CJEU - C-487/21 - Österreichische Datenschutzbehörde and CRIF

From GDPRhub
CJEU - C-487/21 Österreichische Datenschutzbehörde and CRIF
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15(3) GDPR
Decided: 04.05.2023
Parties: DSB (Austria)
Case Number/Name: C-487/21 Österreichische Datenschutzbehörde and CRIF
European Case Law Identifier: ECLI:EU:C:2023:369
Reference from: BVwG (Austria)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: mg


The CJEU stated that the right to a copy under Article 15(3) GDPR entails that the data subject must be given a faithful and intelligible reproduction of all their personal data, which is necessary for them to exercise their rights.

English Summary

Facts

The controller – CRIF – was a company that provided its client with information concerning the creditworthiness of third parties. The data subject asked the controller to provide them with a copy of their data undergoing processing. The controller replied by submitting a summary with the list of such personal data.

In the context of a complaint before the Austrian DPA, the data subject lamented that this was not sufficient. However, the supervisory authority held that the controller did not violate the GDPR.

The data subject appealed the DPA decision and the court referred the matter to the CJEU.

Holding

The preliminary question concerned the scope of the right to a copy of data undergoing processing pursuant to Article 15(3) GDPR.

According to the CJEU, the GDPR does not contain any definition of “copy”. However, this word, in its usual meaning, indicates a “faithful reproduction or transcription of an original” in opposition to a “purely general description” of data.

The true question, however, was whether Article 15(3) GDPR covers “extracts from documents or even entire documents or extracts from databases”. The copy does not refer to the document as such but to the personal data undergoing processing, which must be complete. The Court stressed that the right to a copy – originally not provided by the data protection directive – aims to enable the data subject to protect their rights and interests under the GDPR. As the protection of data subjects’ rights is the rationale behind the right to a copy (and more in general behind the principle of transparency) a copy of data undergoing processing must reproduce data “fully and faithfully” in a manner that enables the data subject to exercise their rights.

In conclusion, the right to a copy under Article 15(3) GDPR entails that data subject must be given a faithful and intelligible reproduction of all their personal data. This may include, to the extent that it is necessary to protect their rights and interests, copies of extracts from documents, entire documents or extracts from databases.

Comment

The CJEU seems to envisage a functional definition of what “copy”. The definition of copy is not rigidly fixed and may vary depending of what is necessary to exercise the data subject’s rights.

Further Resources

Share blogs or news articles here!