26/03/2025
Briefing

One of the most common challenges faced by controllers, and consistently the most complained about topic to the Data Protection Commission (“DPC”), is the right of access. Controllers are often frustrated about the broad scope of the right of access, the expansive definition of personal data and the seemingly boundless resources expected to be deployed in responding to these requests. Until recently there has been relatively little guidance available to controllers as to how they can balance the right of access with other often competing rights, which can include the rights of third parties to privacy, confidentiality, security and safety.

Article 15(3) GDPR provides a right to individual data subjects to obtain a copy of their personal data from any controller that processes it. Article 15(4) GDPR limits the scope of a data subject access request (“DSAR”) in circumstances where this would “adversely affect the rights and freedoms of others”. While Article 15(4) is a short and sensible restriction, applying it to practical situations has proven challenging, as illustrated by the fact that the DPC is receiving over 1,000 complaints a year from data subjects specifically on this topic. Determining if and how the restriction applies often involves a nuanced analysis in light of the particular context, information or documents concerned and the third-party rights or freedoms that may be adversely affected through the potential disclosure. In this briefing, we examine recent guidance on this topic.

Background

The Article 15(4) GDPR restriction commonly arises where a controller receives a DSAR that relates to documents that contain both the requestor’s personal data and the personal data or confidential information of other third parties (as has been the subject of recent discussion in Ireland). As we shall see, the available guidance weighs very heavily in favour of the data subject seeking to exercise their right of access, which reflects the reality that data protection supervisory authorities often perceive their role as one of championing the vindication of fundamental data subject rights (and Article 57 GDPR largely endorses such an approach).

Unfortunately, there is no corresponding supervisory authority that is charged with guiding controllers on how to balance DSAR rights with other rights and freedoms. As a result, controllers frequently find themselves struggling to apply the guidance issued by the European Data Protection Board (“EDPB”) and the DPC to common practical scenarios where competing rights and interests collide.

Core Principles – EDPB DSAR Guidelines

The EDPB considers the application of the Article 15(4) GDPR restriction in its Guidelines 01/2022 on data subject rights – Right of access. Key insights from the EDPB’s Guidelines include:

  • Scope of Protected Rights: in principle, any right or freedom based on European Union or Member State law may be considered in the context of the Article 15(4) GDPR restriction, however, the particular weight or priority of the conflicting right or freedom will be relevant to the application of the balancing test by the controller when considering whether to withhold or redact the information or document in question;
  • Threshold for Reliance: a general concern that the rights and freedoms of others may be affected by the disclosure of the relevant information or documentation is not enough to rely on Article 15(4) GDPR; rather, the controller must be able to demonstrate that “in the concrete situation, rights or freedoms of other would, in fact, be impacted”;
  • Assessment Process & Balancing Test: the EDPB outlines the following 3-step assessment process for controllers considering the application of Article 15(4) GDPR:
    • the controller should firstly assess if complying with the DSAR will have an adverse effect on the rights or freedoms of others;
    • the controller should then weigh the rights and freedoms of the parties concerned, in light of the specific circumstances of the matter and the severity of the risks to each party, and attempt to reconcile the competing rights, including through mitigation measures such as redaction of certain information (i.e. the balancing test); and
    • only where reconciliation is impossible should the controller determine which of the competing rights and freedoms prevails;
  • Provision of Reasons to Data Subjects: where a controller refuses to act in whole or in part on a DSAR pursuant to Article 15(4), it is required to inform the relevant data subject of the reasons for such refusal without delay and in any case within one month (in line with Article 12(4) GDPR). The explanatory statement provided by the controller must refer to the “concrete circumstances” that justify the refusal to allow the data subject to assess whether they should take action against it.

More recently, on 16 January 2025 the EDPB adopted a report on the Implementation of the right of access by controllers. While the EDPB report focuses more on the manner in which the right of access has been understood and implemented in practice, it underlines the importance of controllers assessing the application of Article 15(4) GDPR on a case-by-case basis and of properly documenting the rationale for any restrictions of the right of access on the basis of Article 15(4) GDPR.

Protection of Third-Party Personal Data under Article 15(4) GDPR – Recent DPC Guidance

Following media reports documenting the concerns of a housing charity that abusers were seeking to use DSARs to access details of domestic abuse victims, the DPC published a blog on its website entitled Handling of Subject Access Requests which contains specific commentary on the application of the Article 15(4) restriction in circumstances where third-party personal data is also contained in documents that fall within the scope of a DSAR. Key takeaways include:

  • any restriction on the right of access to information must be justified by controllers on an evidential basis, by reference to the specific context of the case concerned;
  • where a document contains both the personal data of the requestor and that of other third parties “it is clear” that an identified risk of harm to the relevant third parties arising from the disclosure of their personal data can justify the withholding of such information (i.e. under Article 15(4) GDPR);
  • in “highly sensitive situations” where the release of third-party personal data is highly likely to result in significant harms and risks to other persons, there is a general presumption that the requestor’s right of access can be restricted; and
  • in all cases, decisions taken to restrict the right of access should be properly documented by controllers. In this regard, controllers should record: (a) the reasoning for why the restriction of the right of access was applicable, (b) details of how the decision was reached, and (c) the efforts made by the controller to consider the rights of all parties involved.

Conclusion

The DPC’s recent blog post brings very welcome comfort to controllers who harbour genuine concerns about the consequences of disclosing vast quantities of documentation (even redacted documentation) to data subjects in circumstances where there may be a harmful motivation behind the request. While the guidance fairly requires controllers to carefully document the rationale behind their reliance on Article 15(4), it is also important that confidentiality is preserved around the controller’s decisions. In serious cases such as those involving a potential risk to the safety, security or privacy of other persons, controllers should consider obtaining legal advice to guide them through the specific context.

Legal advice is itself exempt from disclosure under Section 162 of the Data Protection Act 2018 (“DPA 2018”) and it should help to support a defensible position in light of Article 15(4) and the other restrictions and exceptions to the access right that exist under Sections 60 and 162 of the DPA 2018. While the DPC will routinely challenge a controller’s reliance on those exceptions on receipt of a complaint from the data subject, it is helpful that there is now publicly available guidance that controllers can point to in support of their decisions.

The authors would like to thank Julie O’Brien for her contribution to the article.