UK: Important Decision Impacting How Companies Must Provide Personal Data Requested By Data Subjects Under Their Access Rights

Giovanni Pitruzzella, Advocate General (AG) recently issued an opinion on what is within scope of the right conferred under Article 15(3) of the EU GDPR to obtain a copy of personal data being processed. The clarifying opinion relates to Case C-487/21 regarding questions referred for a preliminary ruling as lodged by the Austrian Federal Administrative Court.

The AG's opinion specifically centred on the extent of information available to data subjects by way of the rights of access to personal data and to receive an intelligible copy of said data as follows:

• The concept of "copy" referred to in Article 15(3) of the EU GDPR must be construed as including an authentic and clear reproduction of the personal data requested by the data subject, in material and permanent form.
• Such copy should in turn allow data subjects to exercise their right of access and provide full visibility of all their personal data undergoing processing, which includes any data that might be produced as a result of the processing, in order to verify its accuracy and allow them to be satisfied as to the fairness and lawfulness of the processing and, where relevant, to be able to exercise other rights available to them in the EU GDPR.
• The precise form of the copy accordingly depends on the particular circumstances of each case and, specifically, the nature of personal data in respect of which access is requested and the requirements of the data subject.
• Article 15(3) of the EU GDPR should therefore not categorically rule out a data subject's right to be provided with sections of documents, or complete documents or excerpts from databases, if that was essential to guarantee that the personal data being processed, and in respect of which access is being requested, is indeed comprehensible in practice.
• The notion of "information" in the third sentence must likewise be interpreted as referring exclusively to the "copy of personal data undergoing processing" referred to in the first sentence of Article 15(3) of the EU GDPR.

The ECJ tends to follow the AG's opinions despite these not being technically binding. Whilst ECJ decisions are no longer enforceable in the UK, they are still pertinent to UK organisations processing EU citizen's personal data due to the extraterritorial scope of the EU GDPR.

The ECJ has similarly confirmed that Article 15(1)(c) of the EU GDPR must be broadly interpreted as meaning that the data subject's right of access must necessarily encompass the data subject's request to the identification of the specific recipients to whom their personal data is disclosed.

Controllers must in such cases disclose in their responses to access requests the recipients of any personal data they shared, unless it is materially impossible or manifestly unfounded or excessive to do so within the meaning of Article 12(5) of the EU GDPR.

Find out more about the ECJ's decision on the broad scope of access rights here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.