16 May '20

T-903/16: The right of access to personal data is a continuous and permanent right of access to those data. The non-applicability of the case-law on purely confirmatory measures in relation to personal data.

Posted in 

“46 In that regard, it must be recalled, first, that Article 13(c) of Regulation No 45/2001 provides that ‘the data subject shall have the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller […] communication in an intelligible form of the data undergoing processing […]’. It follows from that provision, which allows the data subject to access his personal data ‘at any time’, that that person had a continuous and permanent right of access to those data.
47 Second, while Article 20(1) of Regulation No 45/2001 provides for exemptions and restrictions to the right for the data subject to access his personal data, that provision specifies that the institutions cannot restrict the application of Article 13 of that regulation except ‘where such restriction constitutes a necessary measure’. It follows that the exemptions and restrictions laid down in Article 20(1) of that regulation are applicable only in the period during which they remain necessary.
48 In addition, it should be noted that the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter of Fundamental Rights of the European Union is especially important for the right to respect for private life enshrined in Article 7 of that charter (judgment of 8 April 2014, Digital Rights Ireland and Others, C 293/12 and C 594/12, EU:C:2014:238, paragraph 53).
49 Thus, the Court has favoured an interpretation of EU law conducive to a high level of protection of personal data. It has taken into account, among other things, the fact that, in the context of the processing of personal data, the factual and legal situation of the data subject is, by its nature, liable to change over time, since the mere passage of time is capable of rendering the processing of data, which was initially lawful, unnecessary or even unlawful (see, to that effect and by analogy, judgment of 13 May 2014, Google Spain and Google, C 131/12, EU:C:2014:317, paragraphs 92 and 93).
50 It follows that, under Regulation No 45/2001, a person may, at any time, make a new request for access to personal data to which access had previously been refused. Such a request requires the institution concerned to examine whether the earlier refusal of access remains justified.
51 Therefore, a fresh examination seeking to verify whether a previously-adopted refusal to grant access to personal data remains justified having regard to Articles 13 and 20 of Regulation No 45/2001 leads to the adoption of an act which is not purely confirmatory of the earlier act, but constitutes an act that may be the subject of an action for annulment under Article 263 TFEU.
………..
69 However, it has already been observed in paragraph 46 above that, in the context of Regulation No 45/2001, the data subject has a continuous and permanent right of access to his personal data. That right enables him, among other things, to make a request for access to personal data, including where the data subject has already been able to access all or part of those data in order, for example, to satisfy himself that all of the personal data held by an institution had in fact been identified and communicated, or to know whether the data in question was still being processed by the institution and, if so, whether they had been altered or not”.