BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
Court of Justice of the European Communities (including Court of First Instance Decisions) |
||
You are here: BAILII >> Databases >> Court of Justice of the European Communities (including Court of First Instance Decisions) >> FT (Copies du dossier medical) (Processing of personal data - Data subject's right of access to his or her data undergoing processing free of charge - Judgment) [2023] EUECJ C-307/22 (26 October 2023) URL: http://www.bailii.org/eu/cases/EUECJ/2023/C30722.html Cite as: [2024] WLR 3030, [2024] 1 WLR 3030, EU:C:2023:811, [2023] WLR(D) 472, [2023] EUECJ C-307/22, ECLI:EU:C:2023:811 |
[New search] [Contents list] [Buy ICLR report: [2024] 1 WLR 3030] [View ICLR summary: [2023] WLR(D) 472] [Help]
Provisional text
JUDGMENT OF THE COURT (First Chamber)
26 October 2023 (*)
(Reference for a preliminary ruling – Processing of personal data – Regulation (EU) 2016/679 – Articles 12, 15 and 23 – Data subject’s right of access to his or her data undergoing processing – Right to obtain a first copy of those data free of charge – Processing of a patient’s data by his or her medical practitioner – Medical records – Reasons for the request for access – Use of data for the purpose of triggering the liability of the person providing treatment – Concept of ‘copy’)
In Case C‑307/22,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Federal Court of Justice, Germany), made by decision of 29 March 2022, received at the Court on 10 May 2022, in the proceedings
FT
v
DW,
THE COURT (First Chamber),
composed of A. Arabadjiev, President of the Chamber, T. von Danwitz, P.G. Xuereb, A. Kumin and I. Ziemele (Rapporteur), Judges,
Advocate General: N. Emiliou,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– the Latvian Government, by K. Pommere, acting as Agent,
– the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 20 April 2023,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 12(5), Article 15(3) and Article 23(1)(i) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between FT and DW concerning the refusal by FT, a dentist, to provide her patient with a first copy of his medical records free of charge.
Legal context
European Union law
3 Under recital 4 of the GDPR:
‘… The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in [the Charter of Fundamental Rights of the European Union] as enshrined in the Treaties, in particular … freedom to conduct a business …’
4 Recitals 10 and 11 of the GDPR state:
‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …
(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data …’
5 Pursuant to recital 13 of the GDPR:
‘… In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. …’
6 Recital 58 of the GDPR states:
‘The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand’.
7 As is stated in recital 59 of the GDPR:
‘Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. …’
8 Recital 63 of the GDPR is worded as follows:
‘A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided …’
9 Article 4 of the GDPR provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…’
10 Article 12 of the GDPR provides:
‘1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. …
…
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
…’
11 Article 15 of the GDPR states:
‘1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’
12 Articles 16 and 17 of that regulation enshrine, respectively, the data subject’s right to obtain the rectification of inaccurate personal data (right to rectification) and the right, in certain circumstances, to have those data erased (right to erasure or ‘right to be forgotten’).
13 Article 18 thereof, entitled ‘Right to restriction of processing’, provides, in paragraph 1 thereof:
‘The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.’
14 Article 21 of the GDPR, entitled ‘Right to object’, provides, in paragraph 1 thereof:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’
15 Under Article 23(1) of the GDPR:
‘Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
…
(i) the protection of the data subject or the rights and freedoms of others;
…’
German law
16 According to Paragraph 630f of the Bürgerliches Gesetzbuch (Civil Code; ‘the BGB’), the person providing treatment is obliged to keep medical records in paper form or electronically for the purpose of documentation in direct temporal connection with the treatment. The person providing treatment is obliged to record in the patient’s medical records all measures which, from a professional point of view, are essential for the current and future treatment, and the results of those measures, in particular the patient’s history, diagnoses, examinations, results of examinations, findings, therapies and the effects thereof, procedures and the effects thereof, consents and any explanations given. The person providing treatment must retain the patient’s medical records for a period of 10 years after completion of the treatment, unless other retention periods exist under other provisions.
