
EDPB Guidelines on the Right of access

The House of Data Imperiali bulletins are excerpts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.



The European Data Protection Board has released Guidelines 01/2022 on the right of access, subjecting them, as is customary, to public consultation; any comments should be sent by March 11, 2022.

The guidelines contain an explanatory flow chart, which we will use to better describe the content of the document. Given the ongoing public consultation, the final text of the guidelines may be subject to change, although no significant changes are expected. However, as of the date of their release, it has been decided to postpone, until the outcome of the consultation, the issue of the interaction between the right of access and logs of internal connections, a subject currently pending before the CJEU (J.M., Case C-579/21).

Subject: personal data

Source: EDPB Guidelines 01/2022 – First step in exercising the right of access

The data subject’s right of access plays an essential function within the bouquet of rights that the Regulation guarantees to the data subject: the exercise of this right contributes to the data subject’s power of control over the controller’s use of their personal data, and it often precedes the exercise of other rights such as the remedies regulated in Chapter VIII of the GDPR.

Unlike other similar rights to access, such as access to administrative documents, GDPR access is concerned with:

  • confirmation as to ‘whether’ or not personal data are being processed
  • access to (i.e. knowledge of) only the personal data of the data subject
  • access to information relating to their use, set out in letters a) to h) of Article 15.1 of the Regulation (i.e. purposes, categories of data, recipients, storage period, existence of rights and complaints, any automated process and its consequences, sources of acquisition).

Consequently, the scope of the GDPR’s right of access is broad, both because of the broad meaning of the definition of “personal data” in the Regulation (in Art. 4(1)) and also because of the inclusion of information on their use (Art. 15.1, GDPR; to that effect, CJEU, Rijkeboer C-553/07, para. 59).