The year 2023 has seen a number of clarifications with respect to the right of access under the GDPR:
- Clarification by the Court of Justice of the European Union (“CJEU”) of the notion of “copy” to be provided to the data subject
How far to go in responding to an access request? This is a recurring question in practice when controllers prepare their answer to an access request made under Article 15 of the GDPR.
On 4 May 2023, the CJEU in its judgement in Case C-487/21 confirmed that the underlying document containing the concerned data does not necessarily have to be provided and if the decision is made to produce the entire document, it may be necessary to anonymise the parts involving third parties.
- EDPB’s final version of Guidelines 01/2022 on data subject rights - Right of access
The European Data Protection Board (“EDPB”) adopted on 28 March 2023 the final version of its Guidelines 01/2022 regarding the right of access (“Guidelines”). These Guidelines are an essential tool for controllers and data subjects to better understand the aim and the scope of the right of access, the methods of reply and the existing limits of a right that is more and more used by data subjects. Further to the public consultation, the Guidelines were updated to clarify several aspects, among which are:
- personal data processed by the processor: the EDPB clarifies that in the event the data controller uses a processor for its data processing activities, the reply must also include personal data processed by the processor.
- information with respect to recipients or categories of recipients: the EDPB recalls that on 12 January 2023, the CJEU in its judgement in Case C-154/21 indicated that, in the absence of choice of the data subject, a controller must “provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive (…), in which cases the controller may indicate to the data subject only the categories of recipient in question.”
Finally, an important clarification is expected from the CJEU in the coming months since the German Federal Court of Justice decided to refer the following question to the CJEU for a preliminary ruling: can data subjects request access to their personal data on the basis of the GDPR for purposes other than those relating to data protection? (Case C-307/22)