Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling

May 17, 2023By Preiskel & Co

On 4 May 2023, the CJEU provided a preliminary ruling for Case C-487/21, in which the Austrian Court sought guidance on the scope of information accessible to data subjects under the right to access a copy of personal data, as provided for by Article 15(3) of the General Data Protection Regulation (“GDPR”).

CJEU rulings are binding within the EU and no longer in the UK (though UK organisations may need to adhere to them, when the extraterritorial provisions of the EU’s GDPR apply).

The Austrian Court approached the CJEU with uncertainty as to the applicable scope of Article 15(3), requesting clarity in relation to two sentences of the provision:

  1. The meaning of “copy” in the first sentence of Article 15(3):

“The controller shall provide a copy of the personal data undergoing processing”.

The Court requested clarity as to whether the obligation to provide the data subject with a “copy” would necessitate the provision of entire documents and database extracts, or whether this obligation can be easily satisfied by providing the data subject with a summarised list of their data.

  1. The concept of “information” in the third sentence of Article 15(3):

“Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form”.

The Court requested clarity as to whether this sentence affords the data subject a general right to copies of all documents containing their personal information, or if the “information” accessible extends only to the personal data “undergoing processing”, in accordance with the first sentence of Article 15(3).

The background

The case involved a consulting agency who provides commercial clients with information on the creditworthiness of third parties. The applicant made a request to the agency, on the basis of Article 15(3), for a copy of documents containing his personal data “in a standard technical format”. In response, the agency sent the applicant a document with the personal data that was undergoing processing in the format of a summarised list.

Under the impression that the Article 15(3) right entitled him to copies of entire documents and database extracts, the applicant lodged a complaint with the Austrian Data Protection Authority (“DPA”). The DPA rejected such complaint under the premise that there had been no infringement and the agency had in fact satisfied the data subject’s right to access copies.

The data subject brought the case to the Austrian Federal Administrative Court, who sought clarity from the CJEU on the precise interpretation of Article 15(3) of the GDPR. In addressing the two questions surrounding the interpretative scope of the provision above, the CJEU delivered the following responses:

First question: the meaning of “copy”

The CJEU confirmed that the copies that the controller must provide pursuant to the first sentence of Article 15(3) must have all the characteristics necessary to provide the data subject with a faithful and intelligible reproduction of all those data. This affords data subjects the right to obtain copies of extracts from documents or databases or even entire documents which contain, inter alia, those data.

Second question: the concept of “information”

The CJEU clarified that the reference to “information”, in the third sentence of Article 15(3), exclusively corresponds and refers to the “personal data undergoing processing” that the controller is obliged to provide a copy of in accordance with the first sentence of the paragraph. As such, the third sentence of Article 15(3) does not generate any additional right for the data subject to access copies of document and databases containing broader “information” that is not undergoing processing.

Overall, the CJEU’s ruling provides essential clarity in regard to scope of Article 15(3)’s right to access a copy of personal data. This outcome should encourage EU controllers to act accordingly when fulfilling a data subject’s request to receive copies, even if this means preparing, compiling and delivering entire database extracts and documents.

Find the CJEU ruling here.

 

Please contact Jose Saras if you have any questions regarding the above.

 

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

Leave Comment

Cancel reply

Your email address will not be published. Required fields are marked *

clear formSubmit

Latest Preiskel & Co blog posts
  • Apple’s Vision Pro Mixed Reality Headset Unveiled
    June 8, 2023
  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue
    June 7, 2023
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report
    May 30, 2023
  • Important EU Court decision for publishers and AdTech suppliers 
    May 18, 2023
  • Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling
    May 17, 2023
  • GDPR-compensation for non-material damage not automatic, CJEU confirms
    May 17, 2023
  • Overview of the UAS Ofcom Drone Licence
    May 16, 2023
  • French watchdog directs Meta to change its “discriminatory” ad verification criteria
    May 11, 2023
  • Competition authorities around the world versus dominance in digital markets
    May 3, 2023
  • EDPB clarifies personal data breach notification requirements for non-EU controllers
    April 25, 2023
  • CMA probe spurs Google to change billing practices
    April 19, 2023
  • OpenAI’s ChatGPT banned in Italy
    April 18, 2023

The Preiskel Blog

  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue 7 Jun 2023
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report 30 May 2023
  • Important EU Court decision for publishers and AdTech suppliers  18 May 2023
  • Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling 17 May 2023

Preiskel news

  • Preiskel & Co participating as co-sponsor of Corum Group’s upcoming London Merge Briefing event
  • Senior Partner, Danny Preiskel, quoted by IT Pro on the costs incurred by MNOs
  • Senior Partner, Danny Preiskel, a panelist at GCCM Carrier Community 2023 on IOT
  • Jose Saras and Xavier Prida Awarded First Place as Data Protection Thought Leaders in the UK
Preiskel tweets
  • Apple’s Vision Pro Mixed Reality Headset Unveiled. Find out more here: https://t.co/ifWRgSMY1r2 days ago
  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue. Find out more here: https://t.co/1SrcVUKUDB3 days ago
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report findings. Please find out m… https://t.co/7jJApBSkm211 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy