CJEU Clarifies the Right to Obtain a Copy of Personal Data under the GDPR
E-Bulletin No 06/23
On May 4, 2023, the Court of Justice of the European Union (‘CJEU’) decided, in case C-487/21*, that the right to obtain a ‘copy’ of personal data means that the data subject must be provided with a faithful and intelligible reproduction of all personal data.This can also include documents or extracts from databases containing personal data, where it would be necessary to ensure that the personal data is intelligible, as per Article 15(3) GDPR.
BACKGROUND
This request for a preliminary ruling concerns the interpretation of Article 15 of Regulation (EU) 2016/679 (GDPR). The request has been made in proceedings between F.F. and the Österreichische Datenschutzbehörde (Austrian Data Protection Authority; ‘DSB’) concerning DSB’s refusal to require CRIF GmbH to send F.F. a copy of the documents and extracts from databases containing, inter alia, his personal data undergoing processing. CRIF is a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties. It was for that purpose that it processed the personal data of the applicant in the main proceedings. On 20 December 2018, the applicant applied to CRIF, on the basis of Article 15 of the GDPR, for access to the personal data concerning him. In addition, he asked to be provided with a copy of the documents, namely emails and database extracts containing, inter alia, his data, ‘in a standard technical format’.
In response to that request, CRIF sent the applicant in the main proceedings, in summary form, the list of his personal data undergoing processing.
Being of the view that CRIF should have sent him a copy of all the documents containing his data, such as emails and database extracts, the applicant in the main proceedings lodged a complaint with DSB.
By decision of 11 September 2019, DSB rejected that complaint, taking the view that CRIF had not in any way infringed the right of access of the applicant in the main proceedings to his personal data. The data subject then appealed this decision to the Austrian Federal Administrative Court, which referred the matter to the CJEU.
The referring court asked to the CJEU in particular whether the obligation laid down in that provision to provide a ‘copy’ of the personal data is fulfilled where the controller transmits the personal data in the form of a summary table or whether that obligation also entails the transmission of document extracts or entire documents, as well as database extracts, in which those data are reproduced.
Considerations of the CJEU
Fulfilling the right of access. The CJEU considered that the right to obtain a “copy” of personal data under Article 15(3) GDPR is not a separate right from the right provided for under Article 15(1) and that the term “copy” does not relate to the document as such, but to personal data contained within such a document. Therefore, the CJEU interpreted the right to obtain a “copy” as requiring the data subject to be given a faithful and intelligible reproduction of his or her personal data undergoing processing. In particular, the CJEU held that the data controller must provide copies of extracts from documents, or even entire documents or extracts from databases, that contain the personal data, in order to ensure the effective exercise of data subject rights under the GDPR. † Equally, the controller has to ensure that the personal data is clearly intelligible, which may require the reproduction of extracts from documents or even entire documents in order to clarify the context in which the personal data was processed. In particular, where personal data are generated from other data or where such data result from empty fields, that is to say, where there is an absence of information which provides information about the data subject, the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data.
Finally, the CJEU states that, in the event of a conflict arising between the data subject’s right to access and third-party rights, the right to obtain a copy should not adversely affect the rights and freedoms of others, which includes protecting trade secrets and intellectual property rights belonging to the third party.The CJEU agreed with the Advocate General, finding that data in the event of conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights and freedoms of others, a balance will have to be struck between the rights in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’.
On the meaning of the term “information” found in Article 15(3) GDPR, the CJEU clarified that this only refers to the personal data processed by the controller, pursuant to the first sentence of Article 15(3). As the Advocate General observed in points 36 to 39 of his Opinion, the broad definition of the concept of ‘personal data’‡ covers not only data collected and stored by the controller, but also includes all information resulting from the processing of personal data relating to an identified or identifiable person, such as the assessment of that person’s creditworthiness or his or her ability to pay.
* For full text of the decision, please visit: https://curia.europa.eu/juris/document/document.jsf?text=&docid=273286&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4130800
† Thus, the right of access provided for in Article 15 of the GDPR must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner (see, to that effect, judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C 154/21, EU:C:2023:3, paragraph 37 and the case-law cited).
‡ The use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in that provision reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject (see, by analogy, judgment of 20 December 2017, Nowak, C 434/16, EU:C:2017:994, paragraph 34). In that regard, it has been held that information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person (see, to that effect, judgment of 20 December 2017, Nowak, C 434/16, EU:C:2017:994, paragraph 35).