Landmark GDPR Case Could Redefine Data Access Rights in the EU

A high-stakes legal battle could change how your personal data is shared—or withheld. Will new rules curb abuse or weaken your rights under GDPR?

A key legal battle over GDPR access rights is heading to the Court of Justice of the European Union (CJEU). The case, Brillen Rottler (C-526/24), will examine whether organisations are misusing their powers when handling data subject requests. Meanwhile, new proposals aim to tighten rules around abusive or unfounded demands for personal information.

The outcome could reshape how companies process requests under Article 15 GDPR, which guarantees individuals the right to access their data. Changes are also being considered to prevent premature deletions that might block legitimate access claims. Under current GDPR rules, individuals can request copies of their personal data through Article 15. However, organisations must first ensure these requests do not harm others’ rights, as outlined in Article 15(4). Before sharing information, controllers are required to redact unrelated data but cannot alter or withhold the subject’s own details.

A recurring issue is the incorrect handling of these requests, often due to oversight rather than intent. Some companies delete data too soon, potentially violating GDPR if it prevents individuals from exercising their right to access. To avoid such breaches, organisations must now keep records of correspondence and data copies for up to three years, fulfilling their accountability duties under Article 5(2).

The Digital Omnibus proposal introduces stricter measures, allowing controllers to charge fees or reject requests deemed manifestly unfounded or excessive. Another suggested change to Article 12(5) GDPR would shift the burden of proof, requiring controllers to demonstrate when a request is abusive. This aims to prevent misuse while ensuring access rights remain protected.

The CJEU’s ruling in Brillen Rottler will clarify how these rules should be applied in practice. Until then, companies must prioritise access requests over deletion demands to avoid undermining individuals’ rights under Article 17 GDPR. The CJEU’s decision will set a precedent for how organisations balance access rights with data protection obligations. If adopted, the proposed amendments would give controllers more tools to manage abusive requests while maintaining transparency.

For now, businesses must ensure they process requests accurately and retain necessary records. Failure to do so could lead to GDPR violations, particularly if data is deleted before access is granted.
