The Court of Justice of the European Union (the “CJEU”) has issued a recent judgment (for now only available in its original French version) providing guidance on controllers’ obligation to provide data subjects with access to their personal data under Article 15 of the European General Data Protection Regulation (“GDPR”).
The case involves a complaint filed by a data subject against a business consulting agency providing creditworthiness information. The data subject had requested access to the personal data that the agency processed about him and also asked for a copy of the documents, including emails and database extracts containing his data, in a standard technical format. In response, the agency provided the data subject with a summary list of his personal data undergoing processing. The data subject was not satisfied with this response, arguing that the agency was obligated to provide all documents containing his personal data, including emails and database extracts. Therefore, the data subject filed a complaint with the Austrian Data Protection Authority, which rejected the complaint, stating that the right of access was not violated in any way. The data subject then appealed this decision to the Federal Administrative Court of Austria, which decided to submit prejudicial questions to the CJEU to obtain certainty about the interpretation of Article 15(3) GDPR and, more specifically, the requirement to provide the data subject with a ‘copy’ of their personal data undergoing processing.
After analyzing the wording of Article 15(3) GDPR, the CJEU concludes that the provision grants data subjects the right to obtain a “faithful and intelligible reproduction of their personal data”, understood in a broad sense, that is processed by the controller. This right includes obtaining copies of extracts from documents or even entire documents or extracts from databases containing those data, if the provision of such a copy is essential to allow the data subjects to effectively exercise their data subject rights.
The CJEU notes that the term ‘copy’ relates to the personal data contained in the document, not the document itself, and the copy must be complete and contain all the personal data undergoing processing. The CJEU emphasizes that the objective of Article 15(3) GDPR is to enable data subjects to ensure that their personal data are correct and processed in a lawful manner and underscores that a mere general description of the personal data undergoing processing or a reference to categories of personal data cannot be considered a “copy” in the sense of this article.
Additionally, the CJEU states that it is apparent from the GDPR that the controller must provide the data subject with all the information referred to in an easily accessible form, using plain and clear language, in writing, or by other means, including electronic means where appropriate. Therefore, the copy of the personal data undergoing processing must have all the characteristics necessary for the data subject to exercise his or her rights under the GDPR effectively and must, consequently, reproduce those data fully and faithfully.
To ensure that the information provided to the data subject is easily understandable, it may be necessary to provide extracts from documents, entire documents, or database extracts that contain the personal data undergoing processing. This is especially important when the personal data is generated from other data or when there is an absence of information, making it difficult for the data subject to understand the context in which his or her data are processed. In such cases, presenting the data in an intelligible manner requires taking into account the context in which the data are processed.
If there is a conflict between a data subject’s right to access his or her personal data and the rights or freedoms of others, the CJEU takes the view that a balance should be struck between these conflicting interests. When providing access to personal data, the controller should prefer means of communication that do not infringe the rights or freedoms of others when providing access to personal data. However, this should not result in a complete refusal of the data subject’s right to access all of their personal data.
In summary, the judgment provides significant clarification on the scope of the right of access under Article 15(3) GDPR, confirming that this right includes obtaining copies of documents and other information if such copies are essential for the data subject to effectively exercise his or her data subject rights. For companies, determining what information to disclose and how to do so properly can be challenging. Therefore, seeking legal advice is crucial, particularly when balancing the data subject’s right to access with the rights and freedoms of others.
For further information, please contact:
Maarten Stassen, Partner, Crowell & Moring
mstassen@crowell.com