May 15, 2023
CRIF GmbH is a business consulting agency that provides information on the creditworthiness of third parties on the request of its clients.
In December 2018, FF asked CRIF for access to the personal data CRIF held concerning him under Article 15 of the GDPR. He also asked for a copy of the documents, namely emails and database extracts containing his data “in a standard technical format”.
In response, CRIF sent FF a summary list of his personal data that was undergoing processing. FF complained to the Austrian Data Protection Authority (Österreichische Datenschutzbehörde) (Austrian DPA) that he had not been sent a copy of all the documents containing his data as requested. The Austrian DPA rejected FF’s complaint, taking the view that CRIF had not infringed FF’s right of access to his personal data.
FF issued proceedings against the Austrian DPA in the Bundesverwaltungsgericht (the Austrian Federal Administrative Court), which asked the CEJU whether the first sentence of Article 15(3) of the GDPR, which provides that “The controller shall provide a copy of the personal data undergoing processing”, read in the light of the transparency requirement in Article 12(1), meant that the right to obtain a copy of personal data undergoing processing requires the data subject to be given not only a copy of that data, but also a copy of extracts from documents or even entire documents or extracts from databases containing that data. The Austrian court also sought clarification on what precisely is covered by the concept of “information” in the third sentence of Article 15(3) of the GDPR, which provides that “Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form”.
As for the wording of the first sentence of Article 15(3), the CJEU noted that the provision does not itself include a definition of the term “copy”. Therefore, account must be taken of the usual meaning of the term, which refers to the faithful reproduction or transcription of an original. Accordingly, a general description of the data undergoing processing or a reference to categories of personal data does not correspond to that definition. Further, the CJEU said, it was clear that the disclosure obligation in the first sentence of Article 15(3) relates to the personal data undergoing the processing in question. Therefore, in the CJEU’s judgment, it conferred on the data subject the right to obtain a faithful reproduction of his or her personal data, understood in a broad sense, that are subject to operations that can be classified as processing carried out by the controller.
Considering the context in which the first sentence of Article 15(3) sits, the CJEU noted that Article 15(1) defines the subject matter and scope of the data subject’s right of access. Article 15(3) sets out the practical arrangements for the fulfilment of the controller’s obligation, specifying in the first sentence, the form in which that controller must provide the personal data undergoing processing, namely in the form of a “copy”. Therefore, the CJEU held, the first sentence of Article 15(3) does not establish a separate right from that provided for in Article 15(1). Further, the CJEU noted that the term “copy” does not relate to a document as such, but to the personal data which it contains, which must be complete. In other words, the “copy” must contain all the personal data undergoing processing.
As for the objectives of Article 15, the CJEU noted that the right of access which it provides must enable the data subject to ensure that the personal data relating to him or her are correct and that they are being processed in a lawful manner.
In addition, the CJEU said, it was apparent from Recitals 58 and 60 and Article 12(1) of the GDPR that the controller is obliged to take appropriate measures to provide the data subject with all the information referred to, in a concise, transparent, intelligible and easily accessible form, using plain and clear language. Further, the information must be provided in writing or by other means, including where appropriate, by electronic means, unless the data subject requests that it be provided orally. It followed, the CJEU held, that the “copy” of the personal data undergoing processing that the controller is obliged to provide must have all the characteristics necessary for the data subject to exercise his or her rights effectively. It must, therefore, reproduce the data fully and faithfully.
Accordingly, to ensure that the information provided is easy to understand, as required by Article 12(1) of the GDPR, the reproduction of extracts from documents or even entire documents or extracts from databases containing the personal data undergoing processing might be essential where the data has to be contextualised in order to make it intelligible. For example, where personal data is generated from other data or where such data results from empty fields, i.e. where there is an absence of information, which in itself provides information about the data subject, the context in which the data is processed is essential to enable the data subject to have transparent access and an intelligible presentation of the data.
The CJEU also said that where there is a conflict between exercising the right of full access to personal data and the rights or freedoms of others, a balance must be struck between the two. Wherever possible, the personal data should be communicated in a way that does not infringe the rights or freedoms of others. Further, when conducting the balancing exercise, it should be remembered that the result should not be a refusal to provide all the information to the data subject.
As for the concept of “information” in the third sentence of Article 15(3), the CJEU noted that, again, the provision does not define the term. However, it followed from its context that the word “information” necessarily corresponded to the personal data, a copy of which the controller must provide in accordance with the first sentence of the provision. (Case C-487/21 FF v Österreichische Datenschutzbehörde EU:C:2023:369 (4 May 2023) — to read the judgment in full, click here).