When to Refuse a Data Subject Access Request
The Federal Act on Data Protection (FADP) grants every person the right to access information about the processing of their personal data. As a rule, the information must be provided within 30 days and free of charge (Article 25 FADP).
The right of access may be restricted under certain circumstances
Article 26 FADP governs the circumstances under which the right of access may be restricted, delayed or refused.
An important reason for a restriction is the protection of legitimate interests of third parties. This concerns situations in which the provision of information would disclose sensitive data of third parties.
Overriding interests of the controller may also justify a restriction on the provision of information. This may be the case, in particular, if the disclosure would require the disclosure of business secrets or other confidential information of the data controller.
Information may be refused in the event of abusive requests
As a rule, a request for access may be asserted without any evidence of legitimate interests or justification. Even mere curiosity constitutes a valid ground. However, the necessary weighing-up of the opposing interests may require applicants to set out their interests.
If a request for access is obviously unjustified or frivolous, the provision of information may be refused. Requests for access that are made repeatedly without good reason, for example, are frivolous.
Information may also be refused in the event that the request constitutes an abuse of legal process. According to settled case law, an abuse of legal process is the improper use of a legal instrument to realize interests that this instrument is not intended to protect. An example of this would be a vexatious exercise of rights without any real interest in the information, merely with the intention of harming the data controller.
The Swiss Federal Supreme Court has ruled that a request for information constitutes an abuse of legal process if it was made solely in order to gain information about another party and obtain evidence that a party would not be able to obtain in civil proceedings.
There is an indication of an abuse of legal process if a data access request is asserted at the same time as another claim under civil law.
Procedure in the event of a restriction or refusal to provide information
If the controller restricts the information or refuses to provide information, it must inform the person making the request and give reasons for doing so.
As far as the protection of third-party rights is concerned, it must always examine which measures could be used to safeguard third-party rights without completely refusing to provide information. This will usually be possible by anonymizing or redacting sensitive third-party data.
Finally, it should be noted that Swiss law provides for different legal consequences in the event of a breach of the right to access under the FADP. While the deliberate provision of false or incomplete information may be punished with a fine of up to CHF 250,000, an unjustified refusal to provide information primarily has consequences under civil law.
Every data controller should therefore get any uncertainties in relation to a specific request for information checked, before the information is provided or refused.