The key takeaways for organisations are:
- DSARs usually have to be answered. The threshold for “abuse” that entitles a controller to refuse access is very high.
- DSARs must be answered in a way that is tailored to the individual data subject’s situation, including with regard to the recipients of the data.
- Despite the above, organisations retain some flexibility in answering DSARs, e.g. by applying a layered approach (a first reply that does not yet contain all details) or by limiting the right of access (especially the right to a copy) on the basis of exemptions such as the rights of others, business secrets, IP, confidentiality obligations or an excessive DSAR.
- Answers to DSARs can be standardised as long as data subjects can still extract from the answer the information that applies to their own individual case.
All in all, case law and authority views seem to be moving towards a balance of interests, but have not yet fully arrived there. Organisations should challenge data subject and authority views where appropriate and establish a DSAR process that provides the necessary information to the data subject while remaining practical and operable.
Details on some cases:
The CJEU clarifies the obligation to disclose the identity of specific recipients – January 2023
The CJEU ruled in case C-154/21 that Article 15(1)(c) of the GDPR must be interpreted in such a way that not only the categories of recipients but also, in principle, the specific recipients must be disclosed. This applies regardless of whether the personal data has already been or will be disclosed to these recipients.
The CJEU clarified that where it is not (yet) possible to identify those recipients, the controller may disclose only the categories of recipients. A further exception applies where the access request is manifestly unfounded or excessive: in that case, too, disclosing only the categories is sufficient.
Practical implications: Organisations have to disclose the specific recipients in their responses to access requests. However, there is still room for exemptions, which the CJEU did not specifically mention in its judgment:
- A limitation is possible via Article 12(1) of the GDPR if the list of specific recipients is too complex and the categories of recipients would be easier for the data subject to understand.
- Under the principle of transparency, a list of every single recipient could be overwhelming for the data subject and, therefore, not concise and intelligible within the meaning of Article 12(1) of the GDPR.
- The list of specific recipients may qualify as a trade secret. This argument is supported by the fifth sentence of Recital 63 of the GDPR, which explicitly names trade secrets among the rights of others that must not be adversely affected. In line with the AG’s opinion in case C-634/21, a minimum of information still has to be provided, and Recital 63 cannot be relied on to deny the request entirely.
- Naming specific recipients could create security risks if it allows a third party to learn, for example, where data (e.g. sensitive backups) is stored.
Administrative Court (“AC”) Gelsenkirchen on the applicability of national provisions to EU law – February 2023
The data subject exercised his right of access and requested further information regarding a judge, the personnel file of the court president and the publication of a decision from the controller (the Higher Administrative Court). The controller refused to act on the access request, classifying it as an abuse of law because the plaintiff wanted to use the request to harass the judicial administration. The data subject brought an action before the AC Gelsenkirchen (docket no. 15 K 3678/22). The AC Gelsenkirchen dismissed the case on the grounds that the lawsuit itself was an abusive exercise of rights. Furthermore, the court took the view that the plaintiff’s access request could be classified as an abusive exercise of the law that violates the good faith doctrine under Section 242 of the German Civil Code. The national good faith doctrine can, therefore, limit the right of access as long as the full effectiveness and uniform application of Union law are not impaired.
Practical implications: Where data subjects exercise their right of access in a manner that conflicts with a general legal principle (such as the good faith doctrine), organisations can rightfully refuse to act on these access requests.
Advocate General (“AG”) Priit Pikamäe: Information under Article 15(1) of the GDPR should not be too complex to understand – March 2023
AG Priit Pikamäe addressed the scope of Article 15(1)(h) of the GDPR in his opinion in CJEU case C-634/21. In the case at hand, a credit agency did not want to disclose its method of calculation to the data subject and considered this method a trade secret, with reference to Recital 63 of the GDPR. The AG stated that the protection of trade secrets is, in principle, a legitimate reason to limit the response to an access request. However, it cannot justify an absolute refusal of information.
Furthermore, the AG referenced Article 12(1) of the GDPR and the obligation to provide any communication under Articles 15 to 22 of the GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language. On that basis, the disclosure of the algorithm itself is not required, as it would be too complex for a data subject to understand.