17 Under the first sentence of subparagraph 1 of Paragraph 630g of the BGB, upon request, the patient must be granted immediate access to all the medical records concerning him or her, unless such access is precluded by significant treatment-related reasons or other significant rights of third parties. Pursuant to the first sentence of subparagraph 2 of Paragraph 630g of the BGB, the patient may also request electronic copies of his or her medical records. In view of the explanatory memorandum to the law, this must be understood as meaning that the patient may choose to request that either physical or electronic copies be produced. The second sentence of subparagraph 2 of Paragraph 630g of the BGB provides that the patient must reimburse the person providing treatment for the costs incurred.
The dispute in the main proceedings and the questions referred for a preliminary ruling
18 DW received dental care from FT. Suspecting that errors had been made in the treatment he had been given, DW requested that FT provide, free of charge, a first copy of his medical records. FT informed DW that she would not grant his request unless he agreed to cover the costs connected with providing a copy of the medical records, as is provided for in national law.
19 DW brought an action against FT. Both at first instance and on appeal, DW’s request to be provided with a first copy of his medical records free of charge was upheld. Those decisions were based on an interpretation of the applicable national legislation in the light of Article 12(5) of the GDPR, as well as Article 15(1) and (3) thereof.
20 Hearing an appeal on a point of law (Revision) brought by FT, the Bundesgerichtshof (Federal Court of Justice, Germany) considers that the outcome of the dispute is dependent on the interpretation to be given in respect of the provisions of the GDPR.
21 The referring court notes that, under national law, the patient may obtain a copy of his or her medical records, provided that he or she reimburses the person providing treatment for the costs resulting therefrom.
22 However, it could be inferred from the first sentence of Article 15(3) of the GDPR, read in conjunction with the first sentence of Article 12(5) thereof, that the controller – in this instance, the person providing treatment – is required to provide the patient with a first copy of his or her medical records free of charge.
23 First, the referring court notes that DW is requesting a first copy of his medical records with a view to triggering the liability of FT. Such a purpose is not related to that referred to in recital 63 of the GDPR, which provides for the right to access personal data in order to become aware of the processing of those data and verify the lawfulness of that processing. However, the wording of Article 15 of that regulation does not make exercise of the right to communication subject to the existence of such grounds. In addition, that provision does not require the data subject to provide reasons for his or her request for communication.
24 Secondly, the referring court emphasises that Article 23(1) of the GDPR permits the adoption of national legislative measures restricting the scope of the obligations and rights provided for in Articles 12 to 22 of that regulation in order to safeguard one of the objectives referred to in that provision. In this instance, FT is relying on the objective of protecting the rights and freedoms of others which is set out in Article 23(1)(i) of the GDPR and argues that the charging system introduced by the second sentence of subparagraph 2 of Paragraph 630g of the BGB is a measure which (i) is necessary and proportionate to safeguard the legitimate interests of persons providing treatment and (ii) as a general rule, contributes to preventing requests for copies by the patients concerned which do not contain a statement of reasons.
25 However, the second sentence of subparagraph 2 of Paragraph 630g of the BGB was adopted prior to the entry into force of the GDPR.
26 In addition, the charging system introduced by the second sentence of subparagraph 2 of Paragraph 630g of the BGB is primarily intended to protect the economic interests of persons providing treatment. It is therefore necessary to determine whether the interest of those persons in being relieved of the costs and charges connected with providing copies of data is included in the rights and freedoms of others for the purposes of Article 23(1)(i) of the GDPR. Furthermore, the systematic transfer to patients of the costs connected with copies of their medical records could appear excessive, given that it does not take account either of the amount of costs actually incurred or of the circumstances specific to each request.
27 Thirdly, in so far as DW is requesting that a copy of all the medical documents concerning him, and thus of all his medical records, be provided, the referring court questions the scope of the right to obtain a copy of personal data undergoing processing, as enshrined in Article 15(3) of the GDPR. In that regard, that right could be complied with through the communication of a summary of the data processed by the medical professional. However, it appears that the objectives of transparency and verifying lawfulness pursued by the GDPR argue in favour of communicating a copy of all the data available to the controller in their original form, namely all the medical documents concerning the patient inasmuch as they contain such data.
28 In those circumstances the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must the first sentence of Article 15(3) of [the GDPR], read in conjunction with Article 12(5) thereof, be interpreted as meaning that the controller (in the present case: the doctor providing treatment) is not obliged to provide the data subject (in the present case: the patient), free of charge, with a first copy of his or her personal data processed by the controller where the data subject does not request the copy in order to pursue the purposes referred to in the first sentence of recital 63 of the GDPR, namely to become aware of the processing of his or her personal data and to be able to verify the lawfulness of that processing, but pursues a different purpose – one which is not related to data protection but is legitimate (in the present case: to verify the existence of claims under medical liability law)?
