CJEU: the right to a copy of data

by Gerald Trieb and Stephanie Briegl//

In its decision of 4 May 2023, the European Court of Justice (CJEU, C-487/21) dealt with the term “copy” and its the meaning of under Art 15 para 3 of the GDPR.

CRIF, a credit reference agency, processed personal data of the applicant (data subject) for the purpose of assessing his creditworthiness. The data subject requested CRIF to provide him with a copy of documents such as e-mails and extracts from databases “in a standard technical format“. Subsequently, CRIF sent him “merely” a list of his personal data undergoing processing. Upon that, the data subject lodged a complaint with the Austrian data protection authority (Datenschutzbehörde), which dismissed his complaint on the grounds that CRIF had not violated his right of access. The Austrian Federal Administrative Court (Bundesverwaltungsgericht), which acts as the court under Art 78 para 1 of the GDPR, referred several questions to the CJEU for a preliminary ruling on the scope of the right to a copy of data enshrined in the first sentence of Art 15 para 3 GDPR. In addition, the referring court asked for an interpretation of the term “information” in Art 15 para 3 third sentence GDPR.

The CJEU states that Art 15 para 3 first sentence GDPR does not contain a definition of the term “copy”, but that the “usual meaning” of the term must be taken into account. According to the CJEU this refers to the “faithful reproduction or transcription of an original“. A general description of the data or a reference to its categories is not sufficient. Furthermore, the CJEU explains that all personal data must be communicated to the data subject in a “precise, transparent, intelligible and easily accessible form” so that the data subject is given the opportunity to fully understand the information. Following this interpretation of Art 15 para 3 first sentence GDPR, the CJEU states that the data subject has the right to receive a faithful and intelligible reproduction of all personal data undergoing processing from the controller. This right implies the right to obtain a copy of excerpts from documents or even entire documents or even excerpts from databases containing these data, if the contextualization of the processed data is necessary to ensure their comprehensibility. This is particularly important in the case of data generated from other data – as given in the present case, where a credit score was calculated on the basis of the data subject’s data.

It is important to note, though, that the CJEU also makes clear that such right does already exist under Art 12 para 1 and Art 15 para 1 first sentence of the GDPR, as Art 15 para 3 of the GDPR does not regulate the subject matter of the data subject’s right to access, but the modalities for its observance by the controller.

Eventually, the CJEU states that in the event of a conflict between the exercise of the right of full and complete access to personal data on the one hand, and the rights and freedoms of others (third parties) on the other hand the rights in question must be weighed against each other. According to the CJEU, a controller has to choose such “modalities” of the transmission of the data that do not violate the rights and freedoms of others and do not lead to a refusal of access for the data subject.

In relation to the additional question, the CJEU concludes that the term “information” according to Art 15 para 3 third sentence GDPR refers exclusively to personal data of which the controller must provide a copy according to the first sentence of this paragraph. We understand this in a way that metadata are not to be provided.

Overall, the CJEU has given an almost classic lawyer’s answer here by explaining that “it depends”. For controllers, the present decision does not impose an obligation to always provide a complete copy (or set of excerpts) of documents or database extracts – it is normally sufficient to provide the personal data contained therein. In certain cases, however, it may be necessary to provide entire documents or database extracts if this appears necessary for the comprehensibility of the data and their context for the data subject. The rights of third parties must be preserved properly, i.e., their data would then have to be redacted from the documents or deleted from the database extracts.

Dr. Gerald Trieb, LL.M. is Partner at Knyrim Trieb Rechtsanwälte, Vienna (Austria).

Mag. Stephanie Briegl, BA is Associate at Knyrim Trieb Rechtsanwälte in Vienna (Austria).