A significant new data protection judgment of the CJEU was rendered today in case C-487/21 (Österreichische Datenschutzbehörde v CRIF GmbH) on the topic of access requests by data subjects.
The questions referred to the CJEU by the Austrian Federal Administrative Court relate to the scope of the controller’s obligations in relation to access requests by data subjects pursuant to article 15 of the GDPR.
Does the obligation to provide a “copy” of the data entail:
It turns out, neither really. The Court toes the line by rejecting the “autonomous right” while simultaneously consecrating a broad understanding of the right of access:
This obligation derives from the necessity for the data subject to assess whether the personal data is correct (we understand, “accurate”) and whether they are processed in a lawful manner.
As a result, data subjects’ right to access is conceptualised as a gateway right for the exercise of other data subject rights.
As the Court states, “the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential, […] where the contextualisation of the data processed is necessary in order to ensure the data are intelligible” (§41).
The Court essentially reiterates the necessity for controllers to conduct a balancing exercise between the rights of the data subject and the rights and freedoms of others – which may result in not providing “full and complete access” to the personal data but may not result in “a refusal to provide all information to the data subject”.
What does this mean for data controllers: this decision essentially imposes an additional requirement on controllers to assess whether the information it intends to provide to the data subject is sufficiently intelligible by conducting a sort of “legitimate access assessment”. As always, this assessment should be thoroughly documented in accordance with the principle of accountability and should properly identify and consider, where relevant, any rights and freedoms of others limiting the exercise of the data subject’s right (e.g., removal of personal data from other data subjects, a given intellectual property asset, etc.).
The press release for this decision can be found here, and the full decision here.