Last month the CJEU handed down judgment in the case of Österreichische Datenschutzbehörde v CRIF. CRIF is an organisation that provides information on creditworthiness. They received a DSAR from an individual asking for a copy of the documents containing their personal data. CRIF sent a summary of the personal data they held, in the form of a list. The data subject, on the basis that he had requested a copy, lodged a complaint with the supervisory authority.
The question brought before the CJEU was what constitutes a “copy” of personal data under Article 15(3) EU GDPR, and whether this extends to copies of extracts from documents, entire documents, or extracts from databases.
In its judgment the court stated that:
A general description of the data undergoing processing or a reference to categories of personal data does not correspond to the definition of copy, which must contain all the personal data undergoing processing.
Whilst there is no standalone right to a copy of documents themselves (a copy does not mean a document), the data subject must be given a faithful and intelligible reproduction of all [their] data and so the right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data if that is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the EU GDPR.
In order to make the information easy to understand, a controller may need to provide extracts or whole documents to contextualise the personal data.
The court made the point that the ability to exercise other rights, such as rectification, erasure etc., depends upon having a full and faithful record of what data is processed.
The court also gave its findings on the definition of “information” in the following sentence in Article 15(3) EU GDPR: “Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”
The court held that “it must be interpreted as meaning … the personal data of which the controller must provide a copy…” (it does not go beyond this to metadata).
If you would like some help in responding to data subject access requests, we would be happy to assist. Simply raise this with your usual contact or send a message to email@example.com.