Jef Ausloos, Michael Veale and René Mahieu
The right to object offers a context-dependent
and individualised re-assessment of the relevant
processing purposes, specifically in relation to the
data subject’s concrete situation. Data controllers’
potential compelling legitimate interests should be
detailed, publicly declared and foreseeable, in order
to be able to override data subjects’ clear desire to
stop the respective processing operation.
6 The right to restriction of processing — currently
ignored by most data controllers — should be
prioritised in time and effectively ‘freeze’ any
further processing operations. Information society
services should offer this through an interface.
7 The right to rectification applies to opinions and
inferences of the data controller, including profiling,
and must consider that the vast majority of data is
(Joint) controllers have an explicit duty to facilitate
the exercise of data subject rights and cannot
require specific forms or legislative wording as a
precondition for accommodating them.
9 Restrictions or limitations on how data rights are
accommodated (eg rights and freedoms of others,
excessiveness, repetitiveness) need to be foreseeable
and interpreted narrowly and specifically in light
of the concrete and specific right, data subject and
context at hand.
Data subject rights are of critical importance in
the European data protection regime. Throughout
all discussions of their scope and limits, it must be
recalled that rights are not simply a way to police
that sufficient data protection is occurring, but they
are an intrinsic part of the fundamental right to data
protection enshrined in the Charter of Fundamental
Rights, which states that:
Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it
11 Data rights must, in general, be implemented with
several observations of the Court of Justice of the
European Union in mind.2 The Court has held that
one of the key objectives of data protection law
is the effective and complete protection of the
fundamental rights and freedoms of natural persons
with respect to the processing of personal data.3
1 Charter, art 8(2).
2 We refer to the Court of Justice as the Court in the remainder
of this article.
3 Case C-131/12 Google Spain SL and Google Inc v Agencia Española
12 We can see this principle in operation in relation to
data rights which are prerequisites to others. The
Court held that the right of access is a pre-requisite
to the ‘rectification, erasure or blocking’ of data, and
thus the existence (and extent) of the right of access
must allow effective use of other data rights.4
The Court has also held that provisions of data
protection law must be interpreted as to give
effect to the efficient and timely protection of
the data subject’s rights.5 Furthermore, it is critical
to consider data rights in light of the overarching
principles of transparency and fairness in the
GDPR. Data controllers are not permitted to frustrate
data subjects in their attempts to benefit from the
high level of protection that follows from their
fundamental rights. Indeed, they have to both
implement data rights6 as well as facilitate the
exercise of such rights.7
Relatedly, the Court has also highlighted that
data protection should be understood within the
framework of the responsibilities, powers and
capabilities of a data controller.8 As the European
Data Protection Board has already pointed out,
‘information society or similar online services that
specialise in automated processing of personal data’
are highly capable at classifying, transmitting and
managing personal data in automated ways, and as
a result9 meet data rights in an effective, complete,
efficient, and timely manner.
Finally, the Court has also linked the ability to
effectively exercise data subject rights with the
fundamental right to effective judicial protection
in Article 47 Charter. Specifically, it stressed that
‘legislation not providing for any possibility for an
de Protección de Datos (AEPD) and Mario Costeja González
EU:C:2014:317; Case C-73/16 Peter Puškár v Finančné
riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej
správy EU:C:2017:725.
4 Case C-434/16 Peter Nowak v Data Protection Commissioner
EU:C:2017:994; Case C-553/07 College van burgemeester en
wethouders van Rotterdam v MEE Rijkeboer EU:C:2009:293.
5 Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale
NRW eV EU:C:2019:629.
6 GDPR, art 25 (‘Data protection by design and by default’).
7 GDPR, art 12(2).
8 Google Spain (n 3); Case C-136/17 GC and Others v
Commission nationale de l’informatique et des libertés (CNIL)
9 Article 29 Working Party, ‘Guidelines on the Right to Data
Portability (WP 242)’ (13 December 2016) 12.