A significant new data protection judgment of the CJEU was rendered today in case C-487/21 (Österreichische Datenschutzbehörde v CRIF GmbH) on the topic of access requests by data subjects.
The questions referred to the CJEU by the Austrian Federal Administrative Court relate to the scope of the controller’s obligations in relation to access requests by data subjects pursuant to article 15 of the GDPR.
Does the obligation to provide a “copy” of the data entail:
It turns out, neither really. The Court toes the line by rejecting the “autonomous right” while simultaneously consecrating a broad understanding of the right of access:
This obligation derives from the necessity for the data subject to assess whether the personal data are correct (we understand, “accurate”) and whether they are processed in a lawful manner.
As a result, data subjects’ right to access is conceptualised as a gateway right for the exercise of other data subject rights.
As the Court states, “the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential, […] where the contextualisation of the data processed…