On May 4, 2023, the Court of Justice of the European Union (‘CJEU’) decided, in case C-487/21, that the right to obtain a ‘copy’ of personal data means that the data subject must be provided with a faithful and intelligible reproduction of all personal data. This can also include documents or extracts from databases containing personal data, where it would be necessary to ensure that the personal data is intelligible, as per Article 15(3) GDPR.
Background. The case arose from a data subject, requesting a copy of documents containing his personal data, addressed to a credit rating agency (‘the Agency’). The Agency responded to this request with a summarized list of the data subject’s data undergoing processing. Being of the view that he should have been given a copy of all the documents containing his data, the data subject complained to the Austrian Supervisory Authority, which rejected his complaint. The data subject then appealed this decision to the Austrian Federal Administrative Court, which referred the matter to the CJEU.
Fulfilling the right of access. The CJEU considered that the right to obtain a “copy” of personal data under Article 15(3) GDPR is not a separate right from the right provided for under Article 15(1) and that the term “copy” does not relate to the document as such, but to personal data contained within such a document. Therefore, the CJEU interpreted the right to obtain a “copy” as requiring the data subject to be given a faithful and intelligible reproduction of his or her personal data undergoing processing. In particular, the CJEU held that the data controller must provide copies of extracts from documents, or even entire documents or extracts from databases, that contain the personal data, in order to ensure the effective exercise of data subject rights under the GDPR. Equally, the controller has to ensure that the personal data is clearly intelligible, which may require the reproduction of extracts from documents or even entire documents in order to clarify the context in which the personal data was processed.
Finally, the CJEU states that, in the event of a conflict arising between the data subject’s right to access and third-party rights, the right to obtain a copy should not adversely affect the rights and freedoms of others, which includes protecting trade secrets and intellectual property rights belonging to the third party. The CJEU agreed with the Advocate General, finding that data controllers must conduct a balancing act and select the approach that is least intrusive as regards the protection of intellectual property rights.
Information. On the meaning of the term “information” found in Article 15(3) GDPR, the CJEU clarified that this only refers to the personal data processed by the controller, pursuant to the first sentence of Article 15(3), excluding additional information, such as metadata.
* * *
Covington’s Data Privacy and Cybersecurity Practice monitors CJEU cases closely and reports on relevant Court decisions and Advocate General opinions. If you have any questions about the interaction between data protection and local laws we are happy to assist.
(This blog post was written with the contributions of Alberto Vogel.)