the FADP for reasons of freedom of the press. Article 10 FADP provides that access to information can be restricted for data used exclusively in the edited section of a periodically published medium, for instance where the personal data would reveal the sources of the information or where the freedom of the public to form its opinion would be prejudiced (Article 10(1)(a) and (c) FADP). This provision has been carried over into the nFADP without material changes (Article 27).
If a data subject’s request for information is unduly limited within the meaning of the FADP (or the nFADP), the course of action depends on whether the relevant data controller is a private person or a federal body. If the limitation emanates from a private person, the data subject can bring a civil claim against him/her based on Article 15 FADP (or Article 32 nFADP) in conjunction with Articles 28, 28a and 28g-28l of the Swiss Civil Code. If the data processing entity is a federal body, the limitation of the right of access is issued in the form of a decision that can be reviewed on the basis of Article 25 FADP (or Article 41 nFADP) in conjunction with Articles 44 et seq. of the Federal Act on Administrative Procedure. Moreover, the criminal provisions regarding breaches of the obligation to provide information under the FADP (or the nFADP) are applicable (Article 34 FADP; Article 60 nFADP).
Observations & Conclusion
Under the legislation of the EU, Turkey and Switzerland, the right of access to personal information is guaranteed and comprises largely the same elements. This may be partly due to a convergence of legislation and – in the case of Turkey and Switzerland – is furthered by the influence and (indirect) regulatory force of EU law. All of the legislation analysed provides for circumstances that fall outside the scope of protection granted by the relevant data protection and privacy laws. Especially where public authorities are concerned, such exceptions and restrictions are potentially wide and may have far-reaching consequences, particularly with regard to safeguarding public interests such as national security or economic and financial stability. Considering the political turmoil, threats of terrorism and economic hardship with which several European countries and Turkey have been faced in the last five years, the tendency to preserve maximum public policy space in this context is likely to persist.
While public authorities may frequently benefit from some form of exemption from the duty to provide information, the considerations surrounding the right of access and its limitations are arguably most relevant where the data controller and the data subject are in a horizontal relationship. For instance, questions may arise as to the lawfulness of withholding certain information where an employer that has dismissed an employee is subsequently faced with that employee’s request for personal data. Such data may include information that the dismissed employee could use to bring a claim based on infringements of labour law. In Switzerland, such circumstances have been the subject of scholarly debate (e.g., Suter-Sieber, Stutz, Wirz [2021], Datenschutzzweckwidrige Auskunftsbegehren im Arbeitsverhältnis, AJP) and have been examined by the competent judicial bodies (e.g., BGE 138 III 425, BGer 4A_277/2020).
There is a scarcity of scholarly and judicial comment on limitations of the right of access in Turkey for the moment. As announced in paragraph 479.1 of the Eleventh Development Plan (2019-2023), an update of the KVKK based on Reg 2016/679 is foreseen in the years to come. Court precedent and such reform may bring some further clarification in due time.
The right of access to personal data is fundamental in the legislative framework governing data protection and privacy in the EU, Turkey and Switzerland. It is a central element and a necessary condition for the enforcement of other statutory guarantees, such as the accuracy of data or the lawfulness of processing. Limitations of the right of access in areas covered by the relevant data protection and privacy laws are addressed differently in these jurisdictions. While legislation and secondary sources in the EU and Switzerland show efforts to provide greater detail on the circumstances in which requests for personal data can be rejected (e.g., ‘manifestly unfounded’ requests), the approach to refusal endorsed in Turkish legislation is wider (‘justified grounds’) and currently lacks concrete guidance. This latter situation is unsatisfactory for both data controllers and data subjects, as the lack of foreseeability and legal certainty could translate into more complaints being lodged with the Board in order to clarify the lawfulness of a possible refusal.
Given the different personal, material, and territorial scopes of application in data protection and privacy laws, data controllers may be subject to more than only their home State’s legislation. To assure compliance and avoid possible judicial and/or administrative injunctions, they have an interest in informing themselves on the intricacies surrounding the right of access and its limitations in the jurisdictions relevant to their operations.