noyb win at CJEU: Right of access may include documents and database extracts
noyb wins at the CJEU: Right to information must include context - in some cases also documents and database excerpts
Yesterday, the Court of Justice of the European Union (CJEU) ruled that users must not only receive a copy of their raw data, but also the context of the data in an understandable way. This can also include the documents that contain personal data. The term "copy" means true and accurate reproduction of the actual data.
Mere listing of raw data, or true copy? The initial legal dispute concerned a request for information under Article 15 of the GDPR to the credit reporting agency CRIF - which noyb has also successfully prosecuted for other data protection violations. CRIF responded to the data subject with a mere list of the data processed about him. The data subject, who requested a copy of all data relating to him, including database extracts, lodged a complaint with the Austrian Data Protection Authority. The case eventually ended up before the Austrian Federal Administrative Court, which referred several questions to the CJEU for a preliminary ruling on the scope of the right to receive a "copy of data" under Article 15(3) GDPR.
GDPR requires that user understands processing. In its ruling, the CJEU emphasizes that the purpose of the GDPR is to strengthen and precisely define the rights of data subjects. The right to access is of particular importance in this context, as it enables data subjects to exercise further rights, such as deletion, rectification or objection - which would only be possible to a limited extent without knowledge of the specific data processed.
Max Schrems: "We are pleased that the CJEU emphasizes the importance of the right of access. Without the context of the processing, it is often impossible for data subjects to understand what is being stored about them."
Database extracts and documents can be necessary. It is also important that the CJEU emphasizes the need to contextualize the information provided. It is not enough to for companies to send a mere list of raw data. The data must be provided to the data subject in full, in context, and true to the original. This is particularly important for data that is generated from other data - as in the case at hand, where credit scores were calculated based on the data of the data subject. Here, it will regularly be essential to provide excerpts of documents, entire documents or even database excerpts, as the CJEU emphasizes. It is otherwise hard for the data subject to understand the true meaning of the data, but also if the data is manipulated, inconsistent or only partially provided.
Max Schrems: "The ruling puts an end to the unlawful practice of simply providing a dump of data without any further explanations. Especially in the case of more complex processing, companies must ensure full comprehensibility of the processed data - if necessary also by providing a database extract or a copy of documents."