On March 13, 2025, the Court of Justice of the EU (“CJEU”) ruled that the right of rectification (in Article 16 GDPR) requires a national authority to correct a person’s gender identity, where it is shown to be inaccurate (Case C‑247/23 [Deldits]). The authority, however, may require that person to provide relevant and sufficient evidence to establish that the information concerning their gender is inaccurate, but may not go so far as to require proof of gender reassignment surgery.Continue Reading CJEU Rules on Right of Rectification of Gender Identity
GDPR Rights
EDPB Launches Coordinated Enforcement on the Right to Erasure
Posted in European Union, GDPR Rights
Updated
On March 5, 2025, the European Data Protection Board (“EDPB”) announced that EU Supervisory Authorities (“SAs”) will undertake a coordinated enforcement action in 2025 regarding data subjects’ right to erasure under Art. 17 of the GDPR. For context, the EDPB selects a particular topic each year as its focus for pan-EU coordinated enforcement.Continue Reading EDPB Launches Coordinated Enforcement on the Right to Erasure
CJEU Clarifies GDPR Rights on Automated Decision-Making and Trade Secrets
On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a significant decision on the right of data subjects to request access to their personal data under Article 15 GDPR, specifically as it relates to automated decision-making and striking an appropriate balance between informing data subjects and protecting trade secrets (Case C‑203/22).Continue Reading CJEU Clarifies GDPR Rights on Automated Decision-Making and Trade Secrets
EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
By Dan Cooper & Anna Oberschelp de Meneses on
Posted in European Union, GDPR Rights
On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR. For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.
In 2023, regulators focused upon data protection officers’ designation and role. And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action. This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
CJEU Holds That GDPR Right of Access Overrules Local Laws
Posted in European Union, GDPR Rights
On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.Continue Reading CJEU Holds That GDPR Right of Access Overrules Local Laws
Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient
Posted in European Union, GDPR Rights
On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients. The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient
CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data
By Dan Cooper & Anna Oberschelp de Meneses on
Posted in EU Data Protection, GDPR Rights
On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR. The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.Continue Reading CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data