CJEU Clarifies the Scope of the Right to Access: Restrictions, Grounds and the Notion of “Copy”

Reading Time: 4 minutes


Claudia Martorelli | Data Protection Advisor

Date: 22 November 2023

On the 26th October 2023, the Court of Justice of the European Union (CJEU) issued a ruling in case C307/22 shedding light on the reach of the data subject right of access, and specifically in the context of health data, under Article 15(3) of the General Data Protection Regulation (GDPR). The case arose from a request for a preliminary ruling filed by the German Federal Court of Justice during a dispute between a dentist and their patient. The patient (data subject) sought access to their medical records suspecting treatment errors, yet the dentist (data controller) declined to furnish the patient with a cost-free copy of the medical records. The refusal was based on German national law, which stipulates that patients may obtain a copy of their medical records only if they cover the associated expenses.  

This article presents the key findings from the judgment, concerning the justifications that may underly data access requests, the interaction between the right to access and any restrictions resulting from national law, and the interpretation of the notion of “a copy of the personal data undergoing processing” (contained within Article 15), in the context of a doctor-patient relationship. 

Key Findings

The key takeaways from the CJEU judgment bring to light significant implications for organisations that handle personal data: 

Reasons underlying an access request: The first question posed by the referring court to the CJEU concerned whether a data controller is obliged to furnish the data subject with a first copy of their personal data, free of charge. More specifically, whether this obligation still applies where the purpose of the request is unrelated to the purposes outlined in recital 63 GDPR, “to be aware of, and verify, the lawfulness of the processing”. In response to this, the CJEU clarified that the relevant provisions of the GDPR (Articles 12(5), 15(1) and (3)) do not require data subjects to provide reasons to justify their access requests. Additionally, they confirmed that GDPR recitals cannot restrict the scope of what is stipulated under GDPR Articles. Therefore, recital 63 GDPR cannot restrict the scope of Article 15 or 12. The court stressed that Article 15 of GDPR guarantees the data subject’s right of access which implies that this right should be unencumbered by conditions not expressly mandated by EU law. Therefore, a data subject has the right to file a data access request regardless of the reason for their request, and the controller may not condition its response on the reason that the data subject gives for such a request, or the lack thereof.  

Right to access and restrictions based in national laws: By its second question, the referring court asked whether pre-GDPR national legislation could be applied as a lawful restriction to the right to access. In particular, whether a German statutory provision intended to protect the economic interests of the healthcare provider could fall within Article 23(1)(i) where aimed at safeguarding the ‘rights and freedoms of others’. The CJEU clarified that national measures enacted before the GDPR’s implementation can fall within the scope of Article 23(1) GDPR, if they meet the conditions set therein. In this specific case, the primary purpose for the German law is the protection of the economic interests of healthcare providers, through compelling data subjects to bear the costs of obtaining the copy of their medical records, so to deter superfluous requests. The CJEU emphasised that the economic interests of controllers are already accounted for under Article 12(5) and Article 15(3) of the GDPR. These Articles define the circumstances in which the controller may charge a fee for providing a copy of the personal data undergoing processing. As these economic interests are already accounted for within GDPR, they cannot be protected further by the exemptions outlined in Article 23(1)(i), whereby national legislation can take precedence over Article 15 to safeguard “rights and freedoms of others”. 

The notion of “copy” in doctor-patient relationships: The third question posed to the court concerned the interpretation of the word “copy” which is included in Article 15(3) GDPR: “The controller shall provide a copy of the personal data undergoing processing”. The referring court inquired whether, in a doctor-patient relationship, Article 15(3) of the GDPR requires data controllers to provide a complete copy of the documents within a data subject’s medical record, or solely a copy of the personal data processed. The CJEU clarified that “copy” pertains not to the document itself, but to the personal data it contains. Such a copy must provide a faithful and intelligible reproduction of all the personal data undergoing processing. It may also involve reproducing extracts or even entire documents if contextualisation is essential for comprehending the processed data. Regarding health data, the provision of a simple summary or a compilation of this data could create the risk of omissions and inaccuracies. It could also hinder the patient’s ability to verify how accurate and exhaustive this data is, and to understand it. As a result, when the right of access is exercised with regard to health data, that right allows for patients to be provided with a copy of all their personal data contained within medical records, such as diagnoses, examination results, assessments, treatment etc. 

Main Implications for Data Controllers 

This ruling underscores the importance of organisations implementing appropriate technical and organisational measures to handle data subjects’ requests.  

To address the implications of this judgment, organisations should implement or update data access procedures and policies so to:  

  • Ensure that they apply clear criteria when determining the level of detail to include in responses to data subject access requests, so that the copy of the data is complete and intelligible.  
  • Eliminate any fees associated with providing copies of personal data to data subjects and make it clear that data subjects can exercise the right to access without needing to provide a reason.  

By proactively addressing the implications of this ruling, organisations can foster customer trust and demonstrate compliance with the GDPR’s data rights framework. Trilateral’s Data Protection and Cyber-Risk Team has significant experience in assisting organisations in developing data protection policies and procedures, including in relation to the handling of data subjects’ requests. Feel free to contact our advisors if you would like to receive expert assistance in data protection compliance. 

Related posts

Let's discuss your career