The right of access under art. 15 GDPR is probably the most relevant data subject right under the GDPR and a perennial issue in data protection compliance for businesses. In particular, businesses are required to accurately document the receipt of requests for information and not to exceed the legal deadline.
In its ruling of 26 October 2023 (Case C-307/22), the European Court of Justice (ECJ) extended its case law under art. 15 GDPR in one further point
The starting point for the request for a preliminary ruling in this case was a legal dispute between a patient and his dentist regarding a copy of the patient file. The dentist demanded reimbursement of the costs for the copy in accordance with Section 630g (2) sentence 2 BGB.
The ECJ has now not only ruled that (the first) access to the patient file must be free of charge in accordance with art. 12(5) GDPR and art. 15(1) and (3) GDPR, but also that this also applies if the request in question is based on a purpose other than those stated in sentence 1 of recital 63 of the GDPR. It is emphasised several times that a request for information does not have to be justified.
To date, the ECJ has emphasised that the data subject must be provided with a faithful and intelligible reproduction of all such data.
According to the ECJ, this right presupposes the right “to obtain a copy of extracts from documents or even of entire documents containing, where the provision of such a copy is indispensable to enable the data subject to exercise effectively the rights conferred on him by this regulation.”
With the current decision, however, the ECJ also justifies requests for information that go beyond the preparation of the rights conferred under the GDPR. As a result, the discussions as to whether art. 15 GDPR constitutes a kind of pre-discovery claim will increase again.
This development in case law also follows an initiative of the European Data Protection Board according to which the right of access (art. 15 GDPR) is to be made the subject of a coordinated enforcement measure for the GDPR.
Practical significance: Dealing with data subject rights in your own company must be prioritised for data protection compliance. Otherwise, even small mistakes can all too quickly lead to an unwelcome inspection by the data protection authorities and, in the worst case, to fines. One way to minimise this risk is to establish an internal procedure for dealing with data subject rights and templates. We would be happy to support and advise you on this.