ARTICLE
12 July 2023

Some Useful Clarifications On Right Of Access Under GDPR

EH
ELVINGER HOSS PRUSSEN, société anonyme

Contributor

ELVINGER HOSS PRUSSEN, société anonyme logo
Independent in structure and spirit, Elvinger Hoss Prussen guides clients on their most critical Luxembourg legal matters. Committed to excellence and creativity in legal practice, our firm delivers the best possible advice for businesses, institutions and entrepreneurs, playing a unique role in the development of Luxembourg as a financial centre.
Explore
How far to go in responding to an access request? This is a recurring question in practice when controllers prepare their answer to an access request made under Article 15 of the GDPR.
Luxembourg Privacy
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

The year 2023 has seen a number of clarifications with respect to the right of access under the GDPR:

  • Clarification by the Court of Justice of the European Union ("CJEU") of the notion of "copy" to be provided to the data subject

How far to go in responding to an access request? This is a recurring question in practice when controllers prepare their answer to an access request made under Article 15 of the GDPR.

On 4 May 2023, the CJEU in its judgement in Case C-487/21 confirmed that the underlying document containing the concerned data does not necessarily have to be provided and if the decision is made to produce the entire document, it may be necessary to anonymise the parts involving third parties.

  • EDPB's final version of Guidelines 01/2022 on data subject rights - Right of access

The European Data Protection Board ("EDPB") adopted on 28 March 2023 the final version of its Guidelines 01/2022 regarding the right of access ("Guidelines"). These Guidelines are an essential tool for controllers and data subjects to better understand the aim and the scope of the right of access, the methods of reply and the existing limits of a right that is more and more used by data subjects. Further to the public consultation, the Guidelines were updated to clarify several aspects, among which are:

  • personal data processed by the processor: the EDPB clarifies that in the event the data controller uses a processor for its data processing activities, the reply must also include personal data processed by the processor.
  • information with respect to recipients or categories of recipients: the EDPB recalls that on 12 January 2023, the CJEU in its judgement in Case C-154/21 indicated that, in the absence of choice of the data subject, a controller must "provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject's requests for access are manifestly unfounded or excessive (...), in which cases the controller may indicate to the data subject only the categories of recipient in question."

Finally, an important clarification is expected from the CJEU in the coming months since the German Federal Court of Justice decided to refer the following question to the CJEU for a preliminary ruling: can data subjects request access to their personal data on the basis of the GDPR for purposes other than those relating to data protection? (Case C-307/22)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.

Authors
Person photo placeholder
Elvinger Hoss Prussen
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More