CJEU - C‑312/23 - Addiko Bank
CJEU - C‑312/23 Addiko Bank v Agencija za zaštitu osobnih podataka | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 15(3) GDPR |
Decided: | 27.05.2024 |
Parties: | Addiko Bank |
Case Number/Name: | C‑312/23 Addiko Bank v Agencija za zaštitu osobnih podataka |
European Case Law Identifier: | ECLI:EU:C:2024:458 |
Reference from: | Upravni sud u Zagrebu |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | nzm |
The CJEU confirmed its case law regarding the right to obtain a copy of personal data stating that the data subject must be provided with a faithful and intelligible reproduction of the data, regardless of whether or not the request is motivated.
English Summary
Facts
Between May 2018 and April 2019, several customers of a bank (‘controller’) asked it to provide them with a copy of documents containing their personal data, including loan contracts they had concluded, repayment plans, documents relating to changes in interest rates and account statements. Some of these requests were explicitly motivated by the data subjects’ desire to bring a claim or legal action against the controller.
The controller refused to give access to these documents. The data subjects lodged complaints with the Croatian DPA claiming that this rejection constituted a violation of Article 15(3) GDPR. As the controller did not comply with the injunctions issued by the DPA in 26 specific cases, the DPA ordered it to pay a HRK 1,100,000 (€146,667) fine.
The controller considered that Article 15(3) GDPR confers only a right to a copy of the personal data being processed, to the exclusion of the documents containing them. Therefore, the controller brought an action before the Administrative Court of Zagreb against the administrative fine imposed by the DPA.
The Administrative Court decided to stay the proceedings and referred the following questions to the CJEU:
1) Does Article 15(3) GDPR oblige the controller to provide the data subject with a copy of the document containing their personal data?
2) May the controller reject an access request made as a means of obtaining documentation to assist the data subject with bringing legal proceedings against the controller?
Holding
On the first question
First, the CJEU indicated that by its wording, Article 15(3) GDPR confers on the data subject the right to obtain an accurate reproduction of personal data concerning them, understood in a broad sense, which are subject of a processing carried out by the controller (§25 of the Order).
Second, the CJEU noted that the term ‘copy’ does not refer to a document as such, but to the personal data it contains, which must be complete. The copy must therefore contain all the personal data being processed (§26 of the Order, and see CJEU, 26 October 2023, C-307/22, §72).
Last, Article 15 aims to strengthen and clarify the rights of data subjects. Thus, the right of access must enable the data subject to check that the personal data concerning them is accurate and processed lawfully. Therefore, the copy provided by the controller must present all the characteristics enabling the data subject to effectively exercise their rights under the GDPR. This implies that the data subject must be provided with a faithful and intelligible reproduction of the data (§29 of the Order).
Therefore, the CJEU concluded that the right of the data subject to obtain a copy of personal data relating to them implies that they must be provided with a true and intelligible reproduction of such data. It also implies the right to obtain a complete copy of the documents containing, inter alia, the data if the copy is necessary to enable the data subject to verify the accuracy and completeness of the data (§33 of the Order).
On the second question
Recital 63 GDPR establishes that the data subject should have a right of access to personal data in order to be aware of and verify the lawfulness of the processing.
The CJEU held that the wording of Article 15(1) and (3) GDPR does not make the provision of a copy of personal data conditional on the data subject invoking a reason to justify their request for access to that data. Therefore, the controller does not have the possibility to require that the data subject inform it of the grounds of the access request (§40 of the Order).
The CJEU thus considered that Article 15(1) and (3) GDPR cannot be interpreted as meaning that the request must be refused if it has an objective other than that of becoming aware of the processing of those data, and verifying its lawfulness. Indeed, the recital cannot restrict the scope of Article 15(3) GDPR as the preamble to an act of Union law has no binding legal force and cannot e relied on to derogate from the actual provisions of the act concerned to interpret those provisions in a manner manifestly contrary to their wording (§43 and §44 of the Order).
Additionally, the CJEU held that the fact that the personal data is processed in compliance with a legal obligation had no influence on the scope of that right, as the GDPR does not make the right of access dependent of the reason of the processing (§51 of the Order).
Therefore, the CJEU concluded that the obligation to provide a copy of the data subject’s personal data is binding on the controller, even where that request is motivated by a purpose other than those referred to in the first sentence of recital 63 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!