When accounts are blocked: Court strengthens the right to full disclosure under the GDPR
Account blocks and abrupt terminations of business relationships are often difficult for those affected to understand. It often remains unclear what data was used, what checks were carried out and whether external parties were involved. A recent, legally binding ruling by an Austrian court now clarifies that anyone who processes personal data must provide comprehensive information about it – far beyond mere account statements.
The focus of the decision is point III.3, in which the court specifies the scope of the right to information under Article 15 of the GDPR. The key message is clear: responsible bodies are obliged to provide complete and transparent information about all personal data that has been or is being processed.
Information means more than numbers and bookings
In the court’s view, the right under Article 15 GDPR is not limited to the transmission of account balances or technical statements. Rather, it includes:
- information on whether personal data has been or is being processed,
- information on whether this data has been transferred to third parties,
- if so, to which recipients or categories of recipients,
- and a digital copy of all personal data that is or was subject to processing.
The court refers to the case law of the European Court of Justice (including Case C-487/21), according to which data subjects are entitled to a faithful and comprehensible reproduction of all personal data concerning them. Selective extracts or mere summaries are not sufficient.
No restriction to ‘relevant’ or ‘essential’ data
Of particular significance is the clarification that the right to information may not be restricted to certain types of data. It covers all personal data in principle, regardless of whether it is favourable, neutral or unfavourable to the data subject.
This includes in particular:
- internal memos and notes,
- evaluations, classifications or risk ratings,
- communication content,
- review and decision notes,
- information from automated or semi-automated processes,
- details of transfers to external service providers or other recipients.
This scope is particularly crucial in the case of account suspensions or similar measures, as such decisions are often based on complex review mechanisms or internal evaluations.
Transparency in automated or risk-based decisions
The ruling emphasises that blanket references to ‘internal audits’, ‘risk assessments’ or ‘compliance requirements’ are not sufficient when a request for information is made under Article 15 of the GDPR. Data subjects have the right to know what personal information has actually been processed and in what context.
In doing so, the court strengthens the control function of the right to information, particularly in areas where decisions are increasingly prepared on a data-based or automated basis. The aim is not to disclose internal business secrets, but to provide transparency about which personal data has been used in decision-making processes.
Timing and completeness are crucial
The court also clarifies that the right to information arises at the time of the request for information. The data stock at that point in time is decisive. Subsequent, only partial or delayed disclosure does not replace the complete information owed.
This clarification is of great practical importance, particularly in cases where data subjects make multiple requests or only receive documents after a long period of time. The obligation to provide information is immediate and complete.
Conclusion: Art. 15 GDPR as an effective transparency tool
The ruling makes it clear that the right to information under Art. 15 GDPR is not merely a formal right. It serves to create transparency about data-based decisions and to give data subjects a real opportunity to exercise control.
Anyone affected by an account suspension or similar measures can request:
- full disclosure of all personal data processed,
- information about recipients and data transfers,
- and a comprehensible digital copy of this data.
The courts have thus made it clear that controllers may not hide behind blanket justifications or technical jargon. The right to information is a key instrument for effectively countering non-transparent decision-making processes.
Note:
This article is a journalistic analysis. It is based on publicly available sources. It does not constitute a legal assessment or financial advice. All assessments have been researched to the best of our knowledge and are marked as opinions within the meaning of Art. 10 ECHR / Art. 5 GG. Counterstatements will be taken into account in accordance with Section 56 of the German Interstate Broadcasting Treaty (RStV).
Sources:
· General Data Protection Regulation (GDPR)
Art. 15 GDPR – Right of access by the data subject
Regulation (EU) 2016/679
Available at: EUR-Lex, consolidated version.
· European Court of Justice (ECJ)
Judgment of 4 May 2023, Case C-487/21 (Austrian Data Protection Authority)
Key statement: Right to a true and comprehensible copy of all personal data, not mere summaries or selective extracts.
Source: CURIA – Case law of the ECJ.
· Austrian court, final decision (point III.3)
Clarification of the scope of the right to information under Art. 15 GDPR in the case of comprehensive data processing.
(File number and court to be added depending on publication.)
· Guidelines of the European Data Protection Board (EDPB)
Guidelines on Transparency and Data Subject Rights
Confirmation of the broad interpretation of the right to information, in particular in the case of automated or risk-based decisions.
· Specialist literature / commentary
e.g. Kühling/Buchner, GDPR Commentary, Art. 15
Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR)
Leave a Reply
Want to join the discussion?Feel free to contribute!