Österreichische Datenschutzbehorde and CRIF (Protection of personal data - Data subject's right of access to his or her data undergoing processing - Judgment) [2023] EUECJ C-487/21 (04 May 2023)


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Court of Justice of the European Communities (including Court of First Instance Decisions)


You are here: BAILII >> Databases >> Court of Justice of the European Communities (including Court of First Instance Decisions) >> Österreichische Datenschutzbehorde and CRIF (Protection of personal data - Data subject's right of access to his or her data undergoing processing - Judgment) [2023] EUECJ C-487/21 (04 May 2023)
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C48721.html
Cite as: [2023] EUECJ C-487/21, ECLI:EU:C:2023:369, [2023] WLR(D) 226, EU:C:2023:369

[New search] [Contents list] [View ICLR summary: [2023] WLR(D) 226] [Help]


Provisional text

JUDGMENT OF THE COURT (First Chamber)

4 May 2023 (*)

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Data subject’s right of access to his or her data undergoing processing – Article 15(3) – Provision of a copy of the data – Concept of ‘copy’ – Concept of ‘information’)

In Case C‑487/21,

REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesverwaltungsgericht (Federal Administrative Court, Austria), made by decision of 9 August 2021, received at the Court on 9 August 2021, in the proceedings

F.F.

v

Österreichische Datenschutzbehörde,

intervening party:

CRIF GmbH,

THE COURT (First Chamber),

composed of A. Arabadjiev, President of the Chamber, P.G. Xuereb, T. von Danwitz, A. Kumin and I. Ziemele (Rapporteur), Judges,

Advocate General: G. Pitruzzella,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–        F.F., by M. Schrems,

–        Österreichische Datenschutzbehörde, by A. Jelinek and M. Schmidl, acting as Agents,

–        CRIF GmbH, by L. Feiler and M. Raschhofer, Rechtsanwälte,

–        the Austrian Government, by G. Kunnert, A. Posch and J. Schmoll, acting as Agents,

–        the Czech Government, by O. Serdula, M. Smolek and J. Vláčil, acting as Agents,

–        the Italian Government, by G. Palmieri, acting as Agent, and by M. Russo, avvocato dello Stato,

–        the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 15 December 2022,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2        The request has been made in proceedings between F.F. and the Österreichische Datenschutzbehörde (Austrian Data Protection Authority; ‘DSB’) concerning DSB’s refusal to require CRIF GmbH to send F.F. a copy of the documents and extracts from databases containing, inter alia, his personal data undergoing processing.

 Legal context

3        Recitals 10, 11, 26, 58, 60 and 63 of the GDPR are worded as follows:

‘(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the [European] Union. …

(11)      Effective protection of personal data throughout the [European] Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data …

(26)      The principles of data protection should apply to any information concerning an identified or identifiable natural person. … To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. …

(58)      The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language … be used.

(60)      The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. …

(63)      A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. … Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. …’

4        Article 4 of that regulation states:

‘For the purposes of this Regulation:

(1)      “personal data” means any information relating to an identified or identifiable natural person …; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means …;

…’

5        Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, provides:

‘1.      The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

3.      The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. … Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

…’

6        Pursuant to Article 15 of the GDPR, headed ‘Right of access by the data subject’:

‘1.      The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a)      the purposes of the processing;

(b)      the categories of personal data concerned;

(c)      the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d)      where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e)      the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f)      the right to lodge a complaint with a supervisory authority;

(g)      where the personal data are not collected from the data subject, any available information as to their source;

(h)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.      Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3.      The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.      The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’

7        Article 16 of the GDPR, headed ‘Right to rectification’, provides:

‘The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.’

8        Article 17 of that regulation, entitled ‘Right to erasure (“right to be forgotten”)’, states in paragraph 1 thereof:

‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay …

…’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

9        CRIF is a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties. It was for that purpose that it processed the personal data of the applicant in the main proceedings.

10      On 20 December 2018, the applicant applied to CRIF, on the basis of Article 15 of the GDPR, for access to the personal data concerning him. In addition, he asked to be provided with a copy of the documents, namely emails and database extracts containing, inter alia, his data, ‘in a standard technical format’.

11      In response to that request, CRIF sent the applicant in the main proceedings, in summary form, the list of his personal data undergoing processing.

12      Being of the view that CRIF should have sent him a copy of all the documents containing his data, such as emails and database extracts, the applicant in the main proceedings lodged a complaint with DSB.

