Since May 25, 2018, the date that marks the beginning of the application of Regulation (EU) 2016/679, known as “GDPR”, there have been several decisions of the Court of Justice of the European Union regarding the topic of data protection. This time, the scope of Article 15, paragraph 3, of this same Regulation was subject to interpretation (case C-487/21).
This case is part of a request for a preliminary ruling on the interpretation of this provision in relation to a dispute between the applicant and the Austrian data protection authority. This was concerning the latter’s refusal to provide the applicant with a copy of documents and basic extracts containing his personal data undergoing processing in respect of the consulting agency, providing information on the creditworthiness of third parties.
In this connection, the Austrian Federal Administrative Court referred four questions to the Court of Justice for a preliminary ruling in the light of Art. 267 TFEU: (1) in what sense should the term “copy” be interpreted, (2) should the data subject receive a copy of complete documents or only a true reproduction of the personal data in accordance with Art. 15. no.1?,(3) are the nature of the data and the principle of transparency intended also to provide the data subject with passages of text or full documents?, (4) should the concept of “information” in the third part of this article refer only to “personal data undergoing processing”?
The Court came to divide the answer to the preliminary questions raised into two parts.
First, it came to answer the first three questions. In the case, the applicant in the main proceedings was provided with a list of his personal data in the form of a general and synthetic table. The decision denied that a purely general description of the facts met the usual definition of copying. Moreover, it is emphasized that it is impossible to dissociate paragraphs 1 and 3 of art. 15, so that the “copy” should include all personal data being processed, as mentioned by the European Commission in its written comments, so as to effectively ensure the right of the data subjects to access their personal data collected, in order to verify their lawfulness and exercise their right to rectification. He concludes this point by stating that the data controller should provide the data subject with additional information necessary to ensure fair processing and to guarantee compliance with the principle of transparency, be it copies of extracts of documents, complete documents, or extracts from databases containing data essential to ensure the effective exercise of the rights conferred on him by the Regulation.
It then comes to the fourth preliminary question, which asks whether the “information” to which this paragraph 3 refers should cover only the personal data which the controller must provide a copy of under the first part of this provision, whether it refers to all the information that is mentioned in paragraph 1 of the same article, or whether it goes beyond this scope. Considering the first part of this provision, which states that “the controller shall provide a copy of the personal data undergoing processing”, and meeting the objectives pursued by this article, the concept should be read as covering the personal data which copy the controller must provide in accordance with the first part of Art. 15. no.3.
In conclusion, the interpretation of this article in light of the CJEU demonstrates the need to ensure the right of access to data by data subjects, enforcing the principles of fair processing and transparency, while respecting the rights and freedoms of others.
Filipa Grilo @ DCM | Littler