The right to obtain a copy of data (Article 15 of the GDPR) gives individuals the opportunity to obtain information about whether and what personal data about them is being processed by an organization, as well as to obtain a copy of that data. A data subject may request information from the data controller (the organization processing the data) regarding:
Data processing purposes
Categories of personal data processed.
Recipients or categories of recipients to whom the data has been or will be disclosed.
The period of storage of personal data or the criteria for determining this period.
The rights of the data subject, including the right to rectification, erasure or restriction of data processing and the right to object to processing.
The right to lodge a complaint with the supervisory authority.
Sources of data, if not collected directly from the data subject
Information on automated decision-making, including profiling, and the logic behind it and the envisaged consequences of such processing for the data subject.
The data controller is obligated to provide this information and a copy of the personal data within one month of receiving the request, with the possibility of extending this period by two additional months in the case of complex or numerous requests. In most cases, providing the information and copies of data should be free of charge, unless the request is manifestly unfounded or excessive. In such a case, the controller may charge a fee commensurate with the costs of fulfilling the request or refuse to fulfill it.
Judgment of the Court of Justice of the EU of 4 May 2023 in case Österreichische Datenschutzbehörde / CRIF GmbH ( C-487/21 )
The case concerned CRIF, an agency that, at the request of its clients, provides information on the solvency of individuals by processing their personal data. One individual requested access to their data middle east mobile number list from CRIF, along with copies of documents such as emails and database extracts containing their data "in a standard format." In response, CRIF provided the individual with a summary of its data, which she deemed insufficient.
The requester filed a complaint with the Austrian data protection authority, the Österreichische Datenschutzbehörde, but lost the case, as the authority found that CRIF had not violated the right to access personal data. Subsequently, a complaint was filed with the Federal Administrative Court, which referred the matter to the Court of Justice of the European Union (CJEU) for an interpretation of the GDPR provisions regarding the content and scope of the right of access for data subjects.
The Court of Justice of the European Union has issue
EU's General Data Protection Regulation (GDPR). The court determined that the right to compensation is based on a three-criteria standard, explaining that "not every infringement of the GDPR automatically entitles you to compensation." The CJEU also emphasized that compensation need not be limited to material damage, and national courts will have discretion in assessing the damages.
The Court further ruled that the right of a data subject to obtain a copy of their personal data means that they must receive a "faithful and intelligible reproduction" of all that data. This right includes the possibility of obtaining copies of extracts from documents or even entire documents, or extracts from databases containing that information, where this is necessary for the effective exercise of that data subject's rights under the GDPR, the CJEU stated.