European Court of Justice sharpens access right under data protection law
In its judgment of 12 January 2023, the European Court of Justice (ECJ) has sharpened the right of access to personal data under Article 15 GDPR, going beyond the provision’s actual wording. The ECJ’s strict requirements will make it necessary for companies to review their internal processes and their templates for responding to access requests so as to avoid fines and damages actions for failure to provide access.
Sharpening of the right to access under data protection law: no choice for controllers when providing information about recipients
Article 15 GDPR grants an individual the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where this is the case, the data subject has the right of access to the personal data and to certain information about the processing of the data and about the data subject’s rights in this respect. This also includes information about the recipients or categories of recipients to whom such personal data have been or will be disclosed (Article 15(1)(c) GDPR).
At first glance, the wording of Article 15(1)(c) GDPR (“or”) obviously speaks in favour of the controller having a right to choose whether to name specific recipients or only categories of recipients when providing access. However, applying a contextual interpretation, the ECJ arrives at the conclusion that the controller must in principle communicate the specific identity of the recipient and not just the categories of recipients. In the Court’s view, the controller is only permitted in exceptional cases to simply communicate the category of recipients, i.e. in those cases where it cannot identify the specific recipient or it can show that a request for information is manifestly unfounded or excessive.
Private enforcement ‒ damages claims by data subjects
Violations of the right of access can lead to administrative measures and significant fines. For example, the Hessian Data Protection Authority has imposed fines in the mid ten-thousands for violations of the right of access.
The ECJ’s strict requirements are also likely to further encourage the developments currently visible in private enforcement in data protection law. We can expect that, due to violations of the right of access, companies will in future be confronted with more and more damages claims, including mass proceedings.
It is worth noting in this context that there is an increasing tendency among courts in Germany to hand down plaintiff-friendly rulings on claims for non-material damages. For example, Hamm Regional Labour Court has awarded non-material damages in the amount of €1,000 as compensation for violations of the right of access, while Düsseldorf Labour Court and Berlin Labour Court even awarded non-material damages of €5,000 for providing access late. This development is likely to encourage more and more people to claim damages for violations of the right of access.
Review of internal processes and templates for responding to access requests
In light of the new ECJ case law, we recommend that companies carefully review and, if necessary, adapt their internal processes and templates for access requests. In particular, guidelines for handling requests under data protection law and templates for responding to access requests should be revised in order to be prepared for such requests.
Data privacy litigation
As a result of current developments, it is becoming increasingly important for companies to deal strategically with the challenges, opportunities and risks presented by data protection litigation on a timely basis. Data protection law is the substantive basis for such litigation and at the same time the linchpin in relation to other areas, in particular the relevant codes of procedure. To mount a successful defence against a mass action under civil law, the combined efforts of a legal team that is able to seamlessly integrate expertise in data protection law and in litigation are essential. Our established team of recognised data protection and litigation experts with its extensive experience in defending clients in mass action litigation can provide you with advice on data protection law and litigation from a single source.