29/01/24

Right of access – Recent lessons learned from the CJEU and EDPB

Happy Data Protection Day! Yesterday, we celebrated Data Protection Day, which this year is dedicated to taking control of one’s data. For this occasion, Lydian’s Information Governance & Data Protection (Privacy) Team decided to highlight some practical takeaways relating to the right of access, stemming from both recent case-law of the Court of Justice of the EU (CJEU) and the (final) Guidelines [1] of the European Data Protection Board (EDPB) as published last year.

1 The mother of all GDPR rights: understanding the purpose

By way of reminder, the right of access gives data subjects the right to request sufficient, transparent and easily accessible information about the processing of their personal data in order to be informed of, and verify, the lawfulness of the processing. In other words, when exercising this right, data subjects should be able to understand how their personal data are being processed as well as the consequences of such processing, and verify the accuracy of the data processed. The right of access can therefore be considered as the gateway to the exercise of the other rights foreseen in the GDPR.

Exercising the right of access is subject to very few conditions. In particular, data subjects do not have to state any reason for their access request. As a controller, an organisation should not assess why the data subject is requesting access, but focus solely on verifying whether or not it holds personal data relating to that individual and on responding to the request within the applicable time limit.

The CJEU confirmed that a controller is obliged to provide the data subject with access to his or her personal data undergoing processing, even where the reason for that request is completely unrelated to becoming aware of the processing of data or verifying the lawfulness of that processing. Hence, a patient could ask his dentist for a copy of his medical records with a view to triggering her liability for errors allegedly made in providing him with dental care. [2] In a similar vein, businesses are not allowed to deny access to personal data on the grounds, or on the suspicion, that the requested data could be used by the data subject to defend themselves in court or in the event of a dismissal or commercial dispute with the business.

2 What information shall be given to the data subject?

The right of access essentially contains three (3) different layers of information:

  • confirmation as to whether personal data are processed or not;
  • access to the personal data that are processed; and
  • access to certain other information about the processing, such as the purpose, the categories of data, the (categories of) recipients, the duration of the processing, the data subjects’ rights and the appropriate safeguards in case of third-country transfers.

Most of this information should already be included in a general way in the organisation’s record of processing activities and/or privacy policy. However, some types of information may vary depending on who makes the request and what the scope of the request is.

Controllers must communicate to the data subject the precise purpose(s) pursued by the data processing concerning the individual. Although strictly speaking there is no obligation to mention the applicable legal basis for the processing, this information will be relevant to data subjects in order to verify the lawfulness of the data processing and to determine which data subject rights are applicable. Hence, it is recommended to also inform the data subject of the applicable legal basis for each processing operation, or to indicate where they can find this information (e.g., in the privacy policy).

Controllers are also required to disclose the (categories of) recipients to whom the personal data have been or will be disclosed. In most cases, controllers tend to stay generic and choose to disclose only categories of recipients. While this can be transparent enough for a privacy policy, it is insufficient in the context of an access request, as was confirmed by the CJEU. Controllers must disclose the concrete identity of the specific recipients in question if the data subject so requests, unless it is impossible to identify the concrete recipients or the request is manifestly unfounded or excessive. A data subject must know the identity of the concrete recipients in order to guarantee the effectiveness of his or her other data subject rights, in particular the right to rectification, the right to erasure (‘right to be forgotten’), the right to restriction of processing, the right to object to processing and the right of action where he or she suffers damage. [3]

Moreover, the question arises whether a data subject can request access to log data consisting of the identity of the specific employees who consulted his or her data, as well as the exact dates of the consultations and the purposes for which those data were processed. In these circumstances, the CJEU ruled that employees of the controller cannot be regarded as recipients when they process personal data under the authority of that controller and in accordance with its instructions. Consequently, a data subject in principle does not have a right of access to information relating to the identity of the employees of the controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the data subject to exercise his or her rights effectively, and provided that the rights and freedoms of those employees are taken into account. On the other hand, information relating to the consultation operations carried out, and the dates and purposes of those operations, can be requested by the data subject. [4]

3 The right to obtain a copy

As mentioned above, one of the layers of the right of access concerns the personal data being processed. Since data subjects have the right to obtain a copy of their personal data, this information is typically provided in the form of a copy (although it can be appropriate to provide access through other means than a copy where it is in the interest of the data subject or the data subject asks for it).

In this regard, a data subject does not have a general right to obtain a copy of the document itself containing his or her personal data, but an unaltered copy of the personal data being processed in such document. Hence, a copy of the personal data could be provided through a compilation containing all relevant personal data as long as the compilation makes it possible for the data subject to be made aware of and verify the lawfulness of the processing.

In a first case before the CJEU, an individual requested a business consulting agency to provide him with a copy of all e-mails and database extracts containing his data, which had been processed in order to provide information on his creditworthiness to the agency’s clients. The agency only replied with a summary list of the personal data undergoing processing. According to the CJEU, a copy must be understood as any faithful and intelligible reproduction of all personal data undergoing processing, enabling the data subject effectively to exercise the (other) data subject rights. The Court found that an extract from a document, or even an entire document or an extract from a database which contains those data, may have to be provided if the provision of such a copy is essential in order to enable the data subject to exercise effectively his or her other data subject rights, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others (e.g. trade secrets or intellectual property). [5]

In another case before the CJEU, a patient requested that his dentist provide, free of charge, a first copy of his medical records in order to verify the existence of claims under medical liability law, suspecting that errors had been made in the treatment he had been given. The dentist, however, demanded that the patient cover the costs connected with providing such a copy, as was provided for under national law. The Court ruled that, in the specific context of a doctor-patient relationship, the data subject has the right to obtain a full copy of the documents included in his or her medical records and containing his or her personal data, if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible. [6]

In the same decision, the Court confirmed that a controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, regardless of the economic interests of the controller (e.g. if the cost of reproduction is considered to be high) and even where the reason for that request is unrelated to the processing of the data. [7]

Lydian’s Information Governance & Data Protection (Privacy) Team is at your service for any further questions you may have regarding the right of access, and is ready to help you deal with data subject (access) requests.

[1] EDPB Guidelines (version 2.0) of 28 March 2023.

[2] CJEU 26 October 2023, C-307/22 (FT v. DW).

[3] CJEU 12 January 2023, C-154/21 (RW v Österreichische Post AG).

[4] CJEU 22 June 2023, C-579/21 (Pankki).

[5] CJEU 4 May 2023, C-487/21 (CRIF).

[6] CJEU 26 October 2023, C-307/22 (FT v. DW).

[7] CJEU 26 October 2023, C-307/22 (FT v. DW); and EDPB Guidelines (version 2.0) of 28 March 2023, 13, nr. 22.