(2)(a) If Question 1 is answered in the negative: In accordance with Article 23(1)(i) of the GDPR, can a national provision of a Member State adopted prior to the entry into force of the GDPR also be regarded as a restriction of the right to be provided, free of charge, with a copy of the personal data processed by the controller, as provided for in the first sentence of Article 15(3) of the GDPR, read in conjunction with Article 12(5) thereof?
(2)(b) If Question 2(a) is answered in the affirmative: Must Article 23(1)(i) of the GDPR be interpreted as meaning that the rights and freedoms of others, as referred to therein, also include their interest in being relieved of the costs associated with the provision of a copy of data in accordance with the first sentence of Article 15(3) of the GDPR and other expenses incurred in making the copy available?
(2)(c) If Question 2(b) is answered in the affirmative: In accordance with Article 23(1)(i) of the GDPR, can national legislation which, in the context of the doctor-patient relationship, provides that the doctor always has a claim for reimbursement of expenses against the patient, irrespective of the specific circumstances of the individual case, where the doctor provides the patient with a copy of the patient’s personal data from the patient’s medical records be regarded as a restriction of the obligations and rights arising from the first sentence of Article 15(3) of the GDPR, read in conjunction with Article 12(5) thereof?
(3) If Question 1 is answered in the negative and [Question 2(a), (b) or (c)] is answered in the negative: In the context of the doctor-patient relationship, does the entitlement under the first sentence of Article 15(3) of the GDPR include entitlement to be provided with copies of all parts of the patient’s medical records containing the patient’s personal data, or does it extend only to the provision of a copy of the patient’s personal data as such, with the doctor who processes the data deciding the manner in which he or she compiles the data for the patient concerned?’
Consideration of the questions referred
The first question
29 By its first question, the referring court asks, in essence, whether Article 12(5) and Article 15(1) and (3) of the GDPR are to be interpreted as meaning that the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation.
30 As a preliminary point, it should be borne in mind that, in accordance with settled case-law, in order to interpret a provision of EU law it is necessary to take account not only of the wording of that provision, but also of its context and the objectives pursued by the rules of which it forms part (judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C‑154/21, EU:C:2023:3, paragraph 29).
31 Regarding, first, the wording of the relevant provisions, it should be noted that Article 12(5) of the GDPR establishes the principle that the exercise of the data subject’s right of access to his or her data undergoing processing and to the information relating thereto is not to entail any cost for the data subject. Furthermore, that provision envisages two reasons why a controller may either charge a reasonable fee taking into account administrative costs or refuse to act on a request. Those reasons relate to instances of abuses of rights, in which the data subject’s requests are ‘manifestly unfounded’ or ‘excessive’, in particular because of their repetitive character.
32 In that regard, the referring court has expressly stated that the data subject’s request was not abusive.
33 In addition, the data subject’s right of access to his or her data undergoing processing and to the information relating thereto, which is an integral part of the right to the protection of personal data, is guaranteed in Article 15(1) of the GDPR. According to the wording of that provision, data subjects have the right to access their personal data undergoing processing.
34 In addition, it is apparent from Article 15(3) of the GDPR that the controller is to provide a copy of the personal data undergoing processing and that it may charge a reasonable fee for any further copies requested by the data subject. In that regard, Article 15(4) of that regulation specifies that Article 15(3) thereof confers a ‘right’ on that data subject. Such a fee may therefore be charged by the controller only where the data subject has already received, free of charge, a first copy of his or her data and is once again requesting a copy of those data.
35 As has already been held by the Court, it follows from the literal analysis of the first sentence of Article 15(3) of the GDPR that that provision confers on the data subject the right to obtain a faithful reproduction of his or her personal data, understood in a broad sense, that are subject to operations that can be classified as ‘processing carried out by the controller’ (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 28).
36 Accordingly, it follows from a combined reading of Article 12(5) of the GDPR and Article 15(1) and (3) thereof that (i) the data subject has the right to obtain a first copy, free of charge, of his or her personal data undergoing processing and (ii) the controller is given the option, under certain conditions, to charge a reasonable fee taking administrative costs into account or to refuse to act on a request if it is manifestly unfounded or excessive.
