Pursuant to Articles 12 and 15 of the GDPR, any data subject is entitled to request access to the personal data concerning him or her processed by a legal entity.
In the context of public authorities, there exists another right of access: the right of access to administrative documents. This right has existed prior to the GDPR and is a constitutional right. Since 1993, Article 32 of the Constitution[1] provides that every person has the right to consult any administrative document and to obtain a copy thereof, except in the cases and under the conditions laid down by law, decree, or the rule referred to in Article 134. For Flemish public authorities (including local authorities), the modalities are set out in the Administrative Decree of 7 December 2018, Chapter 3: access to administrative documents.
In recent years, citizens have become increasingly aware of their rights under the GDPR. We are seeing more situations where individuals, after receiving a response they consider unsatisfactory to a request for access to administrative documents, subsequently submit a data subject access request under Articles 12 and 15 of the GDPR, hoping to obtain additional information … but does this actually lead to more disclosure? Can individuals access more information by relying on their GDPR rights? And is a public authority required to respond to a GDPR access request if the citizen’s prior request under the rules on public access to administrative documents has been refused?
Purposes of both legislative frameworks
What is public access to administrative documents?
Citizens have the right to information regarding decisions taken by public authorities, such as their municipality, the Flemish Government, or an intermunicipal cooperation entity. Transparency in public administration may be either active or passive.
Active transparency means that the public authority itself makes administrative documents available to the public, for example through its website, a newsletter, or the local newspaper, etc. Passive transparency means that citizens have the right to access any administrative document and may submit a request to obtain access to such documents.
Why would a citizen seek access to an administrative document?
For example, a municipality may have decided to cut down a forest in order to construct a swimming pool on that site. A citizen may then wish to ascertain whether sufficient alternative options were considered. In such a case, he or she may submit a request for access to the relevant documents to the municipality.
In that case, the municipality is obliged to grant access to the requested administrative documents or to provide a copy thereof.
Another example is a citizen requesting information regarding the amounts spent on safer cycling infrastructure and green roofs, compared to the amount allocated for these purposes in the budget.
These documents must already exist
a citizen cannot request to collect data from different files and to compile it into a new document in order to respond to his/her request.
By requesting access to administrative documents, the citizen obtains transparency regarding the government’s reasoning for locating the swimming pool specifically at that site, or can verify whether public funds are being used in accordance with the approved budget.
What is the purpose of the GDPR?
The title of the GDPR states that it regulates the protection of natural persons with regard to the processing of personal data. This reflects a different underlying principle from that of public access to administrative documents. The GDPR grants individuals control and rights in relation to organisations that process their personal data. The GDPR applies to all organisations, including public authorities, banks, internet service providers, Facebook, hospitals, Natuurpunt, football clubs, and so on.
Article 15 GDPR grants data subjects the right to obtain confirmation as to whether or not their personal data are being processed. Where this is the case, they are entitled to know which data are being processed and for what purposes.
For example, if you suspect that your bank is sharing your personal data with commercial partners so that they can spam you with advertising, you can request access to the personal data held by the bank about you and to the purposes of the processing. If your data are indeed being shared for commercial purposes, you may request that this processing be stopped. However, the bank is not obliged to comply in every case!
What can you obtain a copy of?
Under ‘public access to administrative documents’.
Article II.31 of the Administrative Decree provides that:
“Public authorities, as referred to in Article II.28, §1, are obliged to make the requested administrative documents available to any person who so requests, by granting access to them, providing a copy thereof, or offering an explanation of their content.”
In other words, a citizen may obtain a complete copy of all administrative documents that he or she requests.
The question that arises in this context is: what exactly qualifies as an administrative document? Does this refer solely to documents signed by the highest-ranking official within the administration? Or can it also include other materials, such as minutes of meetings or even emails?
Article I.4.3° of the Administrative Decree defines the term “administrative document” as follows:
all information, regardless of its form or medium, held by a public authority.
Administrative documents therefore include both official documents and non-official documents, such as emails, held by a public authority.
Can a citizen simply request any administrative document? No. There are a number of exceptions, which are discussed further under Section 3 about the grounds for refusal of disclosure.
The right of access to administrative documents is to be interpreted broadly. A citizen may request access to official decisions, preparatory documents, emails, minutes of meetings, and similar records relating to a specific subject, provided that no personal data are contained therein.
Under Article 15 GDPR.
Article 15(1) of the GDPR provides that data subjects have the right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed and, where that is the case, to access those personal data. The data controller is also required to provide information including the purposes of the processing, the recipients or categories of recipients of the personal data and the retention period of the data. In other words, Article 15(1) means that every person is entitled to access his/her own personal data, but not those of another person.
Article 15(3) further provides that the data controller shall provide the data subject with a copy of the personal data undergoing processing. Does this provision mean that a data subject is entitled to receive a copy of the documents in which his or her personal data are included? Can anyone, under Article 15 GDPR, obtain a copy of emails in which his/her personal data appear?
