IDC Names Securiti a Worldwide Leader in Data Privacy


DSARs may include internal communication

By Securiti Research Team
Published August 19, 2021 / Updated April 10, 2023

Are you ready to respond to DSARs asking for internal communications?

When you respond to data subject access requests, as per Article 15 of the GDPR, you no doubt review databases of information- so called “Structured Data” - on your systems and in the cloud, compile all the personal data you have on the data subject (probably a customer record) and send it to the requestor along with additional information about processing activities being carried on the data.

But a recent ruling by the German Federal Court of Justice (Bundersgerichtshof) has potentially extended that to include all information known about the data subject, including any previous correspondence, internal communications and notes.

This ruling makes clear that data collected and shared via internal processes is covered under the right to access as per Article 15 of the GDPR, potentially expanding the breadth of information many people thought was covered in a data subject access request.

To help operationalize this, imagine a customer serially calls your customer support team for help. The customer is identified in every instance and the call is recorded for quality assurance purposes by your organization. If that customer is protected under the GDPR and makes an access request under Article 15 - it won’t be enough to just provide him access to his file, you also need to attach all those recorded calls!

This ruling also states that internal communications about the data subject should be released as part of a DSAR, we have to think whether it would be embarrassing, or worse, if all internal communications were released. In that regard, we make two recommendations that flow from this ruling:

  1. Explain and train your staff not to write anything about a customer / prospect or fellow employee that they don’t want to be seen now or in the future by the data subject.
  2. Have a system that can discover and collect data on data subjects across all systems, including unstructured systems such as email, Slack, standard office documents and all other internal communication systems.

It is also important to note that the ruling did recognize that any documentation or internal communication which contains legal analysis can be excluded from an access request as it does not constitute personal data since it is information about the assessment and application of the law to the data subject’s situation. A summary of the personal data information which was considered for the legal analysis can be provided but the analysis and the results of the analysis are exempt.

Security can help you enable swift and accurate DSR fulfillment from our sensitive data intelligence models.

We can give you data discovery across more than 200 apps to find data assets, and discover personal data in structured and unstructured data systems, across on-premises and multi-cloud and automatically discover and build a relationship map between personal data and its owner.

View More

Discover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs

Here’s a short video explaining sensitive data intelligence

Bedrock of your Privacy & Security

A Comprehensive Platform

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend