The Court of Justice of the European Union ("CJEU") has delivered an important judgment in regard to the scope of the right to access under the GDPR, in particular as to what constitutes a "copy" of personal data.
Article 15(3) of the GDPR requires controllers to provide data subjects with a "copy" of their personal data, when requested. The EDPB Guidelines on Data Subject Access Requests ("DSARs"), along with the DPC Guidelines on DSARs, both state that this does not necessarily mean that the data subject is entitled to a reproduction of the original document containing their personal data. Rather, the controller is obliged to furnish to the data subject a copy of the personal data being processed in those documents. The personal data should be provided in a durable format, meaning in a way that is capable of being retained by the data subject in accordance with their own needs.
This interpretation was recently endorsed by the CJEU. In case C-487/21 (Österreichische Datenschutzbehörde and CRIF), the CJEU ruled that the term "copy" in Article 15(3) GDPR means that the data subject is entitled to obtain "a faithful and intelligible reproduction" of his or her personal data.
The CJEU confirmed that the term "copy" does not necessarily mean the data subject is entitled to a copy of the document itself, but rather to a copy of the personal data within the document, which must be complete. Accordingly, it is insufficient for the data subject to be provided only with a summary of their data.
The CJEU acknowledged that copies of extracts from documents, or even entire documents, or extracts from databases which contain those data, should be provided "if…such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by [the GDPR]" and where the contextualisation of the data processed is necessary in order to ensure the data are intelligible. If providing a copy of entire documents poses a conflict with the rights and freedoms of others, a balance must be struck between the rights in question. Wherever possible, the personal data should be communicated in a format that does not infringe the rights or freedoms of others. Accordingly, controllers must consider the most appropriate format in which to respond to a DSAR on a case-by-case basis.
FF, an individual, submitted a DSAR to an Austrian credit rating agency, requesting a copy of documents, namely emails and database extracts, containing his data, "in a standard technical format." In response, the agency sent FF, in summary form, a list of his personal data that was undergoing processing. FF lodged a complaint with the Austrian Data Protection Authority ("DSB") claiming that the agency should have sent him a copy of all the documents containing his data. The DSB rejected the complaint, finding that the agency had not infringed FF's right of access. FF appealed against the DSB's decision to the Austrian court.
The referring court was uncertain about the scope of the right of access under Article 15 GDPR, in particular the meaning of the term "copy" in Article 15(3) GDPR. It therefore referred a number of questions to the CJEU, including:
- What does a "copy" of personal data actually mean?
- Does the obligation to provide a "copy" of personal data undergoing processing entail a right only to an exact reproduction of the personal data or does it include an obligation to provide entire documents or copies of database extracts containing personal data?
- If the data subject has a right only to exact reproduction of the personal data, is it necessary in certain cases to make text passages or entire documents available to the data subject?
- Should the term "information" in Article 15(3) of the GDPR be interpreted as referring solely to (a) "personal data undergoing processing", or does it include (b) information pursuant to Article 15(1)(a)-(h) of the GDPR, or (c) associated metadata?
Decision: The first, second, and third questions referred
The CJEU noted that the GDPR does not contain a definition of the term "copy"; account must therefore be taken of the usual meaning of that term, along with the context in which it appears and the objectives pursued by the GDPR.
On that basis, the CJEU interpreted the term "copy" in Article 15(3) of the GDPR as conferring on a data subject the right to obtain a faithful reproduction of his or her data that are undergoing processing. The CJEU agreed with the European Commission's written observation that the term "copy" does not relate to a document as such, but to the personal data which it contains, and which must be complete.
In order to ensure the information provided to the data subject is easy to understand, as required by Article 12(1) of the GDPR, read in conjunction with recital 58 of the GDPR, the CJEU held that "it may prove essential" to provide "the reproduction of extracts from documents or even entire documents or extracts from databases" which contain the personal data, "where the contextualisation of the data processed is necessary in order to ensure the data are intelligible". For example, the CJEU noted that where personal data results from empty fields (i.e. where there is an absence of information which provides information about the data subject), the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data. Accordingly, the need for controllers to provide data subjects with entire documents or extracts in order to ensure the intelligibility of the information provided will need to be analysed on a case-by-case basis, depending on the type of data being requested and the request itself.
In addition, the CJEU noted that in accordance with Article 15(4) of the GDPR, read in conjunction with recital 63 of the GDPR, a data subject's right to obtain a "copy" of their personal data must not adversely affect the rights and freedoms of others. Therefore, when a conflict arises between exercising the right of access and the rights and freedoms of others, a balance must be struck between the rights in question.
Decision: The fourth question referred
The CJEU held that the concept of "information" in Article 15(3) of the GDPR should be interpreted narrowly, as referring exclusively to the personal data which the controller must provide a copy of pursuant to the first sentence of that paragraph.
Impact of Decision
The CJEU's confirmation of the approach taken by the EDPB and DPC on what constitutes a "copy" of one's personal data is helpful, and reflects the approach taken by most controllers to date.
The CJEU similarly decided in the case of YS (C-141/12 and C-373/12) that the right of access under the former (now repealed) Data Protection Directive (95/46/EC) did not provide data subjects with a right to a copy of the actual document in which their personal data appeared, and that the right of access could be complied with by providing the data subject with a "full summary" of the data in an intelligible form.
The EDPB Guidelines on DSARs already highlighted that the word "summary" in the case of YS should not be misinterpreted as meaning that the compilation would not encompass all data covered by the right of access. Rather, it is a way to present all the data without systematically providing access to the actual documents. The EDPB notes that making some kind of compilation and/or extraction of the data that renders the information easy to comprehend is also a way of complying with the requirement to provide the information in a way that is both "intelligible and easily accessible" as required under the GDPR. The EDPB acknowledged that in other cases, information may be better understood by providing a copy of the actual document containing the personal data. Hence, which form is most suitable must be decided on a case-by-case basis.
The CJEU's latest decision serves as a reminder to controllers of the importance of providing data subjects with "a faithful reproduction" of their personal data when responding to DSARs, and of considering the most appropriate format in which to respond to a DSAR on a case-by-case basis. Where the provision of a copy of a document or extracts from a database is necessary in order to ensure the data subject fully understands the personal data undergoing processing, and does not adversely affect the rights and freedoms of others, then controllers should consider whether it is appropriate to disclose entire documents or extracts.
If you would like to find out more, please contact Technology and Innovation Group partners Anne-Marie Bohan, Davinia Brennan, Deirdre Crowley, Rory O'Keeffe, Carlo Salizzo, or your usual Matheson contact.