Data Protection Insider, Issue 91

Data Protection Insider, Issue 91 - Image Landing Page DPI 2

– AG Opinion: Clarification on the Right to Obtain a Copy of One’s Data – 


On 20th April, AG Emiliou provided an interpretation on the right of access to one’s data, in particular on the right to receive a complete and free copy of one’s data under Article 15 (3) GDPR in the case of FT v DW. As to the facts of the case, a patient who received dental care requested copies of all the documents related to the treatment they had received by a certain dentist in order to pursue their claim for maltreatment. The dentist agreed to provide the requested copies for a certain monetary fee. The patient claimed that their first copy should be free of charge, relying on Articles 12 and 15 (3) GDPR. Eventually, the dispute reached the domestic courts, which requested the CJEU to provide an interpretation of these two GDPR provisions. The three concrete questions read as follows: (1) does the motif for requesting copies under the GDPR play a role as to whether the right of access under the GDPR is applicable?; (2) may the right to a (free) copy be restricted under Article 23 GDPR?; and (3) does an individual have a right to an exact copy of all the documents? In his Opinion, AG Emiliou proposed that the CJEU should answer as follows: (1) the GDPR does not require that the only motif for requesting a copy to one’s data should be to control the legality of the data processing. Thus, the motif does not play a role for the exercise of the right of access to one’s data. As to question (2), AG Emiliou answered that charges may be imposed even on the first free copy as a way of a restriction under Article 23 GDPR, in casu on the grounds related to the protection of public health under Article 23 (1) (e) and (i) GDPR, as long as the restriction is necessary and proportionate. He provided his interpretation of what might be a necessary and proportionate charge and how his interpretation should be applied in the present case, but suggested that the national courts should eventually decide. As to (3), the AG endorsed the interpretation of AG Pitruzzella in case F.F. (on which we have previously reported). In short, an exact copy is not always a must, but sometimes it might be the only medium for providing complete and understandable information about the processing of one’s data.

Learn more


– AG Opinion: Clarifications on Certain LED Provisions to Access to Cell Phone Data by the Police 


On 20th April, AG Campos Sanchez-Bordona delivered an opinion on the data protection aspects of police access to data stored on one’s mobile phone in CG v Bezirkshauptmannschaft Landeck. As to the facts of the case, a German citizen was caught in Austria with 85 g cannabis by the Austrian police. The latter confiscated his mobile phone and requested the applicant to provide them the PIN number in order to unlock the phone and look through it in order to discover who provided the applicant with the cannabis. The applicant refused to cooperate. The policemen tried nevertheless unsuccessfully to unlock it. The applicant decided to sue the police and the referring court

requested an interpretation of the legality of the police attempts to unlock and search though the applicant’s phone data under Articles 5 and 15 of the e-Privacy Directive. In his Opinion, the AG first argued that the CJEU should reject the request for preliminary ruling as inadmissible, as the case does not raise a question under the e-Privacy Directive. This is because, in his opinion, the e-Privacy Directive is applicable only where access is sought by the law enforcement authorities to metadata stored by mobile phone operators, which is not the case in casu. AG Campos Sanchez-Bordona suggested that if the CJEU does not reject the request for a preliminary ruling, then the question should be reformulated and examined under the LED. Thus, he suggested that the question should be whether the access sought was legal under the LED, in particular whether access may be sought only in cases of serious crime, and whether individuals should be informed that the police made attempts to access the data on the phone. Having rephrased and reframed the request for reference, the AG suggested that the LED does not require that the data processing by the police may take place only in cases of serious crime, but in cases of any (suspected) crime. For that, the requirements for a legal basis for the processing under national (or European) law must be satisfied (Articles 4 (1) (a) and 8 (1) LED). He argued then that subject to the restrictions on the right of access to one’s data in Article 15 (1) LED and to be informed of the processing of one’s data under Article 13 (3) LED, individuals should be informed that the police made attempts to access the data on their phone in order to be able to exercise their right to effective remedies under the LED and under Article 47 (1) CFREU. Still, the AG suggested that ‘(a)ny conduct by the data controller in breach of its duties under Article 13 of Directive 2016/680 may have other consequences but does not, I would reiterate, in itself influence the lawfulness or otherwise of the processing of those data.’

Learn more


– EDPB Report New Documents and Initiatives – 


Over the past couple of weeks, the EDPB have published a number of significant documents, and launched significant initiatives. These include the following:


  •  ‘Data Protection Guide for Small Businesses’
  •  ‘Report of the work undertaken by the supervisory authorities within the 101 Task  Force’
  •  ‘EDPB Annual Report 2022’
  •  ‘Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority: Version 2.0’
  •  ‘Guidelines 01/2022 on data subject rights – Right of access: Version 2.0’


‘Guidelines on the use of facial recognition technology in the area of law enforcement (after public consultation)’ were discussed in the EDPB’s 79th plenary – held on 26th April.

Learn more


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort