Subject access disputes: exemptions, closed procedures and more

May 12th, 2023 by Robin Hopkins

As noted by Panopticon earlier today, the CJEU has been busy pronouncing on subject access request principles. The drift has, in general, been pro-data subject. In the UK, however, subject access case law has not necessarily been one-way pro-disclosure traffic, as is evident from the robust and careful judgment handed down this week by Mrs Justice Farbey in X v Transcription Agency and Master James. Read more »


Subject access requests: what do you need to provide?

May 12th, 2023 by Robin Hopkins

Dear Sir/Madam, I hereby make a subject access request, please give me copies of documents and specify everyone you gave my data to, yours sincerely.

Response: okay, you can have some data, but no documents and we only need to tell you about ‘categories’ of recipients, not specific recipients.

Reply: not good enough, Article 15 GDPR entitles me to more detail.

Who is right? The CJEU has had a busy few months shedding some light on these kinds of issues, thanks mainly to a slew of Austrian referrals, with its latest contribution coming last week. Read more »


GDPR compensation claims: no threshold of seriousness

May 5th, 2023 by Robin Hopkins

Panopticon has covered a number of judgments handed down in the UK over the last year or two that demonstrate judicial scepticism about compensation claims for alleged data protection infringements. In a number of cases (though not all), judges have been particularly sceptical whether, on the facts before them, the claim – even if made out – would pass the threshold of seriousness for entitlement to compensation. Some, however, argue that compensation claims under the GDPR/UK GDPR are not subject to any such threshold. So what’s the answer? Read more »


How Do You Solve a Problem Like Korea?

January 5th, 2023 by Christopher Knight

By making it the subject of the UK’s first post-Brexit UK GDPR data adequacy decision of course! With effect from 19 December 2022, the UK has designated the Republic of Korea as providing an adequate level of personal data: see the Data Protection (Adequacy) (Republic of Korea) Regulation 2022. Regulation 2(2) specifies that a “transfer described by this subsection is a transfer of personal data to a person in the Republic of Korea who is subject to the Personal Information Protection Act as that Act forms part of the law of the Republic of Korea and has effect from time to time“. Read more »


11KBW Information Law Conference 2023 *DATE ANNOUNCED*

December 20th, 2022 by lawrence

We are delighted to announce our Information Law Conference will be taking place on 24 April 2023.

11KBW’s market-leading specialists to provide insights and updates across the information law spectrum.

Click here to view the conference programme.

Conference details

Date: 24 April 2023

Registration from: 9.00am

Duration of Conference: 9.30am – 3.30pm

Drinks Reception from: 3.30pm – 5pm

Venue: Royal College of Surgeons, 38-43 Lincoln’s Inn Fields, London, WC2A 3PE

Cost: £199 + VAT per person.

To book a place please email


Erasure requests: accuracy and images

December 12th, 2022 by Robin Hopkins

The right to be forgotten – remember that? It isn’t often the subject of litigation, in the UK at least: uncertainty about outcomes is probably a significant reason why parties usually opt not to put their disputes before the courts. Last week’s judgment of the Grand Chamber of the CJEU in TU and RE v Google LLC (Case C‑460/20) won’t remove uncertainty about judicial approaches to such cases, but it does shed helpful light on some common elements of disputes under Article 17 (UK) GDPR. Read more »