Legal Ruling On Data Subject Access Requests – High Court Decision

Harrison v Cameron and another company [2024] EWHC 1377 (KB)

Case background

The Claimant (C) is a private individual working in the property investment industry. The First Defendant (D1) is a landscape gardener who owns and operates the company that is the Second Defendant (D2).

On 7 May 2022, C and D1 spoke on the telephone several times. D1 recorded two of the telephone conversations during which C threatened him. C made comments such as:

D1 shared the recordings of the telephone conversations with 12 people including, 5 employees of D2, 2 members of family, and 5 friends.

On 6 July 2022, C sent a Data Subject Access Request (DSAR) to D1 and asked for disclosure of “the names of all the individuals to whom [he] has disclosed the Recordings”. On 24 August 2022, C sent a DSAR to D2 and asked for all his personal data together with confirmation of the recipients to whom the personal data had been disclosed.

A solicitor instructed by D1 responded to C’s DSAR arguing that the UK GDPR did not apply as the data was processed in the course of a purely personal or household activity.

C issued proceedings seeking an order requiring D1 and/or D2 to comply with his DSAR. The question to be determined by the Court was whether the Defendants were required in response to the DSARs to disclose the names of the 15 people whom the recordings were shared with.

The decision

The first issue to be determined was whether D1 was a data controller in his personal capacity. The judge took the view that D1 had recorded the calls in his capacity as a director of D2 and therefore the recording was made for business reasons. The recordings would therefore constitute personal data collected and held by D2 and not D1 in his personal capacity.

Article 15(1)(c) of the UK GDPR confirms that a data subject shall have the right to obtain from a data controller details of the “recipients or categories of recipients to whom the personal data have been or will be disclosed”. The second issue to be determined by the judge was whether C was entitled to the identities of the recipients in accordance with Article 15(1)(c).

D1 did not want to give the names of family and friends voluntarily as he explained in his evidence:

In relation to the disclosure of his employees’ details, D1 obtained written confirmation from each of them that they would not disclose the recordings to anyone. Furthermore, C had instructed his solicitors to send various letters to two dozen employees of D2 in which he threatened to issue legal proceedings against them. The judge described these letters as “intimidating and unwarranted in circumstances where [D2] had accepted it was the controller”. In these circumstances, D1 did not want to provide the identities of the employees to whom he had disclosed the recordings and risk them being unreasonably approached by C in the future.

Ds sought to rely on the “protection of the rights of others” exemption present within the UK GDPR. This exemption confirms that:

The judge ultimately concluded that D2 had acted reasonably in not disclosing the identities of the recipients to C. The judge confirmed that this was within D2’s discretion as the controller and that the protection of the rights of others exemption did apply. It was determined that it was reasonable for D1 to give weight to his desire to protect family, friends, and colleagues from hostile litigation beyond the exercise of rights under the UK GDPR. C was therefore unsuccessful in his claim.

Comment

This case confirms that company directors (acting in their capacity as director) who process personal data for their company are not controllers; only the company is a controller.

This case is also a helpful reminder that the motive behind a DSAR is relevant when considering how to respond.