26
Tue, Nov
52 New Articles

Are Questions on a Test Considered Personal Data?

Are Questions on a Test Considered Personal Data?

Serbia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In German case law the stance was taken recently that questions on a test undertaken by a specific individual do not constitute personal data within the meaning of the General Data Protection Regulation (“GDPR”). The court’s position is that these questions, therefore, should not be included in the copy of data issued or provided in accordance with Article 15(3) of the GDPR (right to access to personal data undergoing processing).

Factual background

A candidate took an entrance exam at a university for admission to medical studies. After the test, he sent an email to the university’s competent authority requesting a copy of his file, in accordance with Article 15(3) of the GDPR, citing the judgment of the Court of Justice of the European Union C-434/16 (Peter Nowak v Data Protection Commissioner), as the file contains his personal data.

In response to the request, the candidate received an overview of the personal data undergoing processing, including a copy of the entrance test with his answers and notes, while the questions themselves were redacted.

The candidate then requested a copy of the test with uncensored, visible questions, to which he did not receive a response. He subsequently filed a lawsuit claiming that although the questions themselves do not constitute personal data, the selected answers reflect personal choices, and therefore the questions should also be considered personal data.

On the other hand, the university defended its response to the lawsuit by arguing that the candidate’s request was fully met by providing a copy of the data with redacted questions, emphasizing that not only do the questions not constitute personal data, but their disclosure could lead to their misuse by the candidate.

Position of the court

The court sided with the university, finding that the plaintiff, i.e., the candidate, does not have the right to an uncensored copy of the test questions, as the questions in question do not constitute personal data within the meaning of Article 4(1) of the GDPR.

The court particularly emphasized that the purpose of the right of access established by Article 15 of the GDPR is to inform about the processing of personal data and to verify the lawfulness of the processing, and therefore it is irrelevant that the plaintiff seeks access to questions for interpreting the results. Additionally, the court pointed out that the plaintiff does not have the right to a copy of the questions in terms of preserving confidentiality, stating that the questions constitute a trade secret of the defendant university under the German Trade Secrets Act.

Right of access to data in domestic regulations

The Law on Personal Data Protection of the Republic of Serbia (Official Gazette of RS no. 87/2018) (“Law”) provides that the data subject has the right to request information from the controller about whether it processes his personal data, access to such data, and the information prescribed by law.

Additionally, if personal data is transferred to another country or international organization, the data subject has the right to be informed about the appropriate safeguards relating to the transfer.

Furthermore, the Law stipulates that the controller is obliged to provide the data subject, upon his request, with a copy of the data it processes. The controller may request reimbursement of necessary costs for making additional copies requested by the data subject. If the request for a copy is made electronically, the information is provided in the usual electronic format, unless the data subject has requested otherwise.

However, the Law explicitly states that the exercise of the rights and freedoms of other individuals cannot be compromised by exercising the right to receive a copy, and the aforementioned provisions do not apply to processing carried out by competent authorities for specific purposes.

The Law also provides for the limitation of the right of access, stating that it may be restricted, in whole or in part, only to the extent and for the duration necessary, and represents a proportionate measure in a democratic society, respecting the fundamental rights and legitimate interests of the data subject, in order to achieve the effects prescribed by law.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.

By Ivana Ruzicic, Partner, and Lara Maksimovic, Senior Associate, PR Legal

Serbia Knowledge Partner

SOG in cooperation with Kinstellar is a full-service business law firm in Serbia that provides foreign and domestic clients with premium-quality legal advice and assistance across a wide range of key areas of corporate law. The firm was founded in 2015 by a group of seasoned, internationally-trained lawyers. SOG has developed a distinctively dynamic culture, bringing together top talent, fostering entrepreneurship, and maintaining exceptional relationships with its clients.

SOG has achieved consistent growth in the volume of its business, accompanied by an exponential increase in the number of hired associate lawyers and the firm’s network of business contacts. SOG has a robust client base of multinationals, investment and private equity firms, and financial institutions. Clients praise SOG for being commercially minded, very responsive and knowledgeable.

Establishing permanent cooperation with Kinstellar is part of realising SOG's long-term development strategy to be the leading provider of legal services in the Western Balkans market.

Firm's website: https://www.kinstellar.com/

 

Our Latest Issue