Subject Access Request: Right of access to be interpreted more strictly

(31.01.2023)

In a recent ruling, the European Court of Justice (ECJ) stated that the specific recipients of a data subject’s personal data must be named when the data subject exercises their right of access.

The right of access is one of the most important rights of data subjects in data protection. It guarantees that every person may inquire whether their personal data is being processed and, if so, which data. This also includes information on the recipients to whom the personal data have been or will be disclosed.

The ECJ has now ruled that these recipients of data must be specified in the information provided (Case C-154/21, judgment of 12.01.2023). It is not sufficient to merely name the “categories of recipients” (e.g. “IT service providers”, as was often done previously). Rather, the individual recipients must be identified, i.e. the specific names must be given (e.g. “Dan’s IT services Ltd.”).

However, there are exceptions. It is sufficient to merely state the category of recipients if the specific recipients are not (yet) known, if a specific statement is impossible for other reasons or if the request for information is manifestly unfounded or excessive.

What does this mean in practice?

  • Adapt the template used for subject access requests: If you have a template for providing information, it should be clarified or annotated so that this new requirement cannot be overlooked when answering a specific subject access request.
  • Instructions on how to handle subject access requests: If your company uses fox-on’s “Data subject rights handbook”, this must also be updated.

To prepare for future subject access requests (after all, they have to be answered within the legal deadline of one month), you can check your foxondo documentation to quickly get the information you need. All the relevant information should be documented there. If foxondo is not up to date, now would be a good time to have a second look.

Summary:
When subject access requests (for information) are received, you must ensure that you specifically name each recipient of the personal data. Well-maintained documentation in foxondo helps with this. 

By the way: It is still okay if only the category of recipients is named in the data protection information (“privacy policy”), just as before.