Subject Access Requests: Court Rules on the Meaning of ‘Copy’
Monday 5th June 2023
Earlier this year, we published an article on data subject rights in our ‘Back to Basics’ series.
The Court of Justice of the European Union (CJEU) has recently decided a case which broadens the interpretation of what a “copy” [of personal data] means in respect of data subject access requests (DSAR). Although this isn’t binding on the UK, it’s an interesting development nonetheless.
By far the most common data request organisations receive is for a copy of all personal data belonging to an individual which the relevant organisation holds about them. Sometimes organisations provide copies of personal data in a summary format or in a table, whilst not disclosing original extracts.
What is the legal obligation?
Article 15(3) of the GDPR states that the data controller must provide a copy of the personal data in the event of a DSAR. But what does “copy” mean? Copy isn’t defined in the UK GDPR, nor has it been tested in the courts up until this point – so what should be provided?
The CJEU examined this issue in a case which centred around an Austrian credit report provider who received a DSAR. The data subject requested copies of their data, such as emails, but the company provided a summary of their personal data in the form of a table. The Court was asked to clarify what “copy” means in the context of a DSAR.
What was the decision?
The CJEU ruled that a DSAR “entails the right to obtain copies of extracts from documents or even entire documents… from databases which contains [personal] data”.
It went on to say the right to obtain a “copy” means the individual must be given “a faithful and intelligible reproduction of all those data”, and that a purely general description (i.e., a summary or in a table) of the individual’s personal data doesn’t correspond with the usual meaning of the word “copy”. With this in mind, original documents should form the bulk of a DSAR response, subject to redactions and exemptions, rather than a summary of personal data.
What does this mean?
If the UK courts followed suit with this broad interpretation, it’s likely organisations would need to devote more time and resources into complying with DSARs. It could also mean that individuals are more particular about the format in which they want a “copy” of their personal data, possibly resulting in more complaints to the Information Commissioner’s Office.