What happened?

One might think that the GDPR¹, in force for five years, would have revealed all its secrets by now, but there are still a number of points raised in practice that need(ed) to be clarified.

The year 2023 has already seen a number of clarifications with respect to the right of access under the GDPR:

  • Clarification by the Court of Justice of the European Union (the "CJEU") of the notion of "copy" to be provided to the data subject

How far to go in responding to an access request? This is a recurring question in practice when controllers prepare their answer to an access request made under Article 15 of the GDPR. Unlike Directive 95/46/EC (the GDPR's predecessor), Article 15(3) of the GDPR provides that "the controller shall provide a copy of the personal data undergoing processing". It was not clear whether it was enough for the controller to produce a full summary of those data in an intelligible form (as the CJEU² had held under Directive 95/46/EC) without producing a copy of the underlying document(s) containing the data concerned.

On 4 May 2023, the CJEU provided the long-awaited confirmation³: "the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others."

Therefore, the underlying document containing the data concerned does not necessarily have to be provided; if the decision is made to produce the entire document, it may be necessary to anonymise the parts involving third parties.

  • EDPB's final version of Guidelines 01/2022 on data subject rights - Right of access

One year after the end of the public consultation, the European Data Protection Board (the "EDPB") adopted on 28 March 2023 the final version of its Guidelines 01/2022 regarding the right of access (the "Guidelines").

These Guidelines are an essential tool for controllers and data subjects to better understand the aim and the scope of the right of access, the methods of reply and the existing limits of a right that is more and more used by data subjects. Further to the public consultation, the Guidelines were updated to clarify several aspects, among which are:

(i) personal data processed by the processor

The EDPB clarifies that in the event the data controller uses a processor for its data processing activities, the reply must also include personal data processed by the processor.

(ii) information with respect to recipients or categories of recipients

The Guidelines incorporate recent case law from the CJEU on the question of whether the controller, in the context of an access request, is entitled to provide only the names of the categories of recipients of the personal data concerned rather than the names of the specific recipients. The EDPB recalls that on 12 January 2023, the CJEU⁴ indicated that, in the absence of a choice by the data subject, a controller must "provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject's requests for access are manifestly unfounded or excessive (...), in which cases the controller may indicate to the data subject only the categories of recipient in question."

An important clarification to come: can data subjects request access to their personal data on the basis of the GDPR for purposes other than those relating to data protection?

The right of access has been granted to data subjects to allow them to verify the lawfulness of the processing activities carried out by a controller. The EDPB mentions in the Guidelines that controllers should not assess "why" the data subject is requesting access, but only "what" the data subject is requesting and whether they hold personal data relating to the data subject. Therefore, if a controller suspects a data subject of exercising his/her right of access to gather evidence against the controller or to assess a potential liability of the controller, the controller must nonetheless comply with the access request.

In the coming months, we will see whether the CJEU adopts the same approach, since the German Federal Court of Justice decided to refer the question above to the CJEU⁵ for a preliminary ruling. On 20 April 2023, the Advocate General published his opinion, in which he suggests that the CJEU answer the question in the affirmative.

The importance of complying with the principle of data minimisation takes on even greater significance in the event of access requests initiated in a conflict context.

Footnotes

1. Regulation (EU) 2016/679 (General Data Protection Regulation)

2. CJEU, Joined Cases C-141/12 and 372/12, 17 July 2014, YS and Others, para. 60.

3. CJEU (C-487/21), 4 May 2023, FF v Österreichische Datenschutzbehörde

4. CJEU, (C-154/21), 12 January 2023, RW v Österreichische Post AG

5. CJEU, C-307/22, FT v DW (yet to be settled)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.