CJEU - C‑307/22 - Copies of Medical Records

CJEU - C‑307/22 Copies of Medical Records

Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 12(5) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 23(1)(i) GDPR
Decided:	26.10.2023
Parties:
Case Number/Name:	C‑307/22 Copies of Medical Records
European Case Law Identifier:	ECLI:EU:C:2023:811
Reference from:	BGH (Germany)
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	sh

The CJEU ruled that Data Subject Access Requests are not limited by recital 63 GDPR. Article 12(5), 15(1) and 15(3) GDPR impose an obligation on a controller to provide the data subject, free of charge, with a first copy of his or her personal data.

English Summary

Facts

The case involved a dispute between a patient (DW) and a healthcare practitioner (FT) regarding access to the patient's medical file. DW is the data subject and FT the controller. DW received dental care from the controller and suspected errors during the treatment. DW requested a free copy of their medical file from FT. FT insisted that DW should bear the costs associated with providing the copy, in accordance with German national law.

Initially, DW's request for a free copy was granted, as the first-instance court based their interpretation of German national legislation in light of Article 12(5) and Article 15(1) and 15(3) GDPR.

FT appealed this decision to the Bundesgerichtshof (Federal Court of Justice, Germany). The court stated that the solution to the dispute depends on the interpretation that should be given of the provisions of the GDPR. Therefore, the Bundesgerichtshof referred the case to the CJEU as a preliminary reference with the following questions:

1. Does the GDPR (Article 15(3) GDPR, read in conjunction with Article 12(5) GDPR) require the practitioner to provide a free copy of the patient's personal data when the patient's request is for a purpose other than those mentioned in the GDPR under recital 63? For example in this case, requesting a first copy of their medical file in order to hold a medical practitioner liable?

2. If the answer to the first question is negative:

a) Can a national provision adopted before the GDPR came into force restrict the right to receive a free copy of personal data granted by the GDPR?^[1]

b) If the answer to a) is positive, do the 'rights and freedoms of others' mentioned under Article 23(1)(i) GDPR include being relieved of the costs and charges associated with providing a copy of the data?

c) If the answer to b) is positive, does a national regulation that gives the doctor a right to reimbursement of costs from the patient for providing a copy of the patient's personal data, constitute a restriction on the rights and obligations provided by the GDPR?

3. If the answer to the first question and the second question (a) to (c) is negative, does the the first sentence of Article 15(3) of the GDPR mean that the patient has the right to receive copies of all parts of the medical file containing personal data, or is it limited to a copy of the patient's personal data, allowing the treating physician to decide how to compile the data concerning the patient?

Advocate General Opinion

Holding

On the first question the court stated that Article 12(5) and Article 15(1) and (3) GDPR imposes an obligation on controllers to provide the data subject, free of charge, with a first copy of his or her personal data being processed. Article 12(5) GDPR, already considers two reasons why a controller may either charge a reasonable fee or refuse to follow up on a request. These reasons relate to cases of abuse of rights, in which the requests of the person concerned are "manifestly unfounded" or "excessive", in particular because of their repetitive nature. In this case, the referring court had already noted that the request of the person concerned was not unfair. A data subject's right of access is guaranteed by Article 15(1) GDPR. The court used Article 15(4) to read Article 15(3) as conferring a 'right' to the data free of charge. Payment can therefore be required by the controller only when the data subject has already received, free of charge, a first copy of his or her data and requests it again. Furthermore, as Article 15(3) GDPR outlines, this copy should be a faithful reproduction the personal data, understood in a broad sense, that are subject to operations that can be classified as ‘processing carried out by the controller’.^[2] Thus, a combined reading of Article 12(5) and Article 15(1) and (3) GDPR confirms the right of the data subject to obtain a first free copy of his or her personal data being processed. It also confirms exemptions to this general rule. Under certain conditions, the controller can charge reasonable fees taking into account administrative costs, or refuse to comply with a request if the latter is manifestly unfounded or excessive (as outlined in Article 12(5) GDPR).

Importantly, the court confirms that the above obligation remains valid even when the DSAR request is motivated for a purpose unrelated to those referred to in the first sentence of recital 63 GDPR. Neither the wording of Article 12(5) GDPR nor that of Article 15(1) and (3) GDPR condition the provision (to access the first copy of their personal data free of charge) on a reason to justify the requests (see paragraph 38). It follows that the person concerned is not required to give reasons for the request for access to the data. The first sentence of recital 63 cannot be interpreted as meaning that a request must be rejected if it is intended for an objective other than that of taking knowledge of the processing of the data and verifying its lawfulness. In this manner recital 63 cannot restrict the scope of Article 15(3) GDPR (see paragraph 35).

On the second question Article 23(1)(i) GDPR must be interpreted to mean that national legislation adopted before the entry into force of the GDPR is likely to fall within the scope of this provision. However, such an option does not allow the adoption of national legislation which, in order to protect the economic interests of the controller, charges the data subject for the costs of a first copy of his or her personal data subject to such processing. Article 23(1) GDPR does not exclude from its scope national legislative measures adopted before the entry into force of the GDPR, provided that they meet the conditions the GDPR prescribes. The court agreed that Article 23(1)(i) GDPR places a limitation on the scope of Article 15 GDPR. Consequently the right granted to the data subject to obtain a first free copy of his or her personal data being processed is not absolute. However, this limitation is related to the protection of the rights and freedoms of others. Thus, an objective related to the protection of the economic interests of practitioners is not sufficient to justify a limitation of the right enshrined by Article 15 GDPR. This is further substantiated by the fact that these interests even have the consequence of deterring patients from making legitimate requests for a copy of their medical record,

As to the last question, already in C-487/21 F.F. v DSB the CJEU decided that the right to a copy under Article 15(3) GDPR entails that data subject must be given a faithful and intelligible reproduction of all their personal data. This may include, to the extent that it is necessary to protect their rights and interests, copies of extracts from documents, entire documents or extracts from databases. Here the CJEU extends this principle to the the context of a doctor/patient relationship, and in doing so seems to limit it. The patient has the right to obtain a full copy of the documents in his/her medical record, where it is essential in order to understand the personal data which those documents contain.^[3] This right includes information such as diagnoses, examination results, opinions of treating doctors and any treatment or intervention administered to him or her.

Comment

The judgment makes sense and follows previous CJEU case law such as; Österreichische Post (Information regarding the recipients of personal data) (C-154/21), CJEU Österreichische Datenschutzbehörde and CRIF (C-487/21) and CJEU Pankki S (C-579/21).

Further Resources

↑ In this case the rights granted by reading first sentence of Article 15(3), in conjunction with Article 12(5) of the GDPR under Article 23(1)(i) GDPR.
↑ (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 28).
↑ Para 79 of the judgement states: 'the right to obtain a copy of personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain a full copy of the documents included in his or her medical records and containing, inter alia, those data if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible'.

[1] In this case the rights granted by reading first sentence of Article 15(3), in conjunction with Article 12(5) of the GDPR under Article 23(1)(i) GDPR.

[2] (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 28).

[3] Para 79 of the judgement states: 'the right to obtain a copy of personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain a full copy of the documents included in his or her medical records and containing, inter alia, those data if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible'.

[1]

[2]

[3]