What do companies know about me? European justice recognizes the right of citizens to demand the delivery of all the data they have about them | My Rights | Economy

The immense amount of data held by companies is more accessible to citizens after the important ruling of the Court of Justice of the EU (CJEU) that reinforces the right to obtain a copy of their personal data.

The European justice – before the prejudicial question raised by an Austrian court – considers that the companies are obliged to deliver to the citizen who exercises the right of access to his information an “authentic and intelligible reproduction of all his data”.

Following this recent decision (access here to the CJEU ruling), every citizen has the right to obtain a copy with the entire documents or extracts from databases that contain their personal information. Access to this information allows the interested party to effectively exercise the rights conferred by the General Data Protection Regulations (RGPD) such as, among others, those of opposition, cancellation, rectification…

Does the data controller have to transmit the personal data in the form of a summary table or deliver entire documents and extracts from databases where the user’s information is reproduced? Faced with this conflict, the CJEU is in favor of the delivery of complete documents or extracts and establishes the content and scope of the citizen’s right of access to information.

European justice has ruled that citizens have the right to obtain a “copy” of their personal data from the file controller. This implies that the interested party is given a authentic and intelligible reproduction of all your reviews.

The judges consider that access to the “copy” grants the interested party the right to obtain an authentic reproduction of all their personal data subject to treatment, “understood in a broad sense”.

This right of access includes obtaining a reproduction of extracts of documents, including entire documents, or extracts from databases that contain information of the interested party. The practice of many companies to send a summary list of the citizen’s personal data is no longer valid.

Company obligations

With this sentence, the companies and those responsible for data processing are obliged to carry out new procedures regarding the information of citizens. Thus, they must provide the interested party with all the information requested in a concise, transparent, intelligible and easily accessible. In addition, it will be provided in clear and simple language.

The copy must be sent in writing or by other means, including, if applicable, by electronic means, unless the interested party requests that it be provided orally. The information provided must reproduce in its entirety and authentically the personal data held on the citizen.

In the event of a conflict between the right of full and complete access to personal data and the rights or freedoms of third parties, the Court of Justice considers that it is appropriate to balance the conflicting freedoms.

Whenever possible, the company must opt ​​for forms of communication of personal data that do not violate the rights or freedoms of others, but taking into account that these considerations must not result in the refusal to provide all the information to the interested party.

Other rights of the citizen

The data protection regulations allow the citizen to exercise the rights of access, rectification, opposition, deletion and right to be forgotten before the person responsible for the processing of files.

The exercise of all these rights is free and requests must be answered within a month, although taking into account the complexity and number of requests, the term can be extended for another two months, the Spanish Agency for Data Protection assures. (AEPD).

Only if the requests are manifestly unfounded or excessive (such as their repetitive nature) may the person responsible for the file charge a fee proportional to the administrative costs borne or refuse to act.

These rights can be exercised directly or through a legal representative (such as a lawyer) or volunteer.

The right of access to personal data -now reinforced by European justice- is the one that opens the door to the exercise of the rest of the faculties, (here you can download template to request personal data of the AEPD).

The exercise of right of rectification authorizes the citizen to obtain the correction of their personal data that are inaccurate or to complete those that are missing without undue delay from the data controller.

He right of opposition means that you can oppose before the person responsible for processing personal data in two cases.

If the object of treatment is based on a mission of public interest or legitimate interest (including profiling), the person in charge will stop processing the data unless he proves compelling reasons that prevail over the rights of the interested party or for the formulation of the exercise or the defense of claims.

If the processing is for the purpose of direct marketing (also including profiling), the personal data will no longer be processed for such purposes.

He right of erasure It can be exercised, among others, when the personal data is no longer necessary for the purposes for which it was collected, the consent given for its treatment is withdrawn or the personal data has been illegally processed.

The GDPR, when regulating this power, connects it with the right to be forgotten, forcing the deletion of any link or copies or replicas of the deleted data. It is not an unlimited right and the deletion is rejected when the treatment is necessary for the exercise of freedom of expression and information, for the fulfillment of a legal obligation…

new rights

The jurisprudence of the Spanish and European courts have been outlining and adding new rights to data processing.

He right to restriction of processing consists of obtaining the suspension of personal data when its accuracy is challenged during the period that the person in charge can verify it or when the citizen has opposed the processing of their personal data that the person in charge carries out based on the legitimate interest or mission of public interest, while he verifies whether these motives prevail over those of the citizen.

He right to portability reinforces the control of personal information, so that when the treatment is carried out by automated means, the citizen receives their personal data in a structured, commonly used, machine-readable and interoperable format, and can transmit them to another data controller, provided that the treatment is legitimized on the basis of consent or the execution of a contract. It cannot be applied when the treatment is necessary for the fulfillment of a mission of public interest.

He right not to be subject to automated individual decisions guarantees that the user is not subject to a decision based solely on the processing of their data, including profiling, which produces legal effects on them or significantly affects them.

Profiling analyzes or predicts aspects related to job performance, economic situation, health, personal preferences or interests, reliability or behavior. This right will not be applicable when it is necessary to enter into a contract or when the data processing is based on previously given consent. However, the person responsible for the file must guarantee the citizen’s right to obtain human intervention, express his point of view and challenge the decision.