Reed Smith In-depth

The first half of 2023 has had much to offer regarding new developments in relation to the data subject access right (“DSAR”) under Article 15 of the GDPR. In terms of the practical implications for organisations, whilst the general trend is that the right of access is strengthened even further, boundaries to the right have also been established. Since a greater level of detail is necessary and requirements have been refined, organisations must closely monitor the changes and re-evaluate their responses to Article 15 of the GDPR accordingly.

The key takeaways for organisations are:

  1. DSARs usually have to be answered. The threshold for “abuse” that entitles to refuse access is very high.
  2. DSARs must be tailored to the individual data subject’s situation, also regarding recipients of data.
  3. Despite the above, organisations have flexibility in answering DSARs, e.g. by applying a layered approach (first reply not with all details), limit or reduce the right to access (especially the right to a copy) on the basis of exemptions, e.g. rights of others, business secrets, IP, confidentiality obligations or excessive DSAR.
  4. Answers to DSARs can be standardized if data subjects still can pull from the answers information for their own individual case.

All in all, case law and authority views seem to go into a direction of balanced interests, but have not yet fully arrived. Organisations should definitely challenge data subject and authority views and find a DSAR process that provides necessary information to the data subject, but also is practical and operative.

Details on some cases:

The CJEU clarifies the obligation to disclose the identity of specific recipients – January 2023

The CJEU ruled in case C-154/21 that Article 15(1)(c) of the GDPR must be interpreted in such a way that not only the categories of recipients but also, in principle, the specific recipients must be disclosed. This applies regardless of whether the personal data has already been or will be disclosed to these recipients.

The CJEU clarified that in cases where it is not (yet) possible to identify those recipients, the controller may disclose only the categories of the recipient in question. Another exception is that disclosing only the categories is sufficient where the access request is either manifestly unfounded or excessive.

Practical implications: Organisations have to disclose the specific recipients in their responses to access requests. However, there is still room for exemptions, which the CJEU did not specifically mention in its judgment:

  • Limitation is possible via Article 12(1) of the GDPR if specific recipients are too complex and the category of recipients could be easier to understand for the data subject.
  • In relation to the principle of transparency, the list of every single recipient could be overwhelming for the data subject and, therefore, not concise and intelligible under Article 12(1) of the GDPR.
  • The list of specific recipients can be classified as a trade secret. This argument is supported by Recital 63(5) of the GDPR, which explicitly mentions trade secrets as a right that should not be adversely affected. In line with the AG’s opinion in case 634/21, minimum information still has to be delivered, and Recital 63 cannot be interpreted as a reason to completely deny the request.
  • The provision of the specific recipient could lead to security issues if a third party can request, for example, the information where data (e.g. sensible backups) is stored.