News

European Court of Justice sharpens access right under data protection law

12.01.2023

In its judgment of 12 January 2023, the European Court of Justice (ECJ) has sharpened  the right of access to personal data under Article 15 GDPR, going beyond the provision’s actual wording. The ECJ’s strict requirements will make it necessary for companies to review their internal processes and their templates for responding to access requests so as to avoid fines and damages actions for failure to provide access.

Sharpening of the right to access under data protection law: no choice for controllers when providing information about recipients

Article 15 GDPR grants an individual the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where this is the case, the data subject has the right of access to the personal data and to certain information about the processing of the data and about the data subject’s rights in this respect. This also includes information about the recipients or categories of recipients to whom such personal data have been or will be disclosed (Article 15(1)(c) GDPR).

At first glance, the wording of Article 15(1)(c) GDPR (“or”) obviously speaks in favour of the controller having a right to choose whether to name specific recipients or only categories of recipients when providing access. However, applying a contextual interpretation, the ECJ arrives at the conclusion that the controller must in principle communicate the specific identity of the recipient and not just the categories of recipients. In the Court’s view, the controller is only permitted in exceptional cases to simply communicate the category of recipients, i.e. in those cases where it cannot identify the specific recipient or it can show that a request for information is manifestly unfounded or excessive.

Private enforcement ‒ damages claims by data subjects

Violations of the right of access can lead to administrative measures and significant fines. For example, the Hessian Data Protection Authority has imposed fines in the mid ten-thousands for violations of the right of access.

The ECJ’s strict requirements are also likely to further encourage the developments currently visible in private enforcement in data protection law. We can expect that, due to violations of the right of access, companies will in future be confronted with more and more damages claims, including mass proceedings.

It is worth noting in this context that there is an increasing tendency among courts in Germany to hand down plaintiff-friendly rulings on claims for non-material damages. For example, Hamm Regional Labour Court has awarded non-material damages in the amount of €1,000 as compensation for violations of the right of access, while Düsseldorf Labour Court and Berlin Labour Court even awarded non-material damages of €5,000 for providing access late. This development is likely to encourage more and more people to claim damages for violations of the right of access.

Review of internal processes and templates for responding to access requests

In light of the new ECJ case law, we recommend that companies carefully review and, if necessary, adapt their internal processes and templates for access requests. In particular, guidelines for handling requests under data protection law and templates for responding to access requests should be revised in order to be prepared for such requests.

Data privacy litigation

As a result of current developments, it is becoming increasingly important for companies to deal strategically with the challenges, opportunities and risks presented by data protection litigation on a timely basis. Data protection law is the substantive basis for such litigation and at the same time the linchpin in relation to other areas, in particular the relevant codes of procedure. To mount a successful defence against a mass action under civil law, the combined efforts of a legal team that is able to seamlessly integrate expertise in data protection law and in litigation are essential. Our established team of recognised data protection and litigation experts with its extensive experience in defending clients in mass action litigation can provide you with advice on data protection law and litigation from a single source.

 

Contact

Daniel Rücker
Daniel Rücker+49 89 28628457
Sebastian Dienst
Sebastian Dienst+49 89 28628457

Data Privacy
Data Protection Litigation
Data Tech and Telecoms

Share

Show all

Insights

hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
library
News

Judgment of the Cologne Administrative Court of 17 November 2023 – BNetzA Acted Unlawfully by Naming Company in Press Release

01.03.2024
compass with pulse
News

Data privacy pitfall: Cookie banners must allow a genuine choice

26.02.2024
bike citylights with pulse
News

Stronger artists’ rights or red tape for streaming services? – European Parliament proposes stricter regulation of music streaming services

12.02.2024
coloured purple and yellow led screen
News

European Data Law

02.02.2024
Cubes structure
News

Occupational retirement provision update: One more year to implement DORA

31.01.2024