The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to their former employer (a public health
organisation), who provided services in Home Support.

The organisation provided a response to the access request within the statutory period of one month of the date of the receipt of the request. In that response, the organisation had informed the individual that whilst it had endeavoured to comply with the access request, in so far as possible, there were some potential redactions under Article 15(4) of the GDPR that it would be seeking to rely on. The organisation provided the individual with some personal data which contained redactions.

 
Article 15(4) provides that the right to obtain a copy of personal data undergoing processing should not adversely affect the rights and freedoms of others. 

The individual submitted a complaint to the DPC in relation to their concern regarding the organisation’s reliance on Article 15(4) of the GDPR. The individual also indicated their concern that the organisation had not released all the personal data. 

The DPC advised the organisation that a balancing of rights exercise needed to be conducted by them to balance the right of access of the individual to their personal data against the identified risk to the third party that may be brought about by the disclosure of the information prior to seeking to rely on said exemption. Under the GDPR, organisations should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.

The DPC engaged with the organisation and requested it to release the personal data records to the individual that it had re-examined. The DPC also requested the organisation to confirm to the individual that it was not withholding any other documents containing personal data relating to them.

The organisation, subsequently provided the DPC with a copy of its correspondence addressed to the individual confirming it had now released  the personal data records in partially redacted format, which it had initially  withheld. The organisation also confirmed to the individual that it held no further records relating to them. The individual was satisfied that all matters  had been sufficiently resolved.

Following the intervention of the DPC, the organisation confirmed to the DPC that it had re-examined the records that it had initially released in fully redacted format, and following the review had released parts of the records, redacting data that was third party data.