Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Tony Curzon-Price
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina James
    • Maria Constantin
    • Sophia Yakhno
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Important decision impacting how companies must provide personal data requested by data subjects under their access rights

January 19, 2023By Preiskel & Co

Giovanni Pitruzzella, Advocate General (AG) recently issued an opinion on what is within scope of the right conferred under Article 15(3) of the EU GDPR to obtain a copy of personal data being processed. The clarifying opinion relates to Case C-487/21 regarding questions referred for a preliminary ruling as lodged by the Austrian Federal Administrative Court.

The AG’s opinion specifically centred on the extent of information available to data subjects by way of the rights of access to personal data and to receive an intelligible copy of said data as follows:

  • The concept of “copy” referred to in Article 15(3) of the EU GDPR must be construed as including an authentic and clear reproduction of the personal data requested by the data subject, in material and permanent form.
  • Such copy should in turn allow data subjects to exercise their right of access and provide full visibility of all their personal data undergoing processing, which includes any data that might be produced as a result of the processing, in order to verify its accuracy and allow them to be satisfied as to the fairness and lawfulness of the processing and, where relevant, to be able to exercise other rights available to them in the EU GDPR.
  • The precise form of the copy accordingly depends on the particular circumstances of each case and, specifically, the nature of personal data in respect of which access is requested and the requirements of the data subject.
  • Article 15(3) of the EU GDPR should therefore not categorically rule out a data subject’s right to be provided with sections of documents, or complete documents or excerpts from databases, if that was essential to guarantee that the personal data being processed, and in respect of which access is being requested, is indeed comprehensible in practice.
  • The notion of “information” in the third sentence must likewise be interpreted as referring exclusively to the “copy of personal data undergoing processing” referred to in the first sentence of Article 15(3) of the EU GDPR.

The ECJ tends to follow the AG’s opinions despite these not being technically binding. Whilst ECJ decisions are no longer enforceable in the UK, they are still pertinent to UK organisations processing EU citizen’s personal data due to the extraterritorial scope of the EU GDPR.

The ECJ has similarly confirmed that Article 15(1)(c) of the EU GDPR must be broadly interpreted as meaning that the data subject’s right of access must necessarily encompass the data subject’s request to the identification of the specific recipients to whom their personal data is disclosed.

Controllers must in such cases disclose in their responses to access requests the recipients of any personal data they shared, unless it is materially impossible or manifestly unfounded or excessive to do so within the meaning of Article 12(5) of the EU GDPR.

Find out more about the ECJ’s decision on the broad scope of access rights here.

 

Please contact Jose Saras and Xavier Prida if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

Leave Comment

Cancel reply

Your email address will not be published. Required fields are marked *

clear formSubmit

Latest Preiskel & Co blog posts
  • General EU Requirements for Cookie Banners – EDPB Task Force Report
    January 27, 2023
  • Ofcom Launches Investigation into BT Following Suspected Breaches of Consumer Protections Post Implementation of EECC
    January 27, 2023
  • Important decision impacting how companies must provide personal data requested by data subjects under their access rights
    January 19, 2023
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU
    January 12, 2023
  • Saving the WWW from the W3C
    December 20, 2022
  • Imminent US adequacy decision to be met by legal challenges from privacy advocates
    December 13, 2022
  • Preiskel & Co Client, Nadira Murray’s awards for film “Winners”
    December 13, 2022
  • Telecoms Security Framework (TSF) – Background and Requirements
    December 8, 2022
  • Updated EU Commission decision paves way for 5G on the road and in-flight connectivity innovation
    November 29, 2022
  • Controller Binding Corporate Rules – EDPB adopts new recommendations on the application for approval and the elements and principles of the Rules
    November 25, 2022
  • ICO reveals new transfer risk assessment tool
    November 25, 2022
  • Ofcom publishes new rules for telecoms providers to combat scam calls
    November 23, 2022

The Preiskel Blog

  • General EU Requirements for Cookie Banners – EDPB Task Force Report 27 Jan 2023
  • Ofcom Launches Investigation into BT Following Suspected Breaches of Consumer Protections Post Implementation of EECC 27 Jan 2023
  • Important decision impacting how companies must provide personal data requested by data subjects under their access rights 19 Jan 2023
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU 12 Jan 2023

Preiskel news

  • Danny Preiskel to speak at the Westminster eForum policy conference ‘Next steps for the UK mobile industry’
  • Preiskel & Co’s corporate team advised IXAfrica regarding a highly significant technology infrastructure investment for East Africa
  • Preiskel & Co’s Technology M&A Global Practice Guide published by Chambers
  • Preiskel & Co Client, Nadira Murray’s awards for film “Winners”
Preiskel tweets
  • Danny Preiskel to speak at the @WeFEvents eForum policy conference ‘Next steps for the UK mobile industry’. Find ou… https://t.co/ELDiFBj6Zo3 days ago
  • General EU Requirements for Cookie Banners – EDPB Task Force Report. Find out more here: https://t.co/2yGdpzOEZp #cookies #EDPB8 days ago
  • Ofcom Launches Investigation into BT Following Suspected Breaches of Consumer Protections Post Implementation of EE… https://t.co/7hgZjWQ16T8 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy