What has to be in a copy? – Art 15 GDPR on the European test bench The first preliminary ruling of the Federal Administrative Court concerning information proceedings

03.03.2022

For the first time since the entry into force of the General Data Protection Regulation, the Federal Administrative Court has submitted a request for a preliminary ruling to the European Court of Justice regarding a decision by the data protection authority on the binding interpretation of EU provisions. The subject of the question is the right of access respectively the receipt of a copy of personal data.

In its decision (11.9.2019, GZ DSB-D124.059/0005-DSB/2019), the data protection authority stated, among other things, regarding a request for information under data protection law, that the requirement for information under data protection law is satisfied if the person requesting information is provided with information about the data and data records, the processing systems and duration of processing, as well as the legal basis in a transparent manner.

A request for a copy of the data, which was also made by the person requesting information, was also satisfied if the person requesting information was not provided with a "facsimile" but the data about which information was being provided was already known in accordance with the transparency requirement. The complainant appealed to the Federal Administrative Court, arguing that the content of the reasoning was incorrect and that the opinion derived from the literature that full information, without a "facsimile" copy, covers the right to copy data pursuant to Article 15 (3) of the GDPR, was correct.

By decision W211 2222613-2/12E of August 9, 2021, the cognizant senate of the Federal Administrative Court referred the following questions to the European Court of Justice for the purpose of binding interpretation of European secondary law pursuant to Article 267 Treaty on the function of der European Union:

  1. Is the German term "Kopie" (copy) in Article 15 (3) of the General Data Protection Regulation to be interpreted as meaning a photocopy or facsimile or an electronic copy of an (electronic) datum, or does the term also include a "Abschrift" (copy), un "double" {"duplicata"} or a "transcript" (transcript), as understood in German, French and English dictionaries?

  2. Is the first sentence of Art. 15 (3) GDPR, according to which the controller shall provide a copy of the personal data undergoing processing, to be interpreted as including a general legal right of a data subject to receive a copy of - also - entire documents in which personal data of the data subject are processed or a copy of an excerpt from a database if the personal data are processed in such a database, or does this mean that the data subject only has a legal right to a faithful reproduction of the personal data to be provided pursuant to Article 15 (1) of the GDPR?

  3. In the event that the answer to question 2. is that the data subject only has a legal right to a faithful reproduction of the personal data to be provided pursuant to Art. 15(1) GDPR, the first sentence of Article 15(3) GDPR must be interpreted as meaning that, due to the nature of the data processed (for example, in relation to the diagnoses, examination results, findings or also documents in connection with an examination within the meaning of the judgment of the Court of Justice of the European Union of 20 December 2017, C-434/16, Case C-434/16), it is not possible for the data subject to obtain the original data and the transparency requirement in Article 12 (1) of the GDPR, it may nevertheless be necessary in individual cases to also make text passages or entire documents available to the data subject?

  4. Is the term 'information' which, under the third sentence of Article 15(3) of the GDPR, must be provided to the data subject 'in a commonly used electronic format' where the data subject makes the request electronically 'unless he or she indicates otherwise' to be interpreted as meaning solely the 'personal data which are the subject of the processing' referred to in the first sentence of Article 15(3)?

a. If question 4. is denied:

Is the term 'information', which under the third sentence of Article 15(3) of the GDPR must be provided to the data subject 'in a commonly used electronic format' if the data subject submits the request electronically, 'unless the data subject indicates otherwise', to be interpreted as also referring to the information pursuant to Article 15(1)(a) to (h) of the GDPR?

 

b. If question 4.a. is also answered in the negative:

Is the term "information" which, according to the third sentence of Article 15(3) of the GDPR, must be provided to the data subject "in a commonly used electronic format" if the data subject submits the request electronically "unless he or she indicates otherwise" to be interpreted as meaning, for example, associated metadata in addition to the "personal data which are the subject of the processing" and the information referred to in Article 15(1)(a) - (h) of the GDPR? This fundamental question has already been addressed by the Austrian courts: The Supreme Court rules (OGH, 17. 12. 2020, 6 Ob 138/20t) in reference to the German literature on Art 15 (3) GDPR in Paal/Pauly and Kühling/Buchner, for example, that the submission of a patient letter - a shortened copy of a medical record, as it were - is not sufficient to satisfy the related right to information.

 

As a result of a decision by the data protection authority, the Federal Administrative Court has also already recognized the right to information on one's own data regarding the submission of account statements (W258 2205602-1). However, neither of these rulings applies to cases in which the data was already available to the person requesting the information. Although the data protection authority has now also ruled that the right to copy data exists separately and independently, the unanimous opinion in the literature, which is also reflected in Haidinger in Knyrim, DatKomm on Art 15 para 3 rectical 5, is particularly relevant, namely that information is not objectionable if it meets the criteria of Art 12 and Art 5 para 1 of the GDPR. The case is also judged similarly in the German judiciary.

The Federal Court of Justice has already ruled (15.6.2021, VI ZR 576/19) that "even any duplicates and supplements to the insurance policy, to which the plaintiff's request for information also extends as evidenced by the minutes of the meeting, are not in principle excluded from the claim to information under data protection law, insofar as the personal data contained therein are processed by the defendant."

According to the literature and case law, the question of whether the claims for a copy of the data and for complete information under data protection law are congruent must therefore be answered in the negative. While the question of whether the claims also exist in parallel and independently of each other at the same time is to be answered with reference to Art 12 (5) GDPR as a manifestly unfounded or excessive request by the information seeker.

In particular, with regard to the purposes of information under data protection law, as they emerge from Recital 63 and have found expression in particular in Rijkebeer, ECLI:EU:C:2009:293 and Y. S. ua, C-141/12 and C-372/12, ECLI:EU:C:2014:2081: The purpose of the request for information under data protection law is, as a procedural accompanying right, to obtain knowledge of the nature, scope and purpose of the data processing.

 

Article provided by INPLP member: Clemens Thiele (EUROLAWYER, Austria)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.