The General Data Protection Regulation (GDPR) grants data subjects the right to request information from data controllers about the processing of their data. This article looks at how the European Court of Justice (ECJ) has further specified the right of access and how the guidelines of the European Data Protection Board (EDPB) provide comprehensive support.
Four landmark ECJ rulings on the right to information
The right of access is of particular importance as it enables data subjects to assert further rights. These include rectification, erasure or compensation. The European Court of Justice (ECJ) considers the right of access to be a strong and far-reaching right and has confirmed it in several decisions. The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia has compiled the most important ECJ rulings on the right of access in its 29th activity report:
The information also includes the identity of the recipients
The ECJ has ruled that data controllers must generally inform data subjects of the identity of the recipients to whom their data has been disclosed. Naming categories of recipients is only sufficient in exceptional cases: if it is impossible to identify the recipients, or if the request for information would be manifestly unfounded or excessive.
This decision (judgment of January 12, 2023, ref. C-154/21) underlines the importance of transparency in data processing so that data subjects can check whether their data is being processed lawfully.
Right to information also includes log data
The right to information also includes information from log data, which documents when and why data was accessed. The ECJ has clarified (judgment of June 22, 2023, ref. C-579/21) that it is generally sufficient to inform the data subjects about the logged data queries without mentioning the names of the employees.
The identity of employees must only be disclosed if this is necessary to verify the lawfulness of the data processing. However, the rights and freedoms of employees must be taken into account.
First copy is also free of charge for patient files
The ECJ has ruled that patients have a right under data protection law to a first free copy of their patient file without having to give reasons. This complete copy is necessary so that the patient can check the accuracy and completeness of their data.
The ruling (of October 26, 2023, ref. C-307/22) ensures that patients receive a complete and comprehensible copy of their data, including information such as diagnoses, examination results and treatment data.
The right to a copy is the right to reproduce the data
According to the ECJ (judgment of March 4, 2023, ref. C-487/21), the right to a copy of personal data means a faithful and intelligible reproduction of the data. This includes copies of extracts from documents or entire documents as well as extracts from databases if this is necessary for the effective exercise of the data subjects' data protection rights. Controllers must take into account the rights and freedoms of other persons and make the data available in a common electronic format.
EDPB guidelines on the right to information
In addition to the decisions of the ECJ, the guidelines of the European Data Protection Board (EDPB) provide comprehensive assistance in applying the right of access under Art. 15 GDPR.
The guidelines first provide an overview of the complex structure of the regulation. They set out the most important principles to be observed in the right to information. The questions that arise for the controller who has received a request for information are then dealt with in detail. These include questions such as:
- the interpretation and provision of information,
- measures for finding the data,
- the importance of a "copy of the data" and
- the limits of the right to information.
A flowchart in the guidelines illustrates the individual steps involved in processing a request for information. Further guidelines on data subject rights such as the right to object or the right to erasure are planned for the medium term. For the basic right to information, standardized explanations are now available throughout Europe that describe in detail its content and its practical handling by controllers.
Conclusion: The right of access under the GDPR is a central element of data protection. It is continuously being specified in more detail and strengthened by the case law of the ECJ and the guidelines of the EDPB. Companies and data controllers should familiarize themselves with these requirements. They should also ensure that they fully and correctly implement the requirements for the right of access in order to guarantee the protection of personal data and the rights of data subjects.