The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Right of access according to the CJEU – 2

We resume our analysis of some preliminary rulings of the CJEU on the right of access, published in the first half of 2023; specifically, issued:

  • In the Crif case, C-487/21, of May 4, 2023 on the right of access, the term of “copy” and the term of “information” to be provided in response.
  • In the Pankki case, C-579/21, of June 22, 2023, on the scope of the right of access in relation to consultation operations carried out by employees authorized to process, on the admissibility of subjecting logs to the information to be provided as a result of the exercise of this right, and on the term of “recipient.”

Personal data to be provided in the response

The questions submitted to the CJEU’s judgment in case c-487/21 concern:

  • whether the data subject has the right “to access information relating to the context in which his or her data are processed, in the form of copies of extracts of documents or even entire documents or extracts from databases containing, inter alia, such data” (c-487/21, p. 15).
  • Does the notion of “information” to be provided to the data subject as an acknowledgement of the exercise of the right of access include “additional information such as metadata about the data,” in addition to “personal data undergoing processing” (c-487/21, pp. 15 and 16), i.e., in addition to the true-to-original replica of personal data.

The CJEU, in this regard, recalls that the subject of the right of access is personal data concerning the data subject and that the definition of “personal data” uses the expression “any information,” which “reflects the aim of the Union legislator to give an extended meaning to this term” whereby “the broad definition of the term of ‘personal data’ does not only include data collected and stored by the data controller, but also includes all information resulting from a processing of personal data concerning an identified or identifiable person, such as the assessment of that person’s creditworthiness or his or her ability to pay.”

Similarly broad is the term of “processing” from which it follows that Article 15 of the GDPR “confers on the data subject the right to obtain a faithful reproduction of his or her personal data, understood in a broad sense, that are subject to operations that can be classified as processing carried out by the controller.” (c-487/21, p. 28).