Burn After Reading - recorded personal data and processing

For many, it has long been held wisdom that data protection law applies only to information which is held in recorded form.

Those with prior experience of dealing with subject access requests know only too well that any complaints about a colleague or a customer should be made verbally and never in writing. It appeared then to be a natural extension of that reasoning that data protection law did not apply to any disclosures which were made verbally as opposed to in any written form, whether email, direct message or letter.

A recent case heard in the European Court of Justice has, however, clarified the law as it currently stands (at least in the EU).

Endemol Shine Finland, a Finnish TV production company, requested information from a Finnish District Court which included information about ongoing or concluded criminal proceedings involving an individual linked to a competition which Endemol was organising. Such disclosure, if made in writing, would clearly fall within the scope of the General Data Protection Regulation but, in this case, the disclosure was to be made verbally.

After the Court refused to provide the information, citing the absence of a legal basis in terms of GDPR, the company argued that a verbal disclosure would not be caught by GDPR. The case was referred to the ECJ for a ruling on whether GDPR would apply. The ECJ ruled that, as the source of the information was a written record held by the court, that data would still be subject to the principles of GDPR and that, despite the fact that the disclosure would be made only verbally, it was still a form of processing of personal data for the purposes of GDPR.

As such, a legal basis for disclosure did have to be established under GDPR and, in the absence of that basis, the information could not be provided even if only discussed in a telephone call.

The decision is interesting in that there may yet still be scope for distinction between information which is held in recorded form (a relevant filing system) and subsequently verbally disclosed, and information which is never held in recorded form and is only ever communicated verbally – the latter being far less likely to be caught by GDPR.

While the UK has long since left the EU, much of UK case law since 2018 is based on decisions of the ECJ and data protection law continues to closely follow progress on the other side of the Channel. It is therefore very likely that the ECJ ruling would feature prominently in any UK decision on the issue.

Subject access requests, of course, involve the provision of a copy of the data held. That inevitably entails a written record of the data requested being kept and copied, at least in part. For the time being that will still mean that any data discussed about a third party is unlikely to be recovered by a subject access request. However, it should now be borne in mind that data held in recorded form but disclosed verbally will very likely be covered by UK data protection law, and care should be taken to ensure that there is a sound basis for sharing that data, even if only verbally.
