On January 18th the European Data Protection Board (EDPB) published Guidelines 01/2022 on the right of access under Article 15 of the GDPR.
Access requests from data subjects and the obligations of data controllers to provide a copy of personal data are of great relevance for practice, but essential questions of detail regarding scope and extent are still unresolved. It is disputed, for example, whether the objection of abuse of rights can be raised against acess requests if the applicant is not concerned with controlling the processing of his or her personal data but is pursuing interests outside of data protection, e.g. preparing the assertion of a claim for overtime pay by means of a request for information regarding stored working time data. Parts of Members State courts are of the opinion that the objection of abuse of rights can also be raised against a request under Article 15 of the GDPR.
The scope of the right to copy data under Article 15(3) of the GDPR is also unclear, as is the relationship of this regulation to the information obligations according toArticle 15(1) of the GDPR.
Unsurprisingly, the EDPB has tended to interpret the right of access broadly in its 60-page guidelines. The interested public had the opportunity to submit comments on the Guidelines until 11th of March. CEDPO participated in the consultation process.
The statement of CEDPO can be found here.