13      By decision of 11 September 2019, DSB rejected that complaint, taking the view that CRIF had not in any way infringed the right of access of the applicant in the main proceedings to his personal data.

14      The referring court, hearing the action brought by the applicant in the main proceedings against that decision, is uncertain as to the scope of the first sentence of Article 15(3) of the GDPR. It wonders in particular whether the obligation laid down in that provision to provide a ‘copy’ of the personal data is fulfilled where the controller transmits the personal data in the form of a summary table or whether that obligation also entails the transmission of document extracts or entire documents, as well as database extracts, in which those data are reproduced.

15      More specifically, the referring court asks whether the first sentence of Article 15(3) of the GDPR merely defines the form in which the right of access to information referred to in Article 15(1) of that regulation must be guaranteed, or whether that first provision enshrines an autonomous right of the data subject to access information relating to the context in which that person’s data are processed, in the form of copies of document extracts, or entire documents or database extracts which contain, inter alia, those data.

16      In addition, the referring court asks whether the term ‘information’, which appears in the third sentence of Article 15(3) of the GDPR, includes the information referred to in Article 15(1)(a) to (h) of that regulation, or even additional information such as metadata related to the data, or whether it covers only the ‘personal data undergoing processing’ referred to in the first sentence of Article 15(3) of that regulation.

17      In those circumstances, the Bundesverwaltungsgericht (Federal Administrative Court, Austria) decided to stay the proceedings and to refer the following questions to the Court for a preliminary ruling:

‘(1)      Is the term “copy” in Article 15(3) of [the GDPR] to be interpreted as meaning a photocopy, a facsimile or an electronic copy of [an] (electronic) item of data, or does it also cover an “Abschrift”, a “double” (“duplicata”) or a “transcript”, in line with the understanding of the term in German, French and English dictionaries?

(2)      Is the first sentence of Article 15(3) of the GDPR, according to which “the controller shall provide a copy of the personal data undergoing processing”, to be interpreted as affording a general right for a data subject to obtain a copy of – also – entire documents in which the personal data of that data subject are processed, or to receive a copy of a database extract if the personal data are processed in such a database, or does the data subject have a right – only – to an exact reproduction of the personal data about which information is to be provided pursuant to Article 15(1) of the GDPR?

(3)      In the event that Question 2 is answered to the effect that the data subject has a right only to an exact reproduction of the personal data about which information is to be provided pursuant to Article 15(1) of the GDPR, is the first sentence of Article 15(3) of the GDPR to be interpreted as meaning that, depending on the nature of the data processed (for example in relation to the diagnoses, examination results and assessments mentioned in recital 63 or documents in relation to an examination within the meaning of the judgment of the Court of Justice of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994) and the transparency requirement in Article 12(1) of the GDPR, it may nevertheless be necessary in individual cases to make text passages or entire documents available to the data subject?

(4)      Is the term “information” which, pursuant to the third sentence of Article 15(3) of the GDPR, “where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, … shall be provided in a commonly used electronic form”, to be interpreted as referring solely to the “personal data undergoing processing” mentioned in the first sentence of Article 15(3) of the GDPR?

(a)      If Question 4 is answered in the negative: Is the term “information” which, pursuant to the third sentence of Article 15(3) of the GDPR, “where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, … shall be provided in a commonly used electronic form” to be interpreted as also referring to the information pursuant to Article 15(1)(a) to (h) of the GDPR?

(b)      If Question 4a also is answered in the negative: Is the term “information” which, pursuant to the third sentence of Article 15(3) of the GDPR, “where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, … shall be provided in a commonly used electronic form” to be interpreted as referring, beyond the “personal data undergoing processing” and the information pursuant to Article 15(1)(a) to (h) of the GDPR, to associated metadata, for example?’

 Consideration of the questions referred

 The first, second and third questions referred

18      By its first three questions, which it is appropriate to examine together, the referring court asks, in essence, whether the first sentence of Article 15(3) of the GDPR, read in the light of the transparency requirement laid down in Article 12(1) of that regulation, must be interpreted as meaning that the right to obtain a copy of the personal data undergoing processing means that the data subject must be given not only a copy of those data, but also a copy of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data. That court is uncertain, in particular, of the extent of that right.

19      As a preliminary point, it should be recalled that, according to the Court’s settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording, by reference to its usual meaning in everyday language, but also the context in which it occurs and the objectives pursued by the rules of which it is part (see, to that effect, judgments of 2 December 2021, Vodafone Kabel Deutschland, C‑484/20, EU:C:2021:975, paragraph 19 and the case-law cited, and of 7 September 2022, Staatssecretaris van Justitie en Veiligheid (Nature of the right of residence under Article 20 TFEU), C‑624/20, EU:C:2022:639, paragraph 28).

