Home Knowledge Copy That: “Faithful and Intelligible Reproduction” is the Standard for DSAR Responses

Copy That: "Faithful and Intelligible Reproduction" is the Standard for DSAR Responses

July 5, 2023
Copy That:
Senior Associate
Rachel Hayes
Partner
Leo Moore
Partner
David Cullen

On 4 May 2023, the Court of Justice of the European Union (CJEU) provided clarity around the right of individuals to access their personal data under the GDPR, often referred to as data subject rights requests (DSARs).

In the Austrian case of Österreichische Datenschutzbehörde v CRIF GmbH, the CJEU held that controllers must provide “a faithful and intelligible reproduction” of personal data relating to an individual to comply with Article 15(3) GDPR. This entails a right for individuals to obtain copies of extracts from documents or even entire documents or extracts from databases which contain an individual’s personal data to exercise their right of access effectively. Nonetheless, the right of access must be balanced between the right of the individual and the rights & freedoms of others.

Background of the Case

The applicant made a DSAR to CRIF, a company which provides information on the creditworthiness of third parties. The applicant’s DSAR included a request for copies of his personal data in documents contained in emails, and database extracts to be made available ‘in standard technical format’. In response, CRIF provided his personal data in summary form.

The applicant wanted more than CRIF’s response; he expected to receive actual copies of the documents containing his personal data and, as a result, complained to the Austrian Data Protection Authority (ADPA). The ADPA rejected his complaint on the basis that CRIF had not infringed on the applicant’s right of access. The applicant then escalated the matter to the Federal Administrative Court in Austria.

The Austrian Court referred questions to the CJEU on the obligation to provide a ‘copy’ of personal data under Article 15(3) GDPR. In particular, the Austrian Court sought clarification on the appropriate form a “copy” of personal data should take in the context of DSARs, such as a summary table or document extracts or even entire documents, as well as database extracts.

CJEU Decision

In considering this question, the CJEU lent credence to the purpose of the right of access, which is to enable individuals to ensure that their personal data are accurate and that the processing of such data is lawful. The CJEU also considered the meaning of the term “copy”, looking at its standard meaning (since the GDPR does not define it).

The CJEU held:

  • Article 15(3) GDPR confers a right on individuals to receive a “faithful and intelligible reproduction” of their personal data which is to be understood in a “broad sense”.
  • Article 15(3) GDPR sets out the “practical arrangements” for DSAR responses which specifies the form in which a controller must provide personal data, namely a “copy”. It does not create a separate right from that under Article 15(1) GDPR (i.e. right of access).
  • A “copy” refers to a copy (in the normal meaning) and not necessarily the original document in which personal data are recorded.
  • A “copy” of personal data must have all the characteristics necessary for the individual to exercise their right of access effectively and consequently reproduce such data fully and faithfully.
  • Providing a mere summary or general description of personal data is not a sufficiently comprehensive response to a DSAR.

The CJEU acknowledged that, depending on the circumstances, reproductions of extracts of documents, or even entire documents or extracts from databases, might be the format necessary to facilitate the objectives underpinning DSARs.

The CJEU confirmed that responding to a DSAR will often require a balancing act between the rights of the individual concerned and the rights and freedoms of third parties. While the protection of third parties rights is not an adequate basis for a refusal to provide an individual with copies of their personal data, the CJEU held that, wherever possible, the information should be transmitted in a form that does not infringe on the rights of others.

Conclusion

While the CJEU has provided welcome clarity on the obligations of controllers when responding to DSARs, this decision highlights that in practice, each DSAR (and the response) will be context and fact specific when considering the appropriate method of making copies of personal data available to an individual. From an Irish data protection law perspective, the Data Protection Commission expects a high standard of compliance from businesses in relation to handling DSARs (see our previous article here), with the right of access being the main subject of complaints it receives year-on-year.

If your business requires guidance on navigating the nuances and complexities which can arise with DSARs, please contact Rachel Hayes, Leo Moore David Cullen or your usual William Fry contact.

 

Contributed by Louisa Muldowney

Recommended Insights

See all
Article and Insights
19
Apr 2024
EDPB Issues Opinion on ‘Pay or OK’ Consent Models Applied by Large Online Platforms
The EDPB has issued an opinion on the use of "Pay or OK" consent models by large o...
WF_author_blank
Partner
Leo Moore
Article and Insights
11
Apr 2024
Stricter Rules for the GDPR’s One-Stop-Shop?
The EDPB, in its new opinion, looks at the criteria to be fulfilled for a controll...
WF_author_blank
Partner
John O’Connor
Article and Insights
12
Mar 2024
Food, Beverage & Agribusiness Podcast – Data Protection & Cyber Security
In this episode Laura considers how these issues have become an increasingly criti...
WF_author_blank
Associate
Laura Casey
Article and Insights
9
Feb 2024
Dark Patterns: Not a new concept but will now be heavily regulated
The Digital Services Act prohibits the use of dark patterns online. Many online bu...
WF_author_blank
Partner
Leo Moore
Article and Insights
26
Jan 2024
Data Protection Day: Expectations for 2024 & 2023 Look Back
William Fry is celebrating the Council of Europe’s annual Data Protection Day toda...
WF_author_blank
Partner
Leo Moore
Article and Insights
18
Jan 2024
Considerations for the Entertainment Industry after the SAG-AFTRA Deal
A deal has been ratified between the Screen Actors Guild-American Federation of Te...
WF_author_blank
Partner
David Cullen
Article and Insights
8
Dec 2023
ECJ Says No in SCHUFA Case: New Decision on Automated Decision Making
In a significant ruling on automated decisions, the European Court of Justice dete...
WF_author_blank
Consultant
Barry Scannell
Article and Insights
21
Nov 2023
DSARs: Motive and a Coordinated Action
DSARs: motive is not a relevant factor to Europe's highest court and regulators wi...
WF_author_blank
Partner
David Cullen
Article and Insights
8
Sep 2023
AdTech Update: CJEU Landmark Data Protection Ruling for Online and Behavioural Advertising
The CJEU has handed down a landmark ruling that clarifies what legal bases control...
WF_author_blank
Partner
Leo Moore
Article and Insights
4
Aug 2023
The Data Act – Unlocking the EU’s Data Economy
On 14 July 2023, the committee representing the Council of the EU formally agreed ...
WF_author_blank
Partner
Leo Moore
prev
next
See all