The Court of Justice of the European Union (CJEU) issued a recent ruling in case C-307/22, highlighting important considerations regarding the extent of the right of access under Article 15 of the GDPR. This ruling carries significant implications for companies that process personal data under the GDPR. It asserts that the GDPR right of access obliges data controllers to provide data subjects with an initial copy of their personal data free of charge. In this article, we provide a summary of the key aspects of this judgment.
The case
The case, brought from the German Federal Court of Justice (BGH) before the CJEU, originated from a dispute between a patient and a healthcare practitioner concerning access to the patient’s medical records. The patient sought to obtain a copy of their medical file, free of cost, to assess whether there were grounds for liability against the healthcare practitioner. In contrast, the data controller declined to provide the document without the patient sharing the associated costs (§630f of the German Civil Code – Bürgerliches Gesetzbuch).
The BGH referred this matter to the CJEU to seek clarification on the scope and limitations of Article 15 GDPR (the Right of Access).
Key CJEU Legal Principles
- Free First Copy: The CJEU ruled that the GDPR requires controllers to provide data subjects with an initial copy of their data free of charge. Payment can only be requested if data subjects seek additional copies or if their request is manifestly unfounded and/or excessive. This reading of the GDPR is not new to experts, and it is also in line with the EDPB Guidelines on the Right of Access.
- No Prior Justification Required: The GDPR does not mandate data subjects to provide a prior justification or specific reasons when making Data Subject Access Requests (DSARs). The CJEU emphasized that neither the GDPR’s articles nor its recitals say that the Right of Access can be granted by the controller only when the purpose is solely to become aware of and verify the lawfulness of data processing (as mentioned in Recital 63 GDPR). According to the Court, this principle also applies to the case at hand, despite the fact that the reason behind the access request was (evidently) to seek grounds for liability against the controller’s services. This position is also in line with the EDPB Guidelines on the Right of Access:
“According to Recital 63, the right of access is granted to data subjects in order to be aware of, and verify, the lawfulness of the processing. The right of access enables, inter alia, the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of personal data. However, data subjects are not obliged to give reasons or to justify their request. As long as the requirements of Art. 15 GDPR are met the purposes behind the request should be regarded as irrelevant”. (par. 6.1)
- Economic Interests of the Controller: The CJEU clarified that the economic interests of the data controller cannot be invoked to limit DSARs under Article 23(1)(i). This provision allows the restriction of DSARs “for the protection of the data subject or the rights and freedoms of others”, and the CJEU underlined that economic business interests cannot be included in this definition.
Our analysis
The concepts articulated in this CJEU ruling do not represent a groundbreaking shift in the interpretation of DSARs. Rather, it is significant that the CJEU reinforces the position expressed by the EDPB in the aforementioned guidelines, especially concerning:
- The right of data subjects to receive a first copy of their personal data free of charge;
- The de facto irrelevance of the purposes behind the access request, even when different and additional to those expressly provided for in the GDPR (Recital 63).
However, this ruling opens the door for interpretations to be applied in different cases. From a practical standpoint, it carries the risk of setting a precedent that may lead to the abuse of the right of access by data subjects. Currently, handling requests from data subjects is an onerous obligation for businesses, often involving lengthy processes and significant costs to ensure compliance with the GDPR.
Data subjects’ right to request access to their personal data is and shall remain of primary importance in the EU. Nevertheless, concerns arise from the growing trend of excessive and abusive data subjects’ requests that, in the future, may seek justification in the principles set forth in this ruling.
To understand the extent of the work that such requests can entail, consider the process that any multinational company must go through when a customer requests access to all the data it holds about them.
In this scenario, all of the customer's personal data must be collected. This means, by way of example: documents, invoices, purchase history, personal preferences, and customer service interactions such as records of phone calls, chat transcripts and email correspondence. In order to gather this data, all departments (Customer Service, Marketing, IT, Sales, etc.) should ideally be involved.
Then, all the collected data has to be reviewed in order to ensure that the rights of other data subjects are not violated, and finally, all the information should be organized into a comprehensible format. For this activity, different professionals have to be involved, from legal and privacy experts to the IT team.
Conclusion
It is clear that the burden faced by the company, in terms of time, effort and resources, is significant.
Therefore, it is important to address the following questions: what happens when data subjects are aware of this situation and the purpose of their request is not related to the protection of their rights? To what extent must the controller fulfil these requests?
Instead, shouldn’t the EU institutions set out a fair balance between the defense of fundamental rights and the interests of EU businesses?
It will be interesting to see the development of EU institutions’ approach to the undeniable practical challenges faced by businesses in the future, with the hope that they will focus not only on the protection of data subjects’ rights, but also on the business interests of EU and non-EU companies that aim to comply with GDPR.
Anonymous
16. November 2023 @ 11:57
I agree that requests can lead to a lot of work for controllers.
Creating a “fair balance” between fundamental rights and the interest of EU businesses is nothing to talk easily about. In a time where personal data is still a valuable thing that is collected in a way where the lawfulness is in question (e.g. the approach of Meta) I do not see a reason why there should be exemptions.
The only vulnerable businesses are SMEs. A wide limitation of fundamental rights can't be the way.