European Court of Justice decides on a number of questions concerning GDPR damages, the right to access and documentation requirements under the GDPR

The European Court of Justice handed down several judgments earlier this month, addressing various relevant data protection issues.
Concept of “copy” in requests for access to information
In the first case (case no. C-487/21), the Court examined the right to access under art. 15 GDPR. This rule states that

“The controller shall provide a copy of the personal data undergoing processing.” 

The question raised in this case was the interpretation of the term “copy.” The ECJ ruled that individuals have the right to receive an accurate and readable reproduction of their personal data. This may include copies of excerpts from documents or, if necessary, entire documents or extracts from databases to enable individuals to effectively exercise their rights. In certain cases, the controller must explain the context of data processing, such as when personal data is derived from other data or incomplete information, to ensure transparent information and a clear presentation of the data to the individual.

Compensation for data protection breaches requires a causal relation between the breach and actual harm incurred by the data subject

In another case (case no. C-300/21), the ECJ ruled that not every violation of the GDPR automatically gives data subject the right to claim damages. It is instead necessary to demonstrate a causal relation between the data protection breach and actual harm incurred by the data subject. On the other hand, the ECJ rejected the notion of a limitation for damages claims only to cases where the harm passed a certain “severity threshold”. Missing record of processing activities and JCA do not immediately imply unlawful processing In a third case (case no. C-60/22), the ECJ determined that an incomplete record of processing activities and a missing Joint Controller Agreement (JCA) do not imply that the data processing activities themselves are unlawful. The lawfulness of processing is determined by the presence of a legal basis under art. 6 GDPR. However, the relevant law does not require the controller to maintain a JCA or a complete record of processing activities for the processing to be lawful.

If you have any further questions regarding these judgments, please let us know.

(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)