20      As regards the wording of the first sentence of Article 15(3) of the GDPR, that provision states that the controller ‘shall provide a copy of the personal data undergoing processing’.

21      Although the GDPR does not contain a definition of the term ‘copy’ thus used, account must be taken of the usual meaning of that term, which refers, as the Advocate General observed in point 30 of his Opinion, to the faithful reproduction or transcription of an original, with the result that a purely general description of the data undergoing processing or a reference to categories of personal data does not correspond to that definition. Furthermore, it is apparent from the wording of the first sentence of Article 15(3) of that regulation that the disclosure obligation relates to the personal data undergoing the processing in question.

22      Article 4(1) of the GDPR defines the concept of ‘personal data’ as ‘any information relating to an identified or identifiable natural person’ and specifies that ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

23      The use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in that provision reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject (see, by analogy, judgment of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 34).

24      In that regard, it has been held that information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person (see, to that effect, judgment of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 35).

25      As regards the ‘identifiable’ nature of a natural person, recital 26 of the GDPR states that account should be taken of ‘all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.

26      Thus, as the Advocate General observed, in essence, in points 36 to 39 of his Opinion, the broad definition of the concept of ‘personal data’ covers not only data collected and stored by the controller, but also includes all information resulting from the processing of personal data relating to an identified or identifiable person, such as the assessment of that person’s creditworthiness or his or her ability to pay.

27      In that respect, it should also be added that the EU legislature intended to give the concept of ‘processing’, as defined in Article 4(2) of the GDPR, a broad scope by using a non-exhaustive list of operations (see, to that effect, judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C‑175/20, EU:C:2022:124, paragraph 35).

28      Accordingly, it follows from the literal analysis of the first sentence of Article 15(3) of the GDPR that that provision confers on the data subject the right to obtain a faithful reproduction of his or her personal data, understood in a broad sense, that are subject to operations that can be classified as processing carried out by the controller.

29      That said, it must be held that the wording of that provision does not, in itself, enable an answer to be given to the first three questions in so far as it contains no indication regarding any right to obtain not only a copy of the personal data undergoing processing, but also a copy of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data.

30      As regards the context of which the first sentence of Article 15(3) of the GDPR forms part, it should be noted that Article 15 of the GDPR, which is entitled ‘Right of access by the data subject’, defines, in paragraph 1 thereof, the subject matter and scope of the data subject’s right of access and enshrines that data subject’s right to obtain from the controller access to his or her personal data and the information referred to in points (a) to (h) of that paragraph.

31      Article 15(3) of the GDPR sets out the practical arrangements for the fulfilment of the controller’s obligation, specifying, inter alia, in its first sentence, the form in which that controller must provide the ‘personal data undergoing processing’, namely in the form of a ‘copy’. In addition, the third sentence of that paragraph states that the information is to be provided in a commonly used electronic form where the request is made by electronic means, unless otherwise requested by the data subject.

32      As a result, Article 15(3) of the GDPR cannot be interpreted as establishing a separate right from that provided for in Article 15(1). Moreover, as the European Commission noted in its written observations, the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. The copy must therefore contain all the personal data undergoing processing.

33      As regards the objectives pursued by Article 15 of the GDPR, it should be noted that the purpose of the GDPR, as stated in recital 11 thereof, is to strengthen and set out in detail the rights of data subjects. Article 15 of that regulation provides, in that regard, for a right to obtain a copy, unlike the second indent of Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), which merely required ‘communication … in an intelligible form of the data undergoing processing’. Recital 63 of the GDPR states that ‘a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing’.

34      Thus, the right of access provided for in Article 15 of the GDPR must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner (see, to that effect, judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C‑154/21, EU:C:2023:3, paragraph 37 and the case-law cited).

35      In particular, that right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16, 17 and 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, and right of action where he or she suffers damage, laid down in Articles 79 and 82 of the GDPR (judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C‑154/21, EU:C:2023:3, paragraph 38 and the case-law cited).

36      It should also be noted that recital 60 of the GDPR states that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes, it being stressed that the controller should provide any other information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed.

37      Furthermore, in accordance with the principle of transparency, alluded to by the referring court, to which recital 58 of the GDPR refers and which is expressly enshrined in Article 12(1) of that regulation, any information sent to the data subject must be concise, easily accessible and easy to understand, and formulated in clear and plain language.

