Three Lessons on Subject Access Requests From the CJEU in 2023
The Court of Justice of the European Union (CJEU) has considered three cases about the “right of access” so far in 2023—two decisions and one opinion from the court’s Advocate General.
The right of access is among the most important concepts in data protection law, and it existed decades before the EU General Data Protection Regulation (GDPR) took effect. But the CJEU is still answering questions about how the right of access works.
This article summarises each case. Together, the three cases explore the following questions:
- Is the data subject entitled to a “copy” of their personal data, including entire documents or database extracts, or is a comprehensive summary enough?
- When is the data subject entitled to information about the specific recipients of their personal data rather than the “categories of recipients”?
- Can data subjects make a valid subject access request for reasons unrelated to data protection?
When to Provide a ‘Copy’ of Personal Data: Case C-487/21
The CJEU’s latest decision on subject access requests is May’s Case C-487/21, which initially arrived from Austria’s Federal Administrative Court.
The claimant, known as “FF”, made a subject access request to a credit-rating agency called CRIF GmbH.
Like all credit-rating agencies, CRIF engages in some complex data processing, drawing inferences about people from a wide range of data gathered from many sources.
FF made a subject access request (also known as a “SAR” or a data subject access request, “DSAR”). He requested access to the personal data CRIF processed about him, including copies of documents, emails, and “database extracts” in “a standard technical format”.
CRIF responded with a summary table that included all of the personal data the company was processing about FF.
FF was unsatisfied with this response. He argued that he was entitled to a “copy” of the personal data—not just a summary. He made a complaint to the DSB (Austria’s data protection authority).
A Summary vs a Copy
The DSB decided the complaint in favour of CRIF, finding that the company had fulfilled its obligations. According to the DSB, CRIF did not violate FF’s data protection rights by providing a summary of his personal data.
The case eventually got to the Austrian Federal Court, which referred several questions to the CJEU.
Among other questions, the Austrian court asked about Article 15 (3) of the GDPR, which refers to the right to receive a “copy” of personal data.
Does this mean a literal copy (such as a scan of a document), or does a comprehensive summary or replication of the data count?
Why Does This Matter?
The Austrian court’s questions are important because the right of access is supposed to enable data subjects to check whether a controller is processing their personal data unlawfully.
Suppose you request a copy of your personal data from a credit-referencing agency and the agency simply produces a list of the personal data it processes about you. Without context, it might be hard to tell what’s actually happening with your data.
But getting a copy of the documents could provide further context and help you better understand how your personal data is being processed.
The CJEU’s Answers
The CJEU found that a “purely general description” or a list of the types of personal data is not enough.
However, you don’t always need to provide a copy of a document or database extract. The format of the personal data isn’t the point.
The CJEU highlighted some crucial elements of a subject access request:
- The data subject is entitled to a “faithful reproduction” of all the personal data the controller processes about them.
- The data subject must be able to “fully understand the information”.
- Based on the information the controller provides, the data subject must be in a position to exercise their other rights effectively.
If the only way to meet these requirements is by providing a copy of a document or a database extract, then that’s what you must do. But if you can meet all Article 15’s requirements another way, that’s also fine.
As always, you must not infringe on anyone’s rights when providing someone with a copy of their personal data.
As such, when providing a copy of a document as part of an access request, you’ll normally have to remove any personal data about other people and comply with any restrictions to the right of access under the relevant national law.
When to Disclose the Specific Recipients of Personal Data: Case C-154/21
Our second recent case regarding the right of access is January 2023’s judgment in Case C-154/21.
“RW” made a subject access request to Austria Post, which performs analytics services for direct marketing companies. RW wanted to know which companies Austria Post had shared his personal data with.
Austria Post provided a list of the types of companies it shared personal data with but did not reveal the names of specific companies.
RW was unhappy with this response, and his case ended up at the CJEU.
Recipients vs Categories of Recipients
Austria Post cited Article 15 (1) (c) to justify its response to RW.
