IDC Names Securiti a Worldwide Leader in Data Privacy


DSARs may include internal communication

Published August 19, 2021 / Updated February 12, 2024

Listen to the content

Are you ready to respond to DSARs asking for internal communications?

When you respond to data subject access requests, as per Article 15 of the GDPR, you no doubt review databases of information- so called “Structured Data” - on your systems and in the cloud, compile all the personal data you have on the data subject (probably a customer record) and send it to the requestor along with additional information about processing activities being carried on the data.

But a recent ruling by the German Federal Court of Justice (Bundersgerichtshof) has potentially extended that to include all information known about the data subject, including any previous correspondence, internal communications and notes.

This ruling makes clear that data collected and shared via internal processes is covered under the right to access as per Article 15 of the GDPR, potentially expanding the breadth of information many people thought was covered in a data subject access request.

To help operationalize this, imagine a customer serially calls your customer support team for help. The customer is identified in every instance and the call is recorded for quality assurance purposes by your organization. If that customer is protected under the GDPR and makes an access request under Article 15 - it won’t be enough to just provide him access to his file, you also need to attach all those recorded calls!

This ruling also states that internal communications about the data subject should be released as part of a DSAR, we have to think whether it would be embarrassing, or worse, if all internal communications were released. In that regard, we make two recommendations that flow from this ruling:

  1. Explain and train your staff not to write anything about a customer / prospect or fellow employee that they don’t want to be seen now or in the future by the data subject.
  2. Have a system that can discover and collect data on data subjects across all systems, including unstructured systems such as email, Slack, standard office documents and all other internal communication systems.

It is also important to note that the ruling did recognize that any documentation or internal communication which contains legal analysis can be excluded from an access request as it does not constitute personal data since it is information about the assessment and application of the law to the data subject’s situation. A summary of the personal data information which was considered for the legal analysis can be provided but the analysis and the results of the analysis are exempt.

Security can help you enable swift and accurate DSR fulfillment from our sensitive data intelligence models.

We can give you data discovery across more than 200 apps to find data assets, and discover personal data in structured and unstructured data systems, across on-premises and multi-cloud and automatically discover and build a relationship map between personal data and its owner.

Frequently Asked Questions (FAQs)

A Data Subject Access Request (DSAR) should include a clear request for access to personal data, specifying the data you want to access or information you need. It should also include your contact details for the response and any details that can help the organization identify your data. DSARs should be in writing, and the organization is required to respond within a specific timeframe under GDPR.

Yes, the GDPR applies to internal communications within organizations. Any personal data processing that occurs within the context of employment or organizational activities is subject to GDPR. Employers must comply with GDPR when handling employees' personal data in areas such as HR, payroll, and internal communication systems.

An example of a DSAR is when customers request access to their purchase history and personal data stored by an online retailer.

View More

Discover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs

Here’s a short video explaining sensitive data intelligence

Your Data+AI Command Center

Enable Safe Use of Data and AI

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You