New CJEU Judgment on Access Requests by Data Subjects: the advent of a “Legitimate Access Assessment”?

Written By

Lisa Gius

Associate
Belgium

I am an associate in the Privacy and Tech & Comms teams in Belgium. My work covers topics ranging from data protection and the EU's new digital legislation to cybersecurity, regulatory advice on telecommunications and the review of IT contracts.

Benoit Van Asbroeck

Partner
Belgium

As a partner and IP/IT specialist here at Bird & Bird in Brussels, I lead our Belgian Data Protection, Tech & Comms and Media practices, advising our clients on legal issues in privacy, data, e-commerce, digital marketing, cloud computing, the Internet of Things, AI, 3D printing, cookies, electronic signatures, intermediary liability and automated objects. I also co-head the Bird & Bird international special interest group on Copyright due to my large experience in copyright matters with the Court of Justice of the European Union.

A significant new data protection judgment of the CJEU was rendered today in case C-487/21 (Österreichische Datenschutzbehörde v CRIF GmbH) on the topic of access requests by data subjects.

The questions referred to the CJEU by the Austrian Federal Administrative Court relate to the scope of the controller’s obligations in relation to access requests by data subjects pursuant to article 15 of the GDPR.

Does the obligation to provide a “copy” of the data entail:

  • transmission of personal data in the form of a summary table or
  • a sort of “autonomous right” to the transmission of document extracts or entire documents, as well as database extracts, in which those data are reproduced?

It turns out, neither really. The Court toes the line by rejecting the “autonomous right” while simultaneously consecrating a broad understanding of the right of access:

  1. The controller must give the data subject a faithful and intelligible reproduction of all personal data undergoing processing

    This obligation derives from the necessity for the data subject to assess whether the personal data are correct (we understand, “accurate”) and whether they are processed in a lawful manner.

    As a result, data subjects’ right to access is conceptualised as a gateway right for the exercise of other data subject rights.

     

  2. This may include an obligation to provide copies of entire or partial documents and/or databases if essential to enable data subjects to exercise their rights under the GDPR effectively

    As the Court states, “the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential, […] where the contextualisation of the data processed…

Full article available on Disputes +
