The General Data Protection Regulation (GDPR) grants data subjects the right to obtain from the controller information about the personal data concerning them. Processing of their data. As the European Court of Justice (ECJ) has ruled Right to information further concretized and with which Guidelines the European Data Protection Board (EDPB) offers comprehensive support.
Four landmark ECJ rulings on the right to information
The Right to information is of particular importance, as it enables data subjects to assert further rights. These include Correction, Deletion or compensation. The European Court of Justice (ECJ) understands the Right to information as a strong and far-reaching right and has confirmed it in several decisions. The State Commissioner for Data protection and Freedom of Information North Rhine-Westphalia in its 29th report. Activity report the most important ECJ rulings on the Right to information compiled:
The information also includes the identity of the recipients
The ECJ has ruled that Responsible persons must generally inform the data subjects of the identity of the recipients to whom their data has been disclosed. The naming of categories of recipients is only sufficient in exceptional cases: If it is impossible to identify the recipients or the request for information would be manifestly unfounded or excessive.
This decision (judgment of 12 January 2023, ref. C-154/21) underlines the importance of the Transparency of data processing so that data subjects can check whether their data is being processed lawfully.
Right to information also includes log data
The Right to information also includes information from log data. This documents when and why data was accessed. The ECJ has clarified (judgment of June 22, 2023, ref. C-579/21) that it is generally sufficient to inform the data subjects about the logged data queries without mentioning the names of the employees.
The identity of employees must only be disclosed if this is necessary to verify the lawfulness of the data processing. However, the rights and freedoms of employees must be taken into account.
First copy is also free of charge for patient files
The ECJ has ruled that patients have a right under data protection law to a first free copy of their patient file without giving reasons. This complete copy is necessary so that the patient can check the accuracy and completeness of their data.
The ruling (of October 26, 2023, ref. C-307/22) ensures that patients receive a complete and comprehensible copy of their data, including information such as diagnoses, examination results and treatment data.
The right to a copy is the right to reproduce the data
According to the ECJ (judgment of March 4, 2023, ref. C-487/21), the right to a copy of personal data means a faithful and intelligible reproduction of the data. This includes copies of extracts from documents or entire documents as well as extracts from databases if this is necessary for the effective exercise of the data subjects' data protection rights. Those responsible must take into account the rights and freedoms of other persons and make the data available in a common electronic format.
Reading tip: Implementation of the NIS 2 Directive in the EU - the current status
EDPB guidelines on the right to information
In addition to the decisions of the ECJ, the Guidelines of the European Data Protection Board (EDPB) provides comprehensive assistance in the application of the right of access under Art. 15 GDPR. GDPR.
The Guidelines first provide an overview of the complex structure of the regulation. They outline the most important principles that Right to information must be observed. The questions that arise for the controller who has received a request for information are then dealt with in detail. These include questions such as
- the interpretation and provision of information,
- Measures for finding the data,
- the importance of a "copy of the data" and
- the limits of the right to information.
A flow chart in the Guidelines illustrates the individual steps involved in processing a request for information. Further Guidelines on data subject rights such as the right to object or the right to Deletion are planned in the medium term. For the basic Right to information standardized explanations are now available throughout Europe, which describe the content and practical handling by those responsible in detail.
Conclusion: The Right to information after the GDPR is a central element of data protection. It is supported by the case law of the ECJ and the Guidelines of the EDSA are continuously being concretized and strengthened. Companies and Responsible persons should familiarize themselves with these requirements. They should also ensure that they meet the requirements for the Right to information fully and correctly to ensure the protection of personal data and the rights of data subjects.
German 
English 
Italian 
French