Update Data Protection No. 147
The European Court of Justice specifies the scope of the Right of Access
In its judgment of 4 May 2023 (Case C-487/21), the European Court of Justice (“ECJ”) specified the scope of the right to obtain a “copy” of personal data in the context of the right of access. The ECJ ruled that the copy must be used to provide the data subject with a faithful and intelligible reproduction of all personal data that are the subject of the processing. This means that extracts from documents or entire documents or, if applicable, extracts from databases must be provided if and insofar as this is necessary for the effective exercise of the rights of data subjects. Controllers must now take this into account when providing information and create appropriate capacities.
We have already reported on the facts of this case in our Update Data Protection no. 129 regarding the Opinion of the Advocate General of the European Court of Justice (“Advocate General”), Giovanni Pitruzzella in this proceeding.
In summary, the judgment is based on a preliminary ruling procedure, with which the referring Federal Administrative Court (Austria) essentially asked questions about the content and scope of the right to a copy of the personal data in the context of the right of access pursuant to Art. 15 (3) s. 1 GDPR. The decisive question was whether the claim is already fulfilled where the controller transmits the personal data as a summary table in aggregated form, or whether the claim also includes the provision of a copy of the extracts from documents or even a copy of entire documents or even extracts from databases.
Decision of the ECJ
The ECJ decided that the right to obtain a copy pursuant to Art. 15 (3) s. 1 GDPR is to be understood as meaning that the data subject is provided with a faithful and comprehensible reproduction of all personal data that are the subject of the processing. This could include a copy of documents or extracts thereof or extracts from databases, where this is essential to enable the data subject to effectively exercise the rights conferred upon him or her by this Regulation. However, the rights and freedoms of others must also be taken into account.
In the context of the reasoning of the judgment, the ECJ first established that the term “copy” is not defined in the GDPR. The “usual meaning” of the term “copy” derives from the understanding of a faithful reproduction or transcription of an original, so that a general description of the personal data or a reference to the categories of personal data would not correspond to the definition (cf. para. 21). According to the wording, it is also clear that the information relates to the personal data that are the subject of the processing (cf. para. 21).
Furthermore, the ECJ clarified the context of the right to obtain a copy in connection with the right of access. According to this, Art. 15 (1) GDPR regulates the subject matter and scope of the right of access, while Art. 15 (3) GDPR determines the practical modalities of the provision of information. For example, Art. 15 (3) s. 1 GDPR determines the form of the provision of information (the “copy”). The right to obtain a copy pursuant to Art. 15 (3) GDPR thus does not regulate any claim other than that laid down in Art. 15 (1) GDPR, but only the form of the information to be provided pursuant to Art. 15 (1) GDPR (cf. para. 30 et seqq.).
The ECJ further argues that the term “copy” does not refer to a particular document, but to the personal data contained therein; the copy would therefore have to contain in full all the personal data that are the subject of the processing. Like the Advocate General with his Opinion, the ECJ argues here with the purpose of the right to information. This serves to strengthen the rights of the data subject. In addition to the possibility of verifying whether the personal data are correct, there should be a possibility of verifying whether their personal data are processed in a permissible manner. In the opinion of the ECJ, this right of access is necessary in order to enable the data subject to exercise the further rights of a data subject (e. g. right of rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR).
The ECJ also takes up an argument already made by the Advocate General in his Opinion: It follows from recital 58 GDPR and Art. 12 (1) GDPR that the personal data must be reproduced completely and true to the original. According to Art. 12 (1) GDPR, the controller must take appropriate measures to provide the information to the data subject in a concise, transparent, intelligible and easily accessible form in clear and plain language (cf. para. 38).
In accordance with the Advocate General’s Opinion, the ECJ concludes that it may be necessary to reproduce extracts from documents or entire documents or even extracts from databases. This is the case when the “contextualisation of the data processed is necessary in order to ensure the data are intelligible” (para. 41). In particular, according to the ECJ, this is the case if personal data are “generated from other data” or “result from empty fields, that is to say, where there is an absence of information which provides information about the data subject”; in such cases, the context is decisive for transparent access (para. 42).
Naturally, the provision of access in this way can also lead to a conflict with the rights or freedoms of other data subjects. The ECJ resolves this problem by finding that in the event of such a conflict a balance is to be struck between the right of full and comprehensive access and the conflicting rights or freedoms of other persons. A path should be chosen that does not violate the rights or freedoms of other persons, but without denying the data subject all access.
The referring court also asked itself what is meant by “information” pursuant to Art. 15 (3) s. 3 GDPR. According to Art. 15 (3) s. 3 GDPR, in the case of an electronic request for access, the “information” must generally be provided in a commonly used electronic form. The ECJ clarifies that information in this context only includes personal data. Only the controller would have to provide a copy of these in accordance with Art. 15 (3) s. 1 GDPR (cf. para. 46 et seqq.).
With the judgment, the ECJ clarifies important questions. The copy does not refer to a particular document, but to the personal data contained therein. The right to a copy includes the faithful reproduction of the processed personal data, if this is indispensable for the understanding of the context. When this is the case, however, remains to some extent an open question. Although the ECJ gives examples (cf. para. 42), these are only helpful to a limited extent. Data controllers should be guided by the principle that the provision of information must enable data subjects to verify both the accuracy of the data processed and the lawfulness of the processing.
The important, numerous other requirements for the provision of information should not be ignored either. For example, the ECJ has decided that, in principle, any specific recipients of personal data of the data subjects must also be named when providing information (as we reported in our Update Data Protection no. 133). Non-compliances in the provision of information can also justify the finding of a data protection breach (subject to an administrative fine). Data subject access requests should therefore always be carefully examined and not be taken lightly. In particular, companies are advised to implement effective processes for dealing with the rights of data subjects.