Data subject’s access right: cjeu clarifies the concepts of “copy” and “information”

Article 15(3) GDPR provides that, at the request of the data subject, the controller must provide a “copy” of the personal data that have been processed and, if the request is made electronically, provide the “information” in a commonly used electronic form. The CJEU recently clarified that the terms “copy” and “information” do not refer to a document as such, but only to the personal data of which a copy must be provided to the data subject. However, the Court nevertheless specified that, since the right to access information presupposes a true and intelligible reproduction of all these data, it may in some cases be necessary to reproduce extracts from documents or even complete documents.

On the basis of Article 15(1) GDPR, every data subject has the right to access personal data relating to him or her that have been processed. Paragraph 3 provides that, at the request of the data subject, the controller must provide a copy of the personal data that has been processed and, if the request is made electronically, provide the information in a commonly used electronic form. In Österreichische Datenschutzbehörde, a judgment of 4 May 2023, the Court of Justice of the European Union (CJEU) clarified the concepts of “copy” and “information”.

The CJEU provided these clarifications in response to preliminary questions raised by the Austrian Bundesverwaltungsgericht in a case in which a business consultancy had sent the personal data it had processed only in aggregated form to a data subject who had exercised his right of access. The claimant subsequently filed a complaint with the Austrian data protection authority, arguing that the business consultancy should have provided a copy of all documents containing his data.

In its judgment, the CJEU clarifies the content and scope of the data subject’s right to access personal data relating to him that have been processed. The Court points out that the terms “copy” and “information” do not refer to a document as such, but to the personal data it contains. According to the Court, it follows from the GDPR that the controller must provide the data subject with all the information in question in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and that the information must be provided in writing or by other means, including by electronic means, unless the data subject requests the information to be provided orally. It follows that the copy must present all the necessary characteristics to enable the data subject to effectively exercise his or her rights deriving from the GDPR. This copy must therefore reproduce the data fully and faithfully.

Accordingly, there is no general obligation to provide a copy of the original documents including personal data. However, to ensure that the information provided is comprehensible, it may in some cases be necessary to reproduce extracts from documents or even complete documents or database extracts containing, among others, the personal data processed. In particular, where personal data are generated on the basis of other data or where such data result from open text fields, the context in which such data are processed is an indispensable element to enable the data subject to transparently access and understand such data.

The CJEU nevertheless recognises that the full exercise of the right of access to personal data may come into conflict with the rights or freedoms of others. Following the CJEU judgment, therefore, the controller who, on the basis of the right of access, has to provide the data subject with a copy of the personal data processed, will always have to strike a careful balance between: 

• the obligation to transmit a true and intelligible reproduction of all personal data processed, whereby it may be necessary in certain cases to reproduce complete documents; and the
• rights or freedoms of others.

With these clarifications, the CJEU’s recent judgment provides useful guidance to controllers on how to conduct a case-by-case assessment of requests to access information based on the GDPR.

Didier Houttequiet
Attorney – Associate Claeys & Engels