CJEU - C‑307/22 - Copies of Medical Records
| CJEU - C‑307/22 Copies of Medical Records | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 12(5) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 23(1)(i) GDPR |
| Decided: | 26.10.2023 |
| Parties: | |
| Case Number/Name: | C‑307/22 Copies of Medical Records |
| European Case Law Identifier: | ECLI:EU:C:2023:811 |
| Reference from: | Bundesgerichtshof (Federal Court of Justice, Germany) |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion Judgement |
| Initial Contributor: | sh |
The CJEU ruled that Data Subject Access Requests are not limited by recital 63 GDPR. Article 12(5), 15(1) and 15(3) GDPR impose an obligation on a controller to provide the data subject, free of charge, with a first copy of his or her personal data.
English Summary
Facts
The case involved a dispute between a patient (DW) and a healthcare practitioner (FT) regarding access to the patient's medical file. DW is the data subject and FT the controller. DW received dental care from the controller and suspected errors during the treatment. DW requested a free copy of their medical file from FT. FT insisted that DW should bear the costs associated with providing the copy, in accordance with German national law.
Initially, DW's request for a free copy was granted, as the first-instance court based their interpretation of German national legislation in light of Article 12(5) and Article 15(1) and 15(3) GDPR.
FT appealed this decision to the Bundesgerichtshof (Federal Court of Justice, Germany). The court stated that the solution to the dispute depends on the interpretation that should be given of the provisions of the GDPR. Therefore, the Bundesgerichtshof referred the case to the CJEU as a preliminary reference with the following questions:
1. Does the GDPR (Article 15(3) GDPR, read in conjunction with Article 12(5) GDPR) require the practitioner to provide a free copy of the patient's personal data when the patient's request is for a purpose other than those mentioned in the GDPR under recital 63? For example in this case, requesting a first copy of their medical file in order to hold a medical practitioner liable?
2. If the answer to the first question is negative:
a) Can a national provision adopted before the GDPR came into force restrict the right to receive a free copy of personal data granted by the GDPR?[1]
b) If the answer to a) is positive, do the 'rights and freedoms of others' mentioned under Article 23(1)(i) GDPR include being relieved of the costs and charges associated with providing a copy of the data?
c) If the answer to b) is positive, does a national regulation that gives the doctor a right to reimbursement of costs from the patient for providing a copy of the patient's personal data, constitute a restriction on the rights and obligations provided by the GDPR?
3. If the answer to the first question and the second question (a) to (c) is negative, does the the first sentence of Article 15(3) of the GDPR mean that the patient has the right to receive copies of all parts of the medical file containing personal data, or is it limited to a copy of the patient's personal data, allowing the treating physician to decide how to compile the data concerning the patient?
Advocate General Opinion
Holding
On the first question the court stated that Article 12(5) and Article 15(1) and (3) GDPR must be interpreted to mean that the obligation to provide the data subject, free of charge, with a first copy of his or her personal data being processed is imposed on the controller. Even when this request is motivated for a purpose unrelated to those referred to in the first sentence of recital 63 GDPR. Article 12(5) GDPR, already considers two reasons why a controller may either charge a reasonable fee or refuse to follow up on a request. These reasons relate to cases of abuse of rights, in which the requests of the person concerned are "manifestly unfounded" or "excessive", in particular because of their repetitive nature. In this case, the referring court had already noted that the request of the person concerned was not unfair. A data subject's right of access is guaranteed by Article 15(1). The court used Article 15(4) to read Article 15(3) as conferring a 'right' to the data free of charge. Payment can therefore be required by the controller only when the data subject has already received, free of charge, a first copy of his or her data and requests it again. This right to obtain a faithful reproduction of the personal data should be interpreted broadly. A combined reading of Article 12(5) and Article 15(1) and (3) GDPR confirms the right of the data subject to obtain a first free copy of charge of his or her personal data being processed. It also confirms that under certain conditions, the controller can charge reasonable fees taking into account administrative costs, or to refuse to comply with a request if the latter is manifestly unfounded or excessive.
Importantly, the court expands on this interpretation to say that neither the wording of Article 12(5) GDPR nor that of Article 15(1) and (3) GDPR condition the provision (to access the first copy of their personal data free of charge) on a reason to justify their requests (see paragraph 38). It follows that the person concerned is not required to give reasons for the request for access to the data. The first sentence of recital 63 cannot be interpreted as meaning that a request must be rejected if it is intended for an objective other than that of taking knowledge of the processing of the data and verifying its lawfulness. In this manner recital 63 cannot restrict the scope of Article 15(3) GDPR (see paragraph 35).
On the second question Article 23(1)(i) GDPR must be interpreted to mean that national legislation adopted before the entry into force of the GDPR is likely to fall within the scope of this provision. However, such a option does not allow the adoption of national legislation which, in order to protect the economic interests of the controller, charges the data subject for the costs of a first copy of his or her personal data subject to such processing. Article 23(1) GDPR does not exclude from its scope national legislative measures adopted before the entry into force of the GDPR, provided that they meet the conditions the GDPR prescribes. The court agreed that Article 23(1)(i) GDPR places a limitation on the scope of Article 15 GDPR. Consequently the right granted to the data subject to obtain a first free copy of charge of his or her personal data being processed is not absolute. However, this limitation is related to the protection of the rights and freedoms of others. Thus, an objective related to the protection of the economic interests of practitioners is not sufficient to justify a limitation of the right enshrined by Article 15 GDPR. This is further substantiated by the fact that these interests even have the consequence of deterring patients from making legitimate requests for a copy of their medical record,
As to the last question, the first sentence of Article 15(3) GDPR must be interpreted to mean that in the context of a doctor/patient relationship, the right to obtain a copy of the personal data being processed implies that the data subject is given a faithful and intelligible reproduction of all these data. This right presupposes that of obtaining a full copy of the documents in his medical file that contain, among other things, the said data, if the provision of such a copy is necessary to allow the person concerned to verify their accuracy and completeness and to guarantee their intelligibility.[2] In the case of data relating to the health of the person concerned, this right includes in any case that of obtaining a copy of the data in his or her medical file containing information such as diagnoses, examination results, opinions of treating doctors and any treatment or intervention administered to him or her.
Comment
The judgment makes sense and follows previous CJEU case law such as; Österreichische Post (Information regarding the recipients of personal data) (C-154/21), CJEU Österreichische Datenschutzbehörde and CRIF (C-487/21) and CJEU Pankki S (C-579/21).
Further Resources
Share blogs or news articles here!
- ↑ In this case the rights granted by reading first sentence of Article 15(3), in conjunction with Article 12(5) of the GDPR under Article 23(1)(i) GDPR.
- ↑ A copy including the 'full data' version seems to be limited to the need to enable the data subject to verify the accuracy and completeness of the data.
