The Court of Justice of the European Union (“CJEU”) ruled that the right to obtain a copy of personal data entails the right to obtain copies of extracts from documents or even entire documents/extracts from databases which contain those data, if that is essential for the data subject to effectively exercise their rights under the GDPR.
The case concerns an individual who requested access to his personal data from a business consulting agency that provides information on creditworthiness. The individual requested a copy of emails and database extracts containing his personal data in a standard technical format, but the agency only provided a summary of the list of his personal data undergoing processing. The Austrian Data Protection Authority rejected the individual’s complaint, leading to a court case on the scope of the obligation to provide a copy of personal data under Article 15(3) of the GDPR.
During the proceedings, the competent Court in Austria asked the CJEU whether the said obligation is fulfilled where the controller transmits the personal data in the form of a summary table or whether that obligation also entails the transmission of documents extracts or even entire documents, as well as extracts from databases, in which those data are reproduced.
Here are the main conclusions reached by the CJEU:
– The CJEU clarified that the right to obtain a “copy” of personal data means that the data subject must be given a faithful and intelligible reproduction of all of their data. This means that providing a general description of the data undergoing processing will not be sufficient to comply with the data subject’s request.
– That right includes the right to obtain copies of extracts from documents or entire documents or database extracts if that is essential for exercising effectively their rights under the GDPR while taking into account the rights and freedoms of others.
– The CJEU also noted that the term “copy” does not refer to the document itself, but rather relates to the personal data it contains and that this must be complete. Therefore, the copy should include all the personal data that is being processed.
– Finally, if there is a conflict between granting complete access to personal data and protecting the rights and freedoms of others, the Court suggests finding a balance between the two. It is preferable to choose methods of sharing personal data that do not violate the rights or freedoms of others. However, it is important to note that the end result should not be a complete refusal to provide information to the data subject.
How does your organisation handle data subject rights? Contact us, experts in data privacy, if you want to learn more via firstname.lastname@example.org.