37 In this instance, it should be noted that a medical practitioner carrying out the processing operations referred to in Article 4(2) of the GDPR concerning his or her patients’ data must be regarded as being a ‘controller’ within the meaning of Article 4(7) of that regulation who is subject to the obligations which that status entails, in particular guaranteeing access to personal data at the request of data subjects.
38 It must be pointed out that neither the wording of Article 12(5) of the GDPR nor that of Article 15(1) and (3) thereof make the provision, free of charge, of a first copy of personal data conditional upon data subjects putting forward reasons to justify their requests. Therefore, those provisions do not give the controller the possibility of demanding that reasons be given for the request for access submitted by the data subject.
39 Regarding, secondly, the context in which the provisions referred to above occur, it should be emphasised that Article 12 of the GDPR forms part of Section 1 of Chapter III of that regulation, which concerns, inter alia, the principle of transparency, set out in Article 5(1)(a) thereof.
40 Article 12 of the GDPR thus sets out the general obligations incumbent on the controller as regards the transparency of information and communications, as well as the rules governing the exercise of the rights of the data subject.
41 Article 15 of the GDPR, which forms part of Section 2 of Chapter III thereof, concerning information and access to personal data, complements the framework of transparency of that regulation by granting the data subject a right of access to his or her personal data and a right to information regarding the processing of those data.
42 It should also be noted that, in accordance with recital 59 of the GDPR, ‘modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object’.
43 Given that, as can be seen from paragraph 38 of the present judgment, the data subject is not required to state the reasons for the request for access to data, the first sentence of recital 63 of the GDPR cannot be interpreted as meaning that that request must be rejected if it concerns an objective other than that of becoming aware of the processing of data and verifying the lawfulness of that processing. That recital cannot restrict the scope of Article 15(3) of that regulation as recalled in paragraph 35 of the present judgment.
44 In that regard, it should be borne in mind that it follows from settled case-law that the preamble to an act of EU law has no binding legal force and cannot be relied on either as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner that is clearly contrary to their wording (judgment of 13 September 2018, Česká pojišťovna, C‑287/17, EU:C:2018:707, paragraph 33).
45 In addition, the second sentence of recital 63 of the GDPR states that the right which data subjects are recognised as having to access personal data includes, as regards data relating to their health, ‘the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided’.
46 In those circumstances, the right to access data relating to health guaranteed in Article 15(1) of the GDPR cannot be restricted, either by refusing to grant access or by requiring the payment of consideration, to one of the reasons referred to in the first sentence of recital 63 thereof. The same applies as regards the right to obtain a first copy free of charge as provided for in Article 12(5) and Article 15(3) of that regulation.
47 Thirdly, regarding the objectives pursued by the GDPR, it should be noted that the purpose of that regulation, as indicated by recitals 10 and 11 thereof, is to ensure a consistent and high level of protection of natural persons within the Union, as well as to strengthen and set out in detail the rights of data subjects.
48 It is precisely in order to achieve that objective that Article 15(1) of the GDPR guarantees the data subject a right to access his or her personal data (see, to that effect, judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 57 and the case-law cited).
49 Accordingly, Article 12(5) and Article 15(1) and (3) of the GDPR form part of the provisions intended to guarantee that right of access as well as the transparency, vis-à-vis the data subject, of the manner in which personal data are processed (see, to that effect, judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C‑154/21, EU:C:2023:3, paragraph 42).
50 The principle that the first copy of the data should be free of charge and the lack of a need to rely on a specific reason to justify the request for access necessarily contribute to facilitating the exercise, by the data subject, of the rights conferred on him or her by the GDPR.
51 Consequently, given the importance which the GDPR ascribes to the right to access personal data undergoing processing, as guaranteed in Article 15(1) thereof, for achieving such objectives, the exercise of that right cannot be made subject to conditions which have not been expressly laid down by the EU legislature, such as the obligation to rely on one of the reasons referred to in the first sentence of recital 63 of that regulation.
52 Having regard to all of the foregoing, the answer to the first question is that Article 12(5) and Article 15(1) and (3) of the GDPR must be interpreted as meaning that the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation.
The second question
53 By its second question, the referring court asks, in essence, whether Article 23(1)(i) of the GDPR is to be interpreted as permitting a piece of national legislation, adopted prior to the entry into force of that regulation, which, with a view to protecting the economic interests of the controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing.
