Since the EU’s GDPR entered into force, organisations have increasingly received data subject access requests (Article 15 GDPR). In principle, according to Article 15 GDPR, a data subject may require a data controller to provide a confirmation of whether their personal data is processed. Where this is the case, the data subject has a right of access to the personal data and to receive particular information from the data controller, such as the purposes of the processing and categories of personal data concerned. Article 15 also provides that a data subject has the right to obtain a ‘copy’ of their personal data processed by or for the data controller. Where a data subject requests the copy by electronic means, the information must typically be provided in a commonly used electronic form.
In this context, the interpretation of the term ‘copy’ is crucial for organisations that frequently face extensive requests for such copies, potentially involving large amounts of personal data. In its recent judgment on 4 May 2023, the Court of Justice of the European Union (CJEU) shed light on the interpretation of the term and addressed some of the uncertainties related to it (case C-487/21).
In the following, we introduce the case, the interpretation of the CJEU and give our opinion on its impact for future access requests.
Facts of the case
The company in question offered its clients data about the credit status of data subjects. A data subject whose data was processed requested the company provide a copy of his personal data. In response, the company only provided a summary containing a compilation of the personal data. The data subject took the view that this was not adequate.
A ‘copy’ under the GDPR
According to the CJEU, to comply with a data subject’s request for a copy of personal data, the controller must provide the data subject with a faithful and intelligible reproduction of all the personal data. This entails that the controller cannot simply provide a general description of the data or the categories of data.
The CJEU recalled that the term ‘personal data’ encompasses all kinds of information related to the data subject. This can include not only data collected and stored by the controller but also opinions and assessments resulting from the processing of that collected data (such as an assessment of a person’s creditworthiness or their ability to pay).
Under certain circumstances, data subjects may obtain copies of extracts from documents or even entire documents or extracts from databases. While the CJEU explicitly recognises that the term ‘copy’ does not relate to a document as such, but to the personal data it contains, it considers that the right of access may entail an obligation to provide copies of extracts from documents or even entire documents or extracts from databases, if that is necessary to enable the data subjects to effectively exercise their GDPR rights. The CJEU noted that the data subject’s right of access must enable the data subject to ensure that their personal data is correct and processed in a lawful manner and that other data subject rights under the GDPR can be exercised (eg the right to rectification, right to erasure, right to restriction of processing, the right to object to the processing and a right of action if damage is suffered).
Therefore, the production of copies of extracts from documents or even entire documents or extracts from databases may be necessary when the contextualisation of the personal data is required for the personal data to be ‘intelligible’, ie allowing the data subject to effectively exercise GDPR rights. According to the CJEU, this is particularly the case where the personal data was generated from other data or resulted from empty fields (eg where the personal data resulted from an absence of response to a question from the data subject). In the event of a conflict between the right of access and the rights and freedoms of others, including trade secrets or intellectual property (eg copyright regarding software codes), the controller must strike a balance between the rights in question as explained further in the judgment.
Practical impact of the decision
The key takeaway of the CJEU’s decision for companies is that providing extracts of documents or databases (or even entire documents) may be necessary to fulfil data subject access requests.
In essence, the information must be intelligible enough to enable the data subjects to exercise their further GDPR rights. However, there remains some discretion for assessing whether (only) the personal data is sufficiently ‘intelligible’ or whether understanding the information requires providing a copy of the actual document or database containing the personal data. In case of conflicting rights a correct balance must be applied.
Overall, the CJEU’s judgement confirms the opinion of EU data protection authorities that a data subject access request does not necessarily lead to granting access to documents or databases. This is commendable given that providing access to entire documents and databases in all cases may result in:
- corresponding high costs to redact other data subject’s personal data or trade secrets of third parties; and
- an increased risk of misuse of such documents or databases for purposes other than exercising data protection rights (eg, in preparation for litigation of other purposes).