CJEU - C‑307/22 - Copies of Medical Records: Difference between revisions

CJEU - C‑307/22 Copies of Medical Records
Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 3 GDPR Article 12(5) GDPR Article 15(3) GDPR Article 23(1)(i) GDPR
Decided:	26.10.2023
Parties:
Case Number/Name:	C‑307/22 Copies of Medical Records
European Case Law Identifier:	ECLI:EU:C:2023:811
Reference from:	Bundesgerichtshof (Federal Court of Justice, Germany)
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	sh

The CJEU ruled that Data Subject Access Requests are not limited by their goals under tecital 63. Data subjects are not obliged to state those goals anyways.

English Summary

Facts

The case involved a dispute between a patient (DW) and a healthcare practitioner (FT) regarding access to the patient's medical file. DW is the data subject and FT the controller. DW received dental care from the controller and suspected errors during the treatment. DW requested a free copy of their medical file from FT. FT insisted that DW should bear the costs associated with providing the copy, in accordance with German national law.

Initially, DW's request for a free copy was granted, as the first-instance court based their interpretation of German national legislation in light of Article 12(5) and Article 15(1) and 15(3) GDPR.

FT appealed this decision to the Bundesgerichtshof (Federal Court of Justice, Germany). The court stated that the solution to the dispute depends on the interpretation that should be given of the provisions of the GDPR. Therefore, the Bundesgerichtshof referred the case to the CJEU as a preliminary reference with the following questions:

1. Does the GDPR (Article 15(3) GDPR, read in conjunction with Article 12(5) GDPR) require the practitioner to provide a free copy of the patient's personal data when the patient's request is for a purpose other than those mentioned in the GDPR under recital 63? For example in this case, requesting a first copy of their medical file in order to hold a medical practitioner liable?

2. If the answer to the first question is negative:

a) Can a national provision adopted before the GDPR came into force restrict the right to receive a free copy of personal data granted by the GDPR?^[1]

b) If the answer to a) is positive, do the 'rights and freedoms of others' mentioned under Article 23(1)(i) GDPR include being relieved of the costs and charges associated with providing a copy of the data?

c) If the answer to b) is positive, does a national regulation that gives the doctor a right to reimbursement of costs from the patient for providing a copy of the patient's personal data, constitute a restriction on the rights and obligations provided by the GDPR?

3. If the answer to the first question and the second question (a) to (c) is negative, does the patient have the right to receive copies of all parts of the medical file containing personal data, or is it limited to a copy of the patient's personal data, allowing the treating physician to decide how to compile the data concerning the patient?

Advocate General Opinion

AG Nicholas Emiliou

Holding

On the first question the court stated that Article 12(5) and Article 15(1) and (3) GDPR must be interpreted as meaning that the obligation to provide the data subject, free of charge, with a first copy of his or her personal data being processed is imposed on the controller. Even when this request is motivated for a purpose unrelated to those referred to in the first sentence of recital 63 GDPR.

Article 12(5) GDPR, already considers two reasons why a controller may either charge a reasonable fee or refuse to follow up on a request. These reasons relate to cases of abuse of rights, in which the requests of the person concerned are "manifestly unfounded" or "excessive", in particular because of their repetitive nature. In this case, the referring court already noted that the request of the person concerned was not unfair.

Article 15(1) payment can therefore be required by the controller only when the data subject has already received, free of charge, a first copy of his or her data and requests it again.

On the second question Article 23(1)(i) GDPR must be interpreted to mean that it is likely to fall within the scope of this provision a national legislation adopted before the entry into force of this regulation. However, such a option does not allow the adoption of national legislation which, in order to protect the economic interests of the controller, charges the data subject for the costs of a first copy of his or her personal data subject to such processing.

As to the last question, the first sentence of Article 15(3) GDPR must be interpreted to mean that in the context of a doctor/patient relationship, the right to obtain a copy of the personal data being processed implies that the data subject is given a faithful and intelligible reproduction of all these data. This right presupposes that of obtaining a full copy of the documents in his medical file that contain, among other things, the said data, if the provision of such a copy is necessary to allow the person concerned to verify their accuracy and completeness and to guarantee their intelligibility. In the case of data relating to the health of the person concerned, this right includes in any case that of obtaining a copy of the data in his or her medical file containing information such as diagnoses, examination results, opinions of treating doctors and any treatment or intervention administered to him or her.

Comment

The judgment makes sense and follows previous CJEU case law such as; Österreichische Post (Information regarding the recipients of personal data) (C-154/21), CJEU Österreichische Datenschutzbehörde and CRIF (C-487/21) and CJEU Pankki S (C-579/21).

Further Resources

Share blogs or news articles here!