On 4 May 2023, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Case C-487/21 (Österreichische Datenschutzbehörde and CRIF).
The background of this case:
- The applicant in the main proceedings (“Applicant”) exercised his right of access against CRIF, a consultancy agency which provides its clients with information on the creditworthiness of third parties. The Applicant asked CRIF for a copy of the documents, namely e-mails and database extracts, containing his personal data “in a standard technical format”.
- In response to this request, CRIF has provided the Applicant with a summary of the list of his personal data processed by CRIF.
- The Applicant lodged a complaint with the Austrian Data Protection Authority (“Austrian DPA”) as he considered that CRIF should have provided him with a copy of all the documents containing his personal data.
- The Austrian DPA found that CRIF had not violated the Applicant’s right of access and rejected the Applicant’s complaint.
- The Applicant brought an action before the Austrian Federal Administrative Court against the rejection decision of the Austrian DPA.
- The Austrian Federal Administrative Court has asked the CJEU for a preliminary ruling on the interpretation of the right of access under Article 15 of the GDPR.
The CJEU interpretation:
- Regarding the first sentence of Article 15(3) of the GDPR, which provides for the right of the data subject to obtain a copy of his or her personal data undergoing processing
CJEU has interpreted that the right to obtain from the controller a “copy” of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data.
Although Article 15 does not define the term “copy”, the usual meaning of that term should be considered, which refers to the faithful reproduction or transcription of an original.
Therefore, a purely general description of the personal data undergoing processing or a reference to categories of personal data does not correspond to that definition.
CJEU further interpreted that that right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR.
The rights and freedoms of others must be considered. Where there is a conflict between the exercise of the right of access and the rights or freedoms of others, the CJEU has interpreted that a balance must be struck between the rights and freedoms in question. Wherever possible, controllers should choose the means of communicating the personal data that do not infringe the rights or freedoms of others. These considerations should not result in a refusal to provide all information to the data subject.
- Regarding the concept of “information” referred to in the third sentence of Article 15(3) of the GDPR, which provides that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information is to be provided in a commonly used electronic form.
CJEU has interpreted that it follows from the context of this provision that the “information” to which it refers necessarily corresponds to the personal data of which the controller must provide a copy in accordance with the first sentence of that paragraph referring to personal data.
Following the CJEU judgment, the term “copy” of personal data does not relate to a document/support as such, but to the personal data which it contains, and which must be complete.
However, there would be cases where it is mandatory for the controller to provide the data subjects exercising the right of access with copies of extracts from documents or entire documents or extracts from databases which contain the personal data.
This obligation would only arise if the provision of such a copy is essential to enable the data subjects to effectively exercise the rights conferred on them by the GDPR.
Therefore, to determine whether this is essential in the light of the CJEU judgment, controllers would normally have to make a case-by-case assessment and document this if they decide not to provide copies of the document/support containing the personal data.
Note: It appears that the CJEU has not followed exactly the Advocate General’s opinion in this case (see our previous update on this here).