Revolutionising Subject Access Requests: Decoding the CJEU’s Landmark Judgment
On 4th May, the Court of Justice of the European Union (CJEU) delivered a pivotal judgment in case C-487/21 (Österreichische Datenschutzbehörde v CRIF GmbH), which significantly impacts data protection and the rights of data subjects. This case centred on access requests by data subjects under Article 15 of the General Data Protection Regulation (GDPR). The CJEU clarified the scope of the controller’s obligations, emphasising the importance of providing a “faithful and intelligible reproduction” of personal data and balancing the rights of data subjects with the rights and freedoms of others.
A Faithful and Intelligible Reproduction of Personal Data
The CJEU ruled that data controllers must provide data subjects with a clear and precise representation of all personal data undergoing processing. This obligation stems from the need for data subjects to assess the accuracy of their personal data and whether the data is processed lawfully. Consequently, the right to access serves as a fundamental gateway for exercising other data subject rights under the GDPR.
Obligation to Provide Copies of Documents and/or Databases
The Court emphasised that data controllers may need to provide copies of entire or partial documents and/or databases to ensure data subjects can effectively exercise their GDPR rights. As stated in the judgment, “the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential, […] where the contextualization of the data processed is necessary in order to ensure the data are intelligible” (§41).
Balancing the Rights of Data Subjects and Others
The CJEU reiterated the need for data controllers to balance the rights of data subjects with the rights and freedoms of others, including trade secrets, intellectual property, and copyright protection for software. While this balancing act may not always result in “full and complete access” to personal data, it should never lead to “a refusal to provide all information to the data subject.”
Implications for Data Controllers
This judgment imposes an additional requirement on data controllers to conduct a “legitimate access assessment” to determine if the information provided to data subjects is sufficiently intelligible. This assessment should be thoroughly documented in line with the principle of accountability and should consider any rights and freedoms of others that may limit the exercise of the data subject’s right (e.g., removal of personal data relating to other data subjects or protection of intellectual property assets).