This provision states that controllers must disclose “the recipients or categories of recipient” of personal data in response to a subject access request.
The wording implies a choice: the data subject must be told about either:
- The recipients (specific organisations, e.g. “Google”), OR
- The categories of recipients (types of organisations, e.g. “advertisers”).
But does the controller simply get to choose between these two options?
The CJEU’s Answer
The CJEU said controllers must disclose the specific recipients of personal data in almost all circumstances.
The court cited one exception: where it is “impossible to disclose the identity of specific recipients, in particular where they are not yet known”.
The CJEU emphasised that if the data subject doesn’t know who has received their personal data, they can’t check whether those recipients are processing it lawfully.
This is similar to the reasoning in our first “right of access” case. The right of access is a kind of “gateway right”, enabling the data subject to understand how their personal data is processed and then to request (for example) its erasure or rectification.
When to Charge a Fee for Subject Access Requests
Our final case about the right of access is an April 2023 opinion on Case C‑307/22 from the CJEU’s Advocate General (AG) Emiliou.
An AG provides an opinion on every pending CJEU decision. The AG’s opinion isn’t binding, so this case is not as significant as the other two above.
But when the CJEU rules on this case, it will refer to the opinion—and the court tends to draw the same conclusions as the AG.
In this case, “DW” was considering suing his dentist (“FT”) because he believed she had provided poor medical care.
DW made a subject access request to FT, requesting a copy of his medical records. FT told DW that she would only provide the records if DW paid a fee.
Following a complaint to the DSB and a series of appeals through the German courts, the case was referred to the CJEU.
To Charge or Not to Charge
Under the GDPR, a controller must facilitate a subject access request free of charge unless the request is “manifestly unfounded or excessive”.
But under German national law, healthcare providers may charge an administrative fee when providing copies of medical records.
The question is whether the GDPR overrides this national law. Did DW’s right to free access to his personal data prevail over the German law?
Motivation For the Request
As noted in our two previous cases, a data subject may submit a subject access request to check whether their personal data is being processed unlawfully.
This principle is confirmed in Recital 63, which states that the right of access enables data subjects to “be aware of, and verify, the lawfulness of the processing”.
But is this the only valid reason to lodge a subject access request? Could DW submit a subject access request to check if he had a legal claim against FT?
In his opinion, AG Emiliou said “no”—verifying the lawfulness of processing is not the only valid reason to submit a subject access request.
Data subjects can request access to their personal data for any “legitimate” reason — even if it is “unrelated to data protection”.
This reasoning suggests that making a subject access request to support a legal claim against the controller can be “legitimate”.
But in this case, AG Emiliou found that the German legislation permitting health professionals to charge for medical records is compatible with the GDPR, which allows EU countries to restrict the right of access for public health reasons.
Therefore, there are circumstances in which some controllers can charge for subject access requests made for legitimate reasons.
How Much to Charge
In circumstances where it is acceptable to charge a fee to carry out a subject access request, how much can a controller charge?
AG Emiliou emphasised that only costs relating to labour and material—“such as paper, toner for printer machines or copy machines, and/or USB sticks, etc.”—were recoverable, and that he would be “surprised (and thus suspicious)” if the amount exceeded “a handful of euros”.
Three Lessons on Subject Access Requests from the CJEU in 2023
Here’s a key takeaway from each of the CJEU cases we’ve looked at above.
- When responding to a subject access request, you should provide a faithful reproduction of all the relevant personal data to enable the data subject to check whether you are processing their personal data lawfully — including copies of documents, where necessary.
- If a data subject requests information about the recipients of their personal data, you must identify the specific recipients unless it is impossible to do so, in which case you may disclose the categories of recipients.
- Data subjects can make a subject access request for any legitimate reason, not just a reason connected to data protection.
Remember: The CJEU itself has yet to decide on that final point, but the case should be decided later in 2023.