Home Knowledge Copy That: “Faithful and Intelligible Reproduction” is the Standard for DSAR Responses

Copy That: "Faithful and Intelligible Reproduction" is the Standard for DSAR Responses

On 4 May 2023, the Court of Justice of the European Union (CJEU) provided clarity around the right of individuals to access their personal data under the GDPR, often referred to as data subject rights requests (DSARs).

In the Austrian case of Österreichische Datenschutzbehörde v CRIF GmbH, the CJEU held that controllers must provide “a faithful and intelligible reproduction” of personal data relating to an individual to comply with Article 15(3) GDPR. This entails a right for individuals to obtain copies of extracts from documents or even entire documents or extracts from databases which contain an individual’s personal data to exercise their right of access effectively. Nonetheless, the right of access must be balanced between the right of the individual and the rights & freedoms of others.

Background of the Case

The applicant made a DSAR to CRIF, a company which provides information on the creditworthiness of third parties. The applicant’s DSAR included a request for copies of his personal data in documents contained in emails, and database extracts to be made available ‘in standard technical format’. In response, CRIF provided his personal data in summary form.

The applicant wanted more than CRIF’s response; he expected to receive actual copies of the documents containing his personal data and, as a result, complained to the Austrian Data Protection Authority (ADPA). The ADPA rejected his complaint on the basis that CRIF had not infringed on the applicant’s right of access. The applicant then escalated the matter to the Federal Administrative Court in Austria.

The Austrian Court referred questions to the CJEU on the obligation to provide a ‘copy’ of personal data under Article 15(3) GDPR. In particular, the Austrian Court sought clarification on the appropriate form a “copy” of personal data should take in the context of DSARs, such as a summary table or document extracts or even entire documents, as well as database extracts.

CJEU Decision

In considering this question, the CJEU lent credence to the purpose of the right of access, which is to enable individuals to ensure that their personal data are accurate and that the processing of such data is lawful. The CJEU also considered the meaning of the term “copy”, looking at its standard meaning (since the GDPR does not define it).

The CJEU held:

  • Article 15(3) GDPR confers a right on individuals to receive a “faithful and intelligible reproduction” of their personal data which is to be understood in a “broad sense”.
  • Article 15(3) GDPR sets out the “practical arrangements” for DSAR responses which specifies the form in which a controller must provide personal data, namely a “copy”. It does not create a separate right from that under Article 15(1) GDPR (i.e. right of access).
  • A “copy” refers to a copy (in the normal meaning) and not necessarily the original document in which personal data are recorded.
  • A “copy” of personal data must have all the characteristics necessary for the individual to exercise their right of access effectively and consequently reproduce such data fully and faithfully.
  • Providing a mere summary or general description of personal data is not a sufficiently comprehensive response to a DSAR.

The CJEU acknowledged that, depending on the circumstances, reproductions of extracts of documents, or even entire documents or extracts from databases, might be the format necessary to facilitate the objectives underpinning DSARs.

The CJEU confirmed that responding to a DSAR will often require a balancing act between the rights of the individual concerned and the rights and freedoms of third parties. While the protection of third parties rights is not an adequate basis for a refusal to provide an individual with copies of their personal data, the CJEU held that, wherever possible, the information should be transmitted in a form that does not infringe on the rights of others.

Conclusion

While the CJEU has provided welcome clarity on the obligations of controllers when responding to DSARs, this decision highlights that in practice, each DSAR (and the response) will be context and fact specific when considering the appropriate method of making copies of personal data available to an individual. From an Irish data protection law perspective, the Data Protection Commission expects a high standard of compliance from businesses in relation to handling DSARs (see our previous article here), with the right of access being the main subject of complaints it receives year-on-year.

If your business requires guidance on navigating the nuances and complexities which can arise with DSARs, please contact Rachel Hayes, Leo Moore David Cullen or your usual William Fry contact.

 

Contributed by Louisa Muldowney