According to the CJEU, the GDPR imposes an obligation on a controller to provide the data subject, free of charge, with a first copy of their personal data.
The Court of Justice of the European Union (CJEU) recently issued a groundbreaking ruling that has far-reaching implications for data subject access rights. Let’s delve into the key takeaways:
Overview of the CJEU’s decision on the Right of Access
The case concerns a dispute between a patient and a healthcare practitioner over access to the patient’s medical file. The patient sought a free copy of their medical file from the healthcare practitioner in order to bring liability claims, and the latter insisted on cost-sharing under German national law.
The matter was escalated to the European Court of Justice, which was asked to clarify the scope of Articles 12(5), 15(1) and 15(3) of the GDPR and, in particular, the limits within which a data controller can charge a data subject for providing a copy of his/her personal data.
CJEU’s Ruling on the Right of Access
According to the CJEU, the GDPR (Articles 12(5), 15(1), and 15(3)) imposes an obligation on controllers to provide a data subject with a free first copy of their personal data.
The controller may charge a fee only when the data subject requests another copy, having already received one free of charge. The provided copy must faithfully reproduce the personal data subject to processing by the controller.
Also, the CJEU confirms that Data Subject Access Requests (DSARs) are not limited by recital 63 GDPR which narrows the scope of the right of access to cases when DSARs are exercised in order to be aware of, and verify, the lawfulness of the data processing.
Indeed, according to the court, neither Article 12(5) GDPR nor Article 15(1) and (3) GDPR require DSARs to be justified with specific reasons. Also, the European Court of Justice held that the limitation on data subject rights under Article 23(1)(i) GDPR is for the protection of others’ rights and freedoms, not economic interests.
Potential abuses deriving from DSARs following the CJEU’s ruling
The CJEU’s ruling reinforces data subject access rights under GDPR, ensuring they receive their personal data free of charge and emphasizes that DSARs can serve purposes beyond those mentioned in GDPR. Protecting data subjects’ rights and interests remains paramount, even in cases unrelated to GDPR’s specific recitals.
The decision seems to overlook its practical implications and how privacy rights are often abused by individuals for purposes that go beyond the protection of their rights. Indeed, it should be considered that:
- For organisations, the management of DSARs is becoming an unbearable cost. They have to set up units dedicated to their management, and the risk of not being compliant despite considerable organisational measures is high;
- Individuals are aware of this difficult position of businesses and abuse privacy rights to achieve purposes that are totally unrelated to privacy protection.
As such, I don’t agree with the position of the CJEU, which does not indicate the appropriate balance between individuals’ rights and potential limitations to their requests. These decisions risk erasing the values behind privacy protection as an individual’s fundamental right.
On a similar topic, you can read the article “Disclosing data recipients in privacy access right requests is compulsory according to the CJEU”.