Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Important decision impacting how companies must provide personal data requested by data subjects under their access rights

January 19, 2023By Preiskel & Co

Giovanni Pitruzzella, Advocate General (AG) recently issued an opinion on what is within scope of the right conferred under Article 15(3) of the EU GDPR to obtain a copy of personal data being processed. The clarifying opinion relates to Case C-487/21 regarding questions referred for a preliminary ruling as lodged by the Austrian Federal Administrative Court.

The AG’s opinion specifically centred on the extent of information available to data subjects by way of the rights of access to personal data and to receive an intelligible copy of said data as follows:

  • The concept of “copy” referred to in Article 15(3) of the EU GDPR must be construed as including an authentic and clear reproduction of the personal data requested by the data subject, in material and permanent form.
  • Such copy should in turn allow data subjects to exercise their right of access and provide full visibility of all their personal data undergoing processing, which includes any data that might be produced as a result of the processing, in order to verify its accuracy and allow them to be satisfied as to the fairness and lawfulness of the processing and, where relevant, to be able to exercise other rights available to them in the EU GDPR.
  • The precise form of the copy accordingly depends on the particular circumstances of each case and, specifically, the nature of personal data in respect of which access is requested and the requirements of the data subject.
  • Article 15(3) of the EU GDPR should therefore not categorically rule out a data subject’s right to be provided with sections of documents, or complete documents or excerpts from databases, if that was essential to guarantee that the personal data being processed, and in respect of which access is being requested, is indeed comprehensible in practice.
  • The notion of “information” in the third sentence must likewise be interpreted as referring exclusively to the “copy of personal data undergoing processing” referred to in the first sentence of Article 15(3) of the EU GDPR.

The ECJ tends to follow the AG’s opinions despite these not being technically binding. Whilst ECJ decisions are no longer enforceable in the UK, they are still pertinent to UK organisations processing EU citizen’s personal data due to the extraterritorial scope of the EU GDPR.

The ECJ has similarly confirmed that Article 15(1)(c) of the EU GDPR must be broadly interpreted as meaning that the data subject’s right of access must necessarily encompass the data subject’s request to the identification of the specific recipients to whom their personal data is disclosed.

Controllers must in such cases disclose in their responses to access requests the recipients of any personal data they shared, unless it is materially impossible or manifestly unfounded or excessive to do so within the meaning of Article 12(5) of the EU GDPR.

Find out more about the ECJ’s decision on the broad scope of access rights here.

 

Please contact Jose Saras and Xavier Prida if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

Latest Preiskel & Co blog posts
  • CMA AI Report: The Foundation of the UK’s AI Response
    September 21, 2023
  • Navigating Health Data Compliance: A Roadmap for Employers
    September 21, 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK
    September 15, 2023
  • Practical Guide – Net Neutrality in the UK
    September 14, 2023
  • Virgin succeeded in defending a claim by EE for loss of EE’s profits caused by Virgin’s breach of the MVNO Exclusivity Clause
    September 12, 2023
  • Getting out of a (data) scrape: global statement published for the protection of publicly accessible personal data online
    September 8, 2023
  • The dark side of design: the ICO and CMA call for businesses to rethink their website layouts
    August 18, 2023
  • Could the Supreme Court’s ruling on litigation funding agreements cause havoc for litigation funders?
    August 17, 2023
  • US Threats of a ‘Te(ch)xodus’ from the UK?
    August 17, 2023
  • Smoother Sailing for EU-US Data Transfers after GDPR Adequacy Decision
    August 4, 2023
  • Unlocking Data Flows: EU-US Data Privacy Framework Receives Adequacy Decision
    July 13, 2023
  • UK’s World Leading Approach on Artificial Intelligence – White Paper outlines 5 guideline principles for responsible use of AI
    July 5, 2023

The Preiskel Blog

  • CMA AI Report: The Foundation of the UK’s AI Response 21 Sep 2023
  • Navigating Health Data Compliance: A Roadmap for Employers 21 Sep 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK 15 Sep 2023
  • Practical Guide – Net Neutrality in the UK 14 Sep 2023

Preiskel news

  • Tim Cowen, Chair of Antitrust Practice, Preiskel & Co, quoted in The Times
  • Practical Guide – Net Neutrality in the UK
  • Danny Preiskel featured in GCCM Magazine (June/July 2023 issue 55)  
  • Danny Preiskel moderating a panel at the MEF Connects – The Future of Fraud Prevention event (5th September 2023, hybrid)
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy