The GDPR gives individuals whose personal data are processed the right to know what personal data are being processed about them. In practice, many organizations struggle with the correct and timely follow-up of an ‘access request’ from a data subject. Exactly what data should you provide in the event of an access request? In what form? To whom? Are there any exceptions? And within what time period should you actually respond?
Right to a copy?
Article 15(3) of the GDPR states that the controller must provide a copy of the personal data, but what exactly is a copy? Case law from the Dutch Council of State shows that in general, the data subject is not entitled to a copy or transcript of the document containing their personal data.
EU Court of Justice: Österreichische Datenschutzbehörde and CRIF (C-487/21)
The Austrian Bundesverwaltungsgericht referred to the Court of Justice of the European Union (“CJEU”) the preliminary question whether the right to access personal data entitles the data subject to a copy of – complete – documents containing the personal data or only to a faithful reproduction of the personal data, the interpretation chosen by the Council of State. Today the judgment was published in which the CJEU answered this question.
The CJEU clarified that it follows from article 15(3) of the GDPR that the right to obtain a “copy” from the controller means that the data subject must be given a “faithful and intelligible reproduction” of their personal data. This does not automatically mean that a copy of the document containing the personal data in question must also be provided.
In light of the objectives pursued by Article 15 of the GDPR (enabling the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner) and in order to ensure that the information provided is easily understandable, it may be indispensable that extracts from documents or even complete documents or database extracts containing the personal data are reproduced. According to the CJEU this may be the case, for example, where personal data are generated from other data or where such data result from empty fields, that is to say where there is an absence of information which provides information about the data subject. In that case the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data. The CJEU thus follows the earlier conclusion of the Advocate General.
Where a full exercise of the right of access to personal data conflicts with the rights or freedoms of others, both rights must be balanced against each other. The personal data must then be provided in a manner that does not infringe the rights and freedoms of others.
Earlier this year, in RW v. Österreichische Post AG (C-154/21), the CJEU ruled that an organization must, when confronted with a request for access, specifically identify the parties with whom personal data has been shared. A categorical overview is not sufficient except in some exceptional situations.
More about data subjects’ rights
There is much more to be said about the privacy rights of data subjects, and Dutch courts, too, have made hundreds of rulings on this subject in recent years. We have recently studied these rulings and have written a comprehensive and up-to-date article on this subject together with Chris Erents and Niels Groenhart. The article (in Dutch) was published in issue 1 (February 2023) of the professional journal Privacy & Information (P&I) of Uitgeverij Paris.
Want to know more?
Do you need clarity on your obligations with respect to data subjects’ rights in the form of policy or in case of a more complex data request? If so, please contact us.