Practical implications: The AG’s basic idea can be transferred to Article 15(1) of the GDPR as a whole. Organisations can restrict the information to be provided under Article 15(1) of the GDPR when it is too complex for a data subject to comprehend. For example, a specific purpose under Article 15(1)(a) of the GDPR described in technical terms, such as “monitoring root user logins”, could be too complex to understand. Instead, the controller can describe the purpose at a higher level, e.g. as “security measures”.
The European Data Protection Board updates its Guidelines on the Right of Access - April 2023
The European Data Protection Board (EDPB) published its updated Guidelines on the Right of Access (the Guidelines) in mid-April.
CJEU judgment C-154/21 was incorporated into the Guidelines (see paragraph 117). The EDPB stated that Article 15 of the GDPR lays down a genuine right of access for the data subject, which gives the data subject the option to choose between information about the specific recipients or about the categories of recipients. If the data subject does not explicitly choose to request information about the categories, the controller “is obliged to name the actual recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR”.
Practical implications: Supervisory authorities may start to review responses under Article 15 of the GDPR more carefully as to whether specific recipients have been disclosed.
The EDPB clarified (see paragraph 38) that where data is scheduled to be deleted and a data subject exercises their right of access shortly beforehand, the controller can continue to process the data in order to fulfil its obligation to answer the request, relying on Article 6(1)(c) of the GDPR in combination with Articles 15 and 12(3) of the GDPR.
Interestingly, the EDPB added a section (see paragraph 113) on the need to tailor information in a response under Article 15(1) of the GDPR even where that information has already been provided in a privacy policy. The EDPB stated that, in general, merely referring to the wording of the privacy policy is not a sufficient way to provide the information under Articles 15(1) and 15(2) of the GDPR, unless the tailored and updated information is identical to the information provided at the start of the processing. The EDPB explained that the controller can, where appropriate, refer to specific processing activities and, in doing so, use the same wording as in the privacy policy. The controller then needs to introduce that section of its Article 15(1) response with a sentence explaining to the data subject that this information relates to them.
Practical implications: Controllers can reuse their privacy policy wording in a response under Article 15(1) of the GDPR by adding introductory sentences such as “If you have used this service, [insert privacy policy wording]” or “If you have paid by [payment method], [insert privacy policy wording]”. Consequently, controllers should consider phrasing their privacy policy in this way from the outset to simplify the process even further.
AG Nicholas Emiliou: Data subjects can request access for any legitimate reason – April 2023
Case C-307/22 partially covers the same question addressed in case C-487/21 regarding the concept of a copy under Article 15(3) of the GDPR. AG Nicholas Emiliou stated that the GDPR is not a piece of legislation on access to documents but on data protection. Consequently, its primary focus is ensuring access to data, not to the documents that contain the data. In some cases, however, access to documents is necessary in order to give effect to data protection rights.
In addition, the AG stated that a data subject has the right to receive a copy of their data even where their request pursues legitimate purposes that are unrelated to data protection.
Practical implications: If the CJEU follows the AG’s opinion, organisations will lose the option of denying an access request on the ground that a data subject is exercising their right of access purely for purposes unrelated to data protection.
The CJEU clarifies the interpretation of the right to obtain a copy under Article 15(3) of the GDPR – May 2023
The data protection community closely watched case C-487/21, in which the CJEU ruled on the interpretation of Article 15(3) of the GDPR. The CJEU clarified that Article 15(3) of the GDPR sets out the practical arrangements for the fulfilment of the controller’s obligation. Therefore, Article 15(3) of the GDPR cannot be interpreted as establishing a right separate from the one provided for in Article 15(1) of the GDPR.
Furthermore, the CJEU ruled on the form a copy under Article 15(3) of the GDPR must take. A copy is a faithful and intelligible reproduction of all the personal data undergoing processing. The controller only has to provide extracts of documents, entire documents or extracts from databases if this is essential in order to enable the data subject to exercise their rights effectively. The CJEU did not define ‘essential’. It did, however, give an example: where the contextualisation of the data processed (by means of such documents) is necessary in order to ensure that the data is intelligible. Irrespective of the form, the CJEU points to Article 15(4) of the GDPR and states that the copy must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and, in particular, the copyright protecting software.
