Case Studies Access Request Complaints
Withholding of records containing personal data
The DPC received a complaint from an individual regarding the withholding of records containing personal data in response to an access request. The individual had made an access request under Article 15 of the GDPR to a financial service provider, following the sale of the individual’s mortgage to the organisation.
The organisation advised that personal data was being withheld from the customer in line with Section 60(3)(b) of the Data Protection Act 2018 (DPA 2018). The organisation stated that “securitisation documents did not constitute [the complainant’s] personal data”.
The DPC informed the organisation of the definition of personal data under Article 4(1) of the GDPR and advised that, if any of the stated documents being withheld contained the individual’s personal data, clarification would be required as to the reliance on the restrictions applied. The DPC received a response from the organisation confirming that no personal data existed in the securitisation documents, with additional reference to a “final response letter” that it had issued to the individual. Subsequently, the DPC requested a copy of this “final response letter” and asked the individual for a list of alleged outstanding personal data or any further information as to the location of records containing personal data. The DPC also asked the organisation to outline specifically each record containing personal data being withheld and the legislative basis for doing so.
The organisation initially advised it was relying on Sections 60(3) and 60(7) of the DPA 2018 for not releasing the documents. The DPC further probed the restrictions being applied by the organisation. On foot of this engagement, the organisation confirmed to the DPC that it would no longer be relying on any part of Section 60 of the DPA 2018 to withhold the individual’s personal data. In light of the DPC’s intervention, the organisation furnished the individual with their personal data, which had previously been restricted. Following this release of documents, the individual specified the existence of additional personal data and requested copies of mortgage statements from a specific year. The DPC queried this with the organisation, which then released this further personal data to the individual. The DPC determined that the organisation had failed to respond to the access request within the specified timeline under Article 12(3) of the GDPR.