On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.

A patient seeking to uncover errors in his dentist’s work requested access to his medical records. The dentist replied that, under German law, access to the patient’s medical records could be conditional on the data subject’s payment of the costs connected with providing the records. The patient claimed that this was inconsistent with the GDPR, which gives data subjects a right to access a copy of their data (Article 15).

The CJEU held that, generally, exercising the right of access under the GDPR should not entail any cost for the data subject and that such a cost may only be imposed where the data subject has already received a first copy of his or her data free of charge. The Court also clarified that the GDPR does not require data subjects to provide reasons for their request, and therefore, the data holder cannot reject an access request on the grounds that the data subject access request is not aimed at verifying GDPR compliance.

Finally, the CJEU reiterated that the data subject must be given a “faithful and intelligible reproduction” of the data (see our blog post here).  This includes sharing a full copy of documents containing the data subject’s personal data – rather than just extracts – if doing so is “essential” for the data subject to understand and verify the accuracy and exhaustiveness of the data processing.

The scope of the GDPR’s right of access (see our blog posts here and here) has been heavily litigated at both EU and national level. At national level, in a surprising decision earlier this year, the Belgian Data Protection Authority held that it would be excessive to ask an employer to search its email servers for all emails concerning a former employee. According to the Authority, this would constitute a “disproportionate effort” for the former employer as, among other things, the requestor had been an employee for eight years and, for some period of time, the email address the requestor used was also used by other employees. In addition, the requestor had not provided any parameters that could aid the former employer in its search through the email servers.

*                             *                             *

Covington’s Data Privacy and Cybersecurity Practice regularly advises on data subject access requests, and on privacy investigations and disputes including at the CJEU.  If you have any questions about the interaction between data protection and local laws we are happy to assist.

(This blog post was written with the contributions of Alberto Vogel.)

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington’s disputes teams on matters at the intersection of regulatory compliance and litigation.