Practical implications: Unless specified otherwise, a data subject access request has to be answered with both the information under Article 15(1) of the GDPR and a copy under Article 15(3) of the GDPR. Organisations do not have to provide an excerpt from, for example, their CRM system if a table populated with the personal data from the CRM satisfies the data subject equally well. However, this has to be assessed on a case-by-case basis.
Swedish supervisory authority decides on the scope of Article 15(1) of the GDPR – June 2023
The Swedish Authority for Privacy Protection (IMY) handed down a decision on 12 June 2023 that set out its views on the scope of the information to be provided under Article 15(1) of the GDPR. In this case, the information provided under Article 15(1) of the GDPR was generalised rather than tailored to the specific data subject making the request. The IMY clarified that generalised information may be appropriate for standardised services. However, it must always be clear and easy for the data subject to identify which information applies in which situation.
Further, the controller only provided high-level categories of personal data processed (e.g., ‘user data’ and ‘usage data’). The IMY found that it was not possible for data subjects to understand what personal data was included in these categories. As the processing purposes, recipients and sources of the data were categorised based on these high-level categories of personal data, the information on the purposes, recipients and sources was also not considered sufficient.
Finally, the IMY did not consider generalised information on international data transfers to be sufficient (i.e. a statement that the personal data is shared globally and that appropriate safeguards, such as standard contractual clauses, are applied). The IMY was critical of the fact that the response did not indicate whether the controller actually transferred personal data to a third country, which safeguards were used and to which countries a transfer had taken place.
Practical implications: The IMY decision confirms that generalised information can be provided. Organisations must, however, clearly indicate when such generalised information applies (e.g., by stating, “If you use service A, then we process the following personal data”, as the EDPB illustrated in its updated Guidelines).
The CJEU provides further guidance on the scope of the right of access – June 2023
In its decision of 22 June 2023 in case C-579/21, the CJEU confirmed that employees of the data controller cannot be considered ‘recipients’ when they process personal data under the authority and on the instructions of the controller.
The CJEU clarified that a data subject can rightfully request under Article 15(1) of the GDPR information relating to consultation operations carried out on their personal data, including the dates and purposes of these operations.
In addition, the CJEU acknowledged that revealing the identity of employees who processed data could infringe upon their rights and freedoms, as this information contains their own personal data, which gives rise to a conflict between exercising the data subject’s right of access and the rights or freedoms of these employees. The CJEU highlighted the importance of striking a balance in such cases.
The CJEU concluded that Article 15(1) of the GDPR does not grant individuals an automatic right to obtain information about the identity of the employees who accessed their personal data on behalf of the data controller, unless such information is essential for the data subject to exercise their rights effectively, and provided that the employees’ rights and freedoms are taken into account. It can be inferred from the CJEU’s decision that disclosure of employee identities could be justified, for example, where the employees accessed the data without acting under the authority and on the instructions of the data controller.
Practical implications: The right of access is not boundless, and requests for certain internal information can be rightfully denied.
Recent Austrian case law – informing about the identity of a hacker
A recent case before the Austrian Supreme Court of Justice (docket no. 6Ob242/22i) reached the opposite result. The data subject specifically requested to know whether her personal data was contained in an Excel file that had been unlawfully shared, resulting in a data breach. The court ruled that the data subject had the right not only to be informed under Article 15(1)(c) of the GDPR about the identity of the specific recipient but also to find out whether her data had actually been disclosed.
Practical implications: The main difference between the CJEU case and the case before the Austrian Supreme Court of Justice is that in the latter, the data subject sought the information in order to verify whether their personal data had been processed lawfully. In the CJEU case, the data subject did not challenge the lawfulness of the processing. This can be seen as the decisive factor. Individuals seeking detailed information about the identity of the employees who handle their personal data will therefore likely face a higher burden to demonstrate why they need that information when making specific requests under Article 15 of the GDPR.
Conclusion and action points
The CJEU is increasingly strengthening and expanding the right of access. However, the recent judgments, AGs’ opinions and the update to the EDPB Guidelines also contain some rays of hope for organisations, in particular the confirmation that the right of access is not boundless. It remains to be seen whether the CJEU follows the AGs’ opinions described above, and whether supervisory authorities will start to review responses under Article 15 of the GDPR more carefully – or even launch a coordinated enforcement action.
In-depth 2023-162