About Your Right to Access Your Personal Data

On 12 January 2023, the European Court of Justice (“CJEU“) delivered the judgment. About your right to access your personal data under Article 15 of the GDPR. The CJEU has determined that data subjects must provide the individual data recipients of their personal data when exercising their rights of access under the GDPR.

Background

Under Article 15 GDPR, data subjects have the right to obtain confirmation from the controller as to whether personal data concerning them are being processed. Information about the recipients or categories of recipients to whom personal data have been disclosed or to be disclosed, in particular recipients in third countries or international organizations(Article 15(1)(c) GDPR).

A reference to the CJEU is a data subject access request (“DSARs”) under Article 15 GDPR. The data subject has requested information about the identity of third parties to whom the controller has disclosed personal data. Upon request, the controller also referred to her website, which provided the data subject with categories of recipients and set out more information and the purpose of further data processing.

The data subject claims that the controller has failed to comply with the requirements of Art. filed a lawsuit against it in an Austrian court. of personal data.

The Court of First Instance and the Court of Appeal ruled in favor of the Controller, ruling that the wording of Article 15 (1) (c) GDPR permits disclosure of only categories of recipients. The data subject appealed to the Austrian Supreme Court, which referred the matter to her CJEU.

Decision of CJEU

The CJEU has determined that the right of access under Article 15 of the GDPR includes the controller’s obligation to provide the data subject with the actual identity of the recipient of personal data.

Specifically, the CJEU determined that:

• Information provided to data subjects pursuant to DSARs under Article 15(1)(c) of the GDPR must be as accurate as possible. In particular, it is in principle a choice of the data subject whether individual recipients or only categories of recipients are disclosed. The CJEU states that Article 15 (1) (c) of the GDPR allows data subjects to obtain from the controller information about specific recipients to whom their data has been or will be disclosed simply select to request  Information about the recipient category.
  
• The CJEU emphasized that there are two “exceptions” to the general rule that data subjects have the right to know the identity of certain recipients.

• • When it is “impossible” to provide information about a particular recipient: “Where it is not possible to disclose the identity of a particular recipient, access may be restricted to information about categories of recipient, especially if the recipient is not already known.” This carve-out is interesting because it is not explicitly included in the GDPR.

• • If the controller can demonstrate that The request is clearly unfounded or excessive (within the meaning of Article 12(5) GDPR). The CJEU did not further clarify these concepts.

Comment

As individuals become more aware of their rights under data protection laws, DSARs are becoming an increasingly frequent concern for organizations large and small. Individuals and plaintiff companies are increasingly using her DSAR as a means to obtain information and documents to support their lawsuits. The CJEU’s decisions have broad implications for data controllers and can present significant challenges when responding to DSARs, especially if controllers do not have a comprehensive list of recipients for each processing activity.

Of particular note, the CJEU findings do not appear to automatically extend to information contained in privacy notices under Sections 13 and 14. Controller to provide the data subject with information about categories or specific recipients of personal data. However, Article 15 of the GDPR “The option to set out the true access rights of the data subject so that, where possible, the data subject obtains information either on the specific recipients to whom the data has been or will be disclosed, or on the categories of the recipient’s”

If you have any questions about the content of this post, please contact us.