On 4 May 2023, the Court of Justice of the European Union has delivered two groundbreaking judgments. Case C-487/21 F.F. v Österreichische Datenschutzbehörde and Case C-300/21 UI v Österreichische Post AG. Both judgments present a few important clarifications regarding (1) the data subject's right to obtain a copy of personal data (Case C-487/21) and (2) the right to compensation for an infringement of the GDPR (Case C-300/21). This blogpost outlines the key points of both cases and explains their relevance.
Case C-487/21 F.F. v Österreichische Datenschutzbehörde
In this case, the applicant submitted an access request with CRIF GmbH, a business consulting agency that provides information on the creditworthiness of third parties. In this context, the applicant also requested copies of the documents, such as emails and database extracts, containing his personal data. Following that request, CRIF provided the applicant with information about his personal data in a summary form but did not provide copies of the documents in which his personal data were included. Subsequently, the applicant filed a complaint with the Austrian Data Protection Authority (DPA) in which he claimed that the response to his request was incomplete and that CRIF should also have sent him a copy of all the documents that contained his personal data. As the complaint was rejected, the applicant brought an action against the DPA's decision before the Austrian court. Therefore, that Austrian court sought clarification as to the exact meaning of the concept of a 'copy' of the personal data in the context of an access request.
In this judgment the Court finds that the right of access gives the data subject the right to obtain a faithful reproduction of his or her personal data, understood in a broad sense, processed by a data controller. The Court emphasizes that the term "copy" generally does not relate to a copy of an actual document as such, but only to the personal data processed. However, the Court also states that pursuant to article 15(3) GDPR, the data subject must be given a faithful reproduction or transcription of all that data. In some cases, this may entail the right to obtain copies from extracts of documents, or even entire documents, or extracts from databases, containing his persona data, if this is essential to enable the data subject to effectively exercise his rights under the GDPR.
Further, the Court considers that if there is a conflict between a data subject's right to full and complete access to his personal data and the rights or freedoms of others, a balance must be struck between the two. Thus, methods of sharing personal data that do not violate the rights and freedoms of others should be chosen, but refusing to provide all or any information to the data subject must not be an outcome of this balancing exercise.
To summarize: there is no general obligation for a controller to provide full copies of documents or databases in response to an access request. However, depending on the context, providing extracts or copies thereof to the data subjects may be required in certain cases.
Case C-300/21 UI v Österreichische Post AG
This case relates to the question whether a mere infringement under the GDPR immediately gives the right to compensation under article 82 GDPR. This question was raised by an Austrian individual in a case against Österreichische Post AG.
In the past Österreichische Post processed personal data about this individual without his consent, using an algorithm linking his person to certain political views. The individual inter alia claimed immaterial damages, arguing that he considered the political affinity attributed to him, to be insulting and shameful, and extremely damaging to his reputation. He claimed that this caused him great upset, a loss of confidence and a feeling of public exposure.
Oberster Gerichtshof requested clarification on the question whether a mere infringement of the GDPR leads to the right to claim compensation under article 82 GDPR for damages resulting from infringement of the GDPR.
First, the Court provides clarity that the right to compensation under the GDPR is subject to three cumulative conditions: (i) infringement of the GDPR, (ii) material or non-material damages resulting from that infringement and (iii) a causal link between the damage and the infringement. This means that not every infringement of the GDPR by itself gives rise to a right to compensation. Thus, an infringement of the GDPR does not necessarily result in damages. A causal link must exist between the infringement in question and the damage suffered to establish a right to compensation.
The Court also clarifies that there is no threshold of seriousness with respect to the right to compensation to non-material damages. The GDPR does not provide for this. The Court also finds that such threshold would be contrary to the broad concept of damage in EU legislature. The Court further notes that the GDPR does not contain any rules governing the assessment of damages. This means that it is for the legal system of each Member State to prescribe the detailed rules for actions intended to safeguard rights under the GDPR. This Member State legislation should provide the criteria for determining the extent of compensation payable in that context. Such national instruments seek to ensure full and effective compensation for the damage suffered.
With this judgment, it is clear that an infringement of the GDPR does not directly result in a data subject's right to compensation. There is no requirement for the non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation and such compensation needs to be assessed in accordance with applicable Member State law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.