54 In the first place, regarding the question whether only national measures adopted after the entry into force of the GDPR are capable of falling within the scope of Article 23(1) thereof, it should be emphasised that the wording of that provision contains no indication in that regard.
55 Indeed, Article 23(1) of the GDPR merely indicates that a legislative measure of a Member State may restrict the scope of the obligations and rights provided for in Articles 12 to 22 of that regulation in so far as that measure corresponds to the rights and obligations provided for in those articles and when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure to safeguard, inter alia, the protection of the rights and freedoms of others.
56 Consequently, Article 23(1) of the GDPR does not exclude from its scope national legislative measures adopted prior to the entry into force of that regulation in so far as those measures satisfy the conditions laid down in that provision.
57 In the second place, regarding the question whether a piece of national legislation which, with a view to protecting the economic interests of persons providing treatment, makes the patient bear the costs connected with the provision of a first copy of the medical records requested by that patient, is covered by Article 23(1)(i) of the GDPR, it should be borne in mind, first, that, as is apparent from paragraphs 31 and 33 to 36 of the present judgment, under Article 12(5) and Article 15(1) and (3) of that regulation, the data subject is recognised as having a right to obtain a first copy, free of charge, of his or her personal data undergoing processing.
58 However, the second sentence of Article 15(3) of the GDPR authorises the controller to charge a reasonable fee, based on administrative costs, for any further copies. Furthermore, Article 12(5) of that regulation, read in the light of Article 15(1) and (3) thereof, permits the controller to protect itself against abuse of the right of access by charging a reasonable fee in the case of a manifestly unfounded or excessive request.
59 Secondly, pursuant to recital 4 of that regulation, the right to the protection of personal data is not an absolute right and must be balanced against other fundamental rights, in accordance with the principle of proportionality. Thus, the GDPR respects all the fundamental rights and observes the freedoms and principles recognised by the Charter of Fundamental Rights, as enshrined by the Treaties (judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C‑175/20, EU:C:2022:124, paragraph 53).
60 In fact, Article 15(4) of the GDPR provides that ‘the right to obtain a copy … shall not adversely affect the rights and freedoms of others’.
61 Similarly, Article 23(1)(i) of that regulation recalls that a restriction of the scope of the obligations and rights provided for in, inter alia, Article 15 thereof is possible ‘when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard … the protection of … the rights and freedoms of others’.
62 Consequently, it follows from paragraphs 59 to 61 of the present judgment that the right which the data subject is recognised as having to obtain a first copy, free of charge, of his or her personal data undergoing processing is not absolute.
63 Thirdly, only considerations relating to, inter alia, the protection of the rights and freedoms of others would be such as to justify a restriction of that right, in so far as such a restriction respects the essence thereof and is a necessary and proportionate measure to safeguard that protection, as provided for in Article 23(1)(i) of the GDPR.
64 As is apparent from the order for reference, the charging system provided for in the second sentence of subparagraph 2 of Paragraph 630g of the BGB permits the person providing treatment to make the patient bear the costs connected with the provision of a first copy of his or her medical records. The referring court emphasises that that system is intended, primarily, to protect the economic interests of persons providing treatment, which deters patients from making needless requests for copies of their medical records. Thus, in so far as the essential objective of the piece of national legislation at issue in the main proceedings is to protect the economic interests of persons providing treatment, which it is for the referring court to ascertain, such considerations cannot be included in the ‘rights and freedoms of others’ referred to in Article 23(1)(i) of the GDPR.
65 First, such a piece of legislation deters not only needless requests, but also requests seeking to obtain, for a legitimate reason, a first copy, free of charge, of processed personal data. Consequently, it is necessarily in breach of the principle that the first copy should be free of charge and thereby undermines the effectiveness of the right of access provided for in Article 15(1) of the GDPR, as well as, as a result, the protection guaranteed by that regulation.
66 Secondly, it is not apparent from the order for reference that the interests protected by that piece of national legislation go beyond considerations of a purely administrative or economic nature.
67 In that regard, it should be emphasised that the economic interests of controllers were taken into account by the EU legislature under Article 12(5) and the second sentence of Article 15(3) of the GDPR, which, as has been recalled in paragraph 58 of the present judgment, define the circumstances in which the controller may charge a fee connected with the provision of a copy of personal data undergoing processing.
