Rechtsanwalt, Legal Director
Out-Law News 3 min. read
09 May 2023, 9:47 am
This is the case when these documents are indispensable for the data subject to effectively exercise their rights under the GDPR, the CJEU said. In such cases, the data subject has a claim to receive copies of extracts of the relevant documents or even copies of the entire documents. The CJEU also said the information provided must "enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner".
Amsterdam-based data law expert Wouter Seinen of Pinsent Masons said that in the UK and many EU member states this decision will only confirm the status quo. "But for countries like Austria and the Netherlands, extending the right of access from providing a report to providing full copies would be a sea change", he said.
"The practical issue is cost and effort. When copies of all responsive documents need to be produced, sometimes tens of thousands emails and notes need to be redacted to filter out personal data of uninvolved data subjects and confidential information, which has a huge cost implication. It will be interesting to see how this decision will pan out in jurisdictions where to date companies could not be as effectively burdened with a simple access request," he said.
The CJEU issued the ruling in the case of a private person (data subject) against the Austrian Data Protection Authority and CRIF, a business consulting agency. At the request of clients, CRIF provides information on the creditworthiness of third parties.
The data subject had requested access to his personal data stored by CRIF. He based his request on his right to access information under the GDPR. He had also asked to be provided with a copy of any documents such as emails and database extracts containing his data. CRIF provided him with a list of his processed personal data, but not with a copy of the documents containing his data. The data subject lodged a complaint with the Austrian Data Protection Authority, but the complaint was rejected. The data subject then filed a case at the Austrian Federal Administrative Court. The court referred the matter to the CJEU for an interpretation of the right to a copy of personal data processed under Article 15(3) of the GDPR.
According to the CJEU, the right to obtain from the controller a "copy" of the personal data undergoing processing pursuant to the first sentence of Article 15(3) of the GDPR means that the data subject must be given a "faithful and intelligible reproduction of all those data". That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases, if the provision of such a copy is essential to enable the data subject to exercise the rights conferred on him or her by the GDPR.
Andre Walter, an Amsterdam-based data protection law expert at Pinsent Masons, said: "Similar to the Austrian DPA, the Dutch DPA’s position had always been a bit more moderate on the right to access 'copy' requirement of Art.15(3): Providing a summary list of the personal data undergoing processing had been acceptable so far. Now the CJEU takes the position that a general description of the data undergoing processing or a reference to categories of personal data does not correspond to the definition of providing a 'copy' of the personal data undergoing processing. This will inevitably lead to a shift in expectations Dutch data subjects will have regarding the right of access and the assessments of possible complaints with the Dutch DPA."
The CJEU also pointed out that, when providing copies of processed personal data, account must be taken of the rights and freedoms of others. "Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that the result of those considerations should not be a refusal to provide all information to the data subject," the CJEU said.
In another case referred to the CJEU by the Austrian Supreme Court regarding the right to information under the GDPR, the CJEU had ruled in January 2023 that "every person has the right to know to whom his or her personal data have been disclosed". But the data controller may "indicate only the categories of recipient if it is impossible to identify the recipients or the request is manifestly unfounded or excessive".
As in the case now decided, the CJEU had emphasised back then that the purpose of the right to information is to enable the data subject to exercise their other rights under the GDPR. Accordingly, the information provided to the data subject must be sufficiently detailed to allow them to exercise their rights, such as the right to rectification, right to erasure, right to restriction of processing, right to object to processing or right of action where they suffer damage.