In a new ruling, the European Court of Justice has established that log files generally constitute personal data covered by the right of access. The decision thus entails a change in the Danish Data Protection Agency's previous practice, as individuals who request access to the processing of their personal data now also have the right to gain access to log files from posts about them.
This decision means that the scope of a company or authority's response to an access request is now broader, as not only the personal data itself in a register or database is covered by the right of access, but also log files about access to it.
The right of access
Under the General Data Protection Regulation ("GDPR"), every person has the right to obtain certain information about how a data controller processes their personal data and a copy of the personal data being processed. This right is called the data subject's right of access.
The right of access to personal data collected and processed about an individual is primarily intended to enable the individual to ascertain and verify the lawfulness of the processing. It follows from this right that every person should have the right to know and be informed, in particular, of the purposes for which the personal data is processed, the duration of the processing, any recipients of the personal data and the logic involved in processing the personal data. The right of access thus also aims to create transparency in the processing of personal data.
The data controller or authority is thus obliged to establish procedures for how access requests are handled and answered to ensure that access requests are answered correctly. In addition, the data controller must make sure to use systems that have standard settings and configuration that support data protection - including that the systems are designed so that it is possible to provide access to and copies of processed personal data.
Finally, it is also a fundamental prerequisite for complying with an access request that the data controller or authority has a full overview of what personal data has been collected and how it is processed.
What logs constitute personal data
A log is a file in which an IT system stores information about its operation and usage. The nature of the log can vary, and in some cases may constitute personal data. Until now, the Danish Data Protection Agency has considered log files to be merely a system security facility that was not covered by the right of access.
However, the aforementioned new ruling from the CJEU has established that logs from paging and searches must be considered personal data covered by the right of access in the GDPR. The CJEU states that the broad definition of the term "personal data" includes not only the data collected and stored by the controller, but also all data resulting from the processing of personal data, including, for example, logs relating to an identified or identifiable natural person.
When logs contain information about when a given person's data has been accessed, what the purpose of the access was, and who made the access, the logs themselves constitute personal data. These logs constitute personal data because they result from the processing of personal data relating to an identified or identifiable person.
This also means that it is a prerequisite that the log files are linked to a related processing of personal data and other personal data in the form of a customer profile, personnel file or similar. If employees' movements to and from the workplace are logged, however, such logs will not constitute personal data about the individuals whose data is processed or stored at the workplace. Such access logs of employees' arrival and departure times at the workplace are of a general nature and the information cannot be attributed to an identifiable or identified person. Access to the workplace does not mean that the employee in question has accessed personal data about the person requesting access.
The importance of the new practice
When an individual requests access to logs relating to lookups and searches of their personal data, the controller is obliged to provide a copy of the personal data recorded in the log, including when searches were made and for what purpose, and generally also the identity of the employee who conducted the search.
However, there are certain exceptions to the right of access, according to which the requesting person is not entitled to access the data, especially if the access would result in a violation of the rights of other persons or if other decisive considerations justify the exception. The latter should be of particular concern to the data controller or authority when assessing whether a specific request for access should include information about who has accessed a log file.
Thus, a written assessment must be made as to whether the identity of the employee who conducted the search should be excluded from the copy of the log to the requesting person. The requester may have an interest in obtaining the identity if they suspect that an unauthorized search has taken place, which argues against the exemption of the information. However, the disclosure of the employee's name cannot be made if, after a specific assessment, it turns out that this would mean a violation of the employee or their rights.
The Danish Data Protection Agency has established a rule of thumb according to which the employee's identity must be disclosed if the requesting person has stated a specific purpose for learning the identity of the employee. On the other hand, the employee's interests may justify an exception if the requesting person has only wanted general access to the log without having a specific need to know the identity of the employee who conducted the searches.
CLEMENS' comments
For most companies and authorities, access requests are a resource-intensive and demanding exercise. The new ruling from the European Court of Justice points in the same direction and extends the right of access to search and lookup logs.
It is therefore important to establish appropriate procedures for handling access requests to make the best use of resources or review existing procedures to consider logs.
At CLEMENS, we help you create and update procedures for how your organization handles access requests in the best possible and compliant way.
In addition, we are also available if your organization has received an access request and needs assistance in handling it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