68 In those circumstances, the pursuit of the objective connected with the protection of the economic interests of persons providing treatment cannot justify a measure leading to the undermining of the right to obtain, free of charge, a first copy and, as a result, of the effectiveness of the data subject’s right of access to his or her personal data undergoing processing.
69 Having regard to all of the foregoing, the answer to the second question is that Article 23(1)(i) of the GDPR must be interpreted as meaning that a piece of national legislation adopted prior to the entry into force of that regulation is capable of falling within the scope of that provision. However, such a possibility does not permit the adoption of a piece of national legislation which, with a view to protecting the economic interests of the controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing.
The third question
70 By its third question, the referring court asks, in essence, whether the first sentence of Article 15(3) of the GDPR is to be interpreted as meaning that, in the context of a doctor-patient relationship, the right to obtain a copy of personal data undergoing processing means the data subject is to be provided with a full copy of the documents included in his or her medical records and containing his or her personal data, or solely with a copy of those data as such.
71 First of all, the Court has held that, according to its wording, the first sentence of Article 15(3) of the GDPR confers on the data subject the right to obtain a faithful reproduction of his or her personal data, understood in a broad sense, that are subject to operations that can be classified as ‘processing’ carried out by the controller (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 28).
72 Next, the first sentence of Article 15(3) of the GDPR cannot be interpreted as establishing a separate right from that provided for in Article 15(1) thereof. Furthermore, the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. The copy must therefore contain all the personal data undergoing processing (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 32).
73 Lastly, regarding the objectives pursued by Article 15 of the GDPR, the purpose of that regulation is to strengthen and set out in detail the rights of data subjects. Thus, the right of access provided for in that provision must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner. Furthermore, the copy of the personal data undergoing processing, which the controller must provide pursuant to the first sentence of Article 15(3) of the GDPR, must have all the characteristics necessary for the data subject effectively to exercise his or her rights under that regulation and must, consequently, reproduce those data fully and faithfully (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraphs 33, 34 and 39).
74 In particular, in order to ensure that the information provided by the controller is easy to understand, as is required by Article 12(1) of the GDPR, read in the light of recital 58 of that regulation, the reproduction of extracts from documents or even of entire documents which contain, inter alia, the personal data undergoing processing may prove to be essential where the contextualisation of the data processed is necessary in order to ensure the data are intelligible (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 41).
75 Consequently, the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even of entire documents which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 45).
76 Regarding the information at issue in the case in the main proceedings, it should be noted that the GDPR identifies the material of which the applicant at first instance in the main proceedings should be able to request a copy. Thus, as regards personal data relating to health, recital 63 of that regulation specifies that the right of access of data subjects includes ‘the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided’.
77 In that regard, as was noted, in essence, by the Advocate General in points 78 to 80 of his Opinion, it is because of the sensitive nature of personal data relating to the health of natural persons that the EU legislature thus highlighted the importance of ensuring that those persons are given access to the data contained in their medical records as fully and precisely as possible, but also in a form which is intelligible.
78 Regarding examination results, assessments by treating physicians and treatments or interventions provided to a patient, which, as a general rule, involve a large amount of technical data, or even images, the provision of a simple summary or a compilation of those data by the medical practitioner, in order to present them in an aggregated form, could create the risk of some relevant data being omitted or incorrectly reproduced, or, in any event, of it being made harder for the patient to verify how accurate and exhaustive those data are and to understand those data.
79 Having regard to all of the foregoing, the answer to the third question is that the first sentence of Article 15(3) of the GDPR must be interpreted as meaning that, in the context of a doctor-patient relationship, the right to obtain a copy of personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain a full copy of the documents included in his or her medical records and containing, inter alia, those data if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible. Regarding data relating to the health of the data subject, that right includes in any event the right to obtain a copy of the data in his or her medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided to him or her.
Costs
80 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (First Chamber) hereby rules:
1. Article 12(5) and Article 15(1) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation.
2. Article 23(1)(i) of Regulation 2016/679
must be interpreted as meaning that a piece of national legislation adopted prior to the entry into force of that regulation is capable of falling within the scope of that provision. However, such a possibility does not permit the adoption of a piece of national legislation which, with a view to protecting the economic interests of the controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing.
3. The first sentence of Article 15(3) of Regulation 2016/679
must be interpreted as meaning that, in