AG: DPAs can be 'controllers'
An Advocate General advised that data protection authorities (DPAs) should be treated as 'controllers' for Article 15 access rights in case C‑205/25, shifting who can be asked to provide personal‑data copies. (Social legal commentary highlighted the AG’s recommendation on controller status and Article 15 access requests.) (x.com)
A senior adviser to the European Union’s top court said a data protection authority can count as a “controller” when it handles a person’s complaint file, opening the door to Article 15 access requests against the authority itself. (infocuria.curia.europa.eu) The case is C‑205/25, Joachim Lindenberg v Bayerisches Landesamt für Datenschutzaufsicht, a reference from the Bavarian Administrative Court in Ansbach, Germany, lodged on March 17, 2025. The referring court asked whether a supervisory authority acting on an Article 77 complaint is also a “controller” under Article 4(7) of the General Data Protection Regulation. (infocuria.curia.europa.eu) The same referral also asks whether Article 23 of the General Data Protection Regulation blocks a Bavarian rule that broadly excludes access or inspection rights for supervisory-authority files. The defendant is Bavaria’s state data protection regulator for the private sector. (infocuria.curia.europa.eu) Article 15 is the General Data Protection Regulation’s access right: it lets a person ask a controller whether it processes their data and, if so, obtain the data and information about the processing. European Data Protection Board guidance says the point is to let people verify whether processing is lawful and accurate. (gdpr-info.eu) (edpb.europa.eu) The dispute matters because complaint files held by regulators often contain personal data about the complainant, the target company, and the authority’s own handling of the case. If a regulator is treated as the controller for that file, the access request goes to the regulator, not only to the company that triggered the complaint. (infocuria.curia.europa.eu) (edpb.europa.eu) That would not make access unlimited. Article 15(4) says the right to obtain a copy must not adversely affect the rights and freedoms of others, and the referral separately asks whether national secrecy rules for regulator files can survive Article 23 scrutiny. (gdpr-info.eu) (infocuria.curia.europa.eu) European guidance already draws a line between data-protection access rights and freedom-of-information style access to public documents. The European Data Protection Board says Article 15 is about a person’s own personal data, not a general right to inspect an authority’s whole file. (edpb.europa.eu) The Court of Justice is not bound by an Advocate General’s opinion, but those opinions often frame the final ruling and are followed in many cases. As of April 18, 2026, InfoCuria still lists C‑205/25 as pending. (curia.europa.eu) (infocuria.curia.europa.eu) If the court adopts that approach, people who use the General Data Protection Regulation complaint system could gain a clearer route to obtain copies of their own data from the watchdog handling the complaint. If it rejects it, access fights over regulator files are more likely to stay tied to national procedural limits. (infocuria.curia.europa.eu) (edpb.europa.eu)