The Court of Justice of the European Union (CJEU) has already clarified this issue for us. In its judgment C-487/21 of 4 May 2023 (CRIF), the Court ruled on the interpretation of the term “copy” in Article 15(3) of the GDPR.
The court held in its judgment[2] that the controller is required to provide a reproduction of the processed personal data. However, the controller is not obliged to provide a copy of the documents in which those personal data appear.
The right under Article 15 GDPR to obtain access to and a copy of personal data must be interpreted narrowly. It concerns solely your own personal data and a reproduction of those data, and not a copy of the documents in which those personal data are included.
Can a request for access be refused?
3.1 Under ‘public access to administrative documents’.
There are a number of exceptions to public access to administrative documents. These are set out in Articles II.33 to II.39 of the Administrative Decree. A public authority may, for example, refuse access if an excessive number of documents are requested, if the requested administrative documents are not yet finalised, or if the request concerns internal communications. A citizen may lodge an appeal against a refusal decision with the Administrative Appeals Body for Access to Public Information.
Internal emails qualify as administrative documents. However, access to them may be refused.
Other exceptions include, for example, cases involving confidential commercial or industrial information, situations where public order or public safety would be jeopardised, and cases where the protection of his/her privacy would be affected. In order to assess whether the protection of his/her privacy is at stake, public authorities often seek the assistance of their Data Protection Officer (DPO). It is important for a DPO to understand that this does not concern the application of GDPR principles. The right at issue here is a constitutional right: the right of every person to respect his/her private and family life.[3]
If an administrative document includes personal data, the public authority will assess, on a case-by-case basis, whether the disclosure of those personal data would infringe his/her privacy. In which cases is there no infringement of his/her privacy? For example, when individuals are mentioned in a professional context, there is usually no ground for refusing access.
As is often the case, there is an exception to this exception. Article II.36, §1, 1° of the Administrative Decree provides that where a request for access concerns environmental information, access may still be granted if the person concerned consents to the disclosure.[4]
The Administrative Decree takes into account the provisions of the Aarhus Convention. This Convention aims to grant citizens the right to participate in decision-making on environmental matters, as well as access to environmental information. Public authorities must, for example in the context of environmental permits, have procedures in place to obtain the consent of the person concerned.
Under Article 15 GDPR.
At present, the GDPR itself provides only a limited number of grounds for exception.
Practice shows that there are data subjects who abuse their rights under Article 15. Enzo Marquet wrote a blog in response to CJEU case C-526/24, on the question of whether a request for access under Article 15 GDPR can be refused. The conclusion is that a data controller may refuse an excessive request. However, the threshold remains high. You have to be able to provide concrete evidence of an underlying hidden motive, and document this carefully, before a data controller can lawfully refuse a request.
The Digital Omnibus, as currently proposed, aims to give data controllers the possibility to refuse “excessive” access requests. The coming months will show whether this provision will ultimately be retained.
Conclusion
Under public access to administrative documents, a citizen can obtain more extensive information than under a data access request pursuant to Article 15 GDPR. The citizen may receive copies of entire documents, rather than merely a reproduction of his or her personal data.
However, the number of exceptions to public access to administrative documents are more strictly defined than under the GDPR. The concept of a manifestly unreasonable request has already been further clarified through decisions of the competent appeals body.
Practice shows that when access requests under public access to administrative documents are refused, citizens sometimes submit a request under Articles 12 and 15 of the GDPR instead. In doing so, they are sometimes disappointed, as they do not receive a copy of the full documents, but only of their personal data.
It is important for public authorities to be aware that when a request under public access to administrative documents is refused, a subsequent request under the GDPR may be submitted. Refusing such a GDPR-based request is more difficult.
To avoid being engaged in lengthy proceedings by persistent applicants, it is advisable to work closely with the Data Protection Officer (DPO), who can involve the supervisory authority from the beginning. If the citizen decides to lodge a complaint, it is ultimately the supervisory authority that has the final say.
[1] https://codex.vlaanderen.be/portals/codex/documenten/1006998.html
[2] CJEU 4 May 2023, Case C-487/21, F.F. v Österreichische Datenschutzbehörde and CRIF GmbH, ECLI:EU:C:2023:369.
[3] Article 22 of the Belgian Constitution: Everyone has the right to respect for his or her private and family life, except in the cases and under the conditions provided for by law.
Article 8 of the European Convention on Human Rights (ECHR): Right to respect for private and family life.
[4] This provision is a direct consequence of the Aarhus Convention of 25 June 1998, i.e. the “Convention on Access to Information, Public Participation in Decision-making and Access to Justice in Environmental Matters” of the United Nations Economic Commission for Europe (UNECE). The European Union ratified the Convention on 17 February 2005 and incorporated its provisions into European legislation. On 21 January 2003, the Convention was approved in Belgium by the federal and regional parliaments.