38      As the Advocate General stated in points 54 and 55 of his Opinion, it follows from that provision that the controller is obliged to take appropriate measures to provide the data subject with all the information referred to, inter alia, in Article 15 of the GDPR, in a concise, transparent, intelligible and easily accessible form, using plain and clear language, and that the information must be provided in writing or by other means, including, where appropriate, by electronic means, unless the data subject requests that it be provided orally. The purpose of that provision, which is an expression of the principle of transparency, is to ensure that the data subject is able fully to understand the information sent to him or her.

39      It follows that the copy of the personal data undergoing processing, which the controller must provide pursuant to the first sentence of Article 15(3) of the GDPR, must have all the characteristics necessary for the data subject effectively to exercise his or her rights under that regulation and must, consequently, reproduce those data fully and faithfully.

40      That interpretation corresponds to the objective of the GDPR, which seeks, inter alia, as is apparent from recital 10 thereof, to ensure a high level of protection of natural persons within the European Union and, to that end, to ensure a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of such natural persons with regard to the processing of personal data throughout the European Union (see, to that effect, judgment of 9 February 2023, X-FAB Dresden, C‑453/21, EU:C:2023:79, paragraph 25 and the case-law cited).

41      In order to ensure that the information thus provided is easy to understand, as required by Article 12(1) of the GDPR, read in conjunction with recital 58 of that regulation, the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential, as the Advocate General observed in points 57 and 58 of his Opinion, where the contextualisation of the data processed is necessary in order to ensure the data are intelligible.

42      In particular, where personal data are generated from other data or where such data result from empty fields, that is to say, where there is an absence of information which provides information about the data subject, the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data.

43      In any event, in accordance with Article 15(4) of the GDPR, read in conjunction with recital 63 of that regulation, the right to obtain a copy referred to in paragraph 3 of that article must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting the software.

44      Therefore, as the Advocate General stated in point 61 of his Opinion, in the event of conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights and freedoms of others, a balance will have to be struck between the rights in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’.

45      In the light of the foregoing considerations, the answer to the first, second and third questions referred is that the first sentence of Article 15(3) of the GDPR

must be interpreted as meaning that the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.

 The fourth question referred

46      By the fourth question, the referring court asks, in essence, whether the third sentence of Article 15(3) of the GDPR must be interpreted as meaning that the concept of ‘information’ to which it refers relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of that paragraph, or whether it also refers to all the information referred to in paragraph 1 of that article, or even covers elements going beyond that information, such as metadata.

47      As was pointed out in paragraph 19 above, in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it forms part.

48      In that regard, although the third sentence of Article 15(3) of the GDPR merely states that, ‘where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form’, without specifying what is to be understood by the term ‘information’, the first sentence of that paragraph states that ‘the controller shall provide a copy of the personal data undergoing processing’.

49      Accordingly, it follows from the context of the third sentence of Article 15(3) of the GDPR that the ‘information’ to which it refers necessarily corresponds to the personal data of which the controller must provide a copy in accordance with the first sentence of that paragraph.

50      Such an interpretation is confirmed by the objectives pursued by Article 15(3) of the GDPR, which are, as recalled in paragraph 31 above, to define the practical arrangements for the fulfilment of the controller’s obligation to provide a copy of the personal data undergoing processing. Consequently, that provision does not create a right separate from that which the data subject enjoys to obtain a faithful and intelligible reproduction of those data, enabling him or her effectively to exercise the rights conferred on him or her by that regulation.

51      It should be noted that no provision of that regulation establishes a difference in treatment of an application according to the form in which it is submitted, with the result that the scope of the right to obtain a copy cannot vary according to that form.

52      Furthermore, it should also be noted that, in accordance with Article 12(3) of the GDPR, where the request has been made by electronic means, the information referred to in Article 15, including that referred to in Article 15(1)(a) to (h), is to be provided by electronic means, unless otherwise indicated by the data subject.

53      In the light of the foregoing considerations, the answer to the fourth question referred is that the third sentence of Article 15(3) of the GDPR

must be interpreted as meaning that the concept of ‘information’ to which it refers relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of that paragraph.

 Costs

54      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

1.      The first sentence of Article 15(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.

2.      The third sentence of Article 15(3) of Regulation 2016/679

must be interpreted as meaning that the concept of ‘information’ to which it refers relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of that paragraph.

[Signatures]


*      Language of the case: German.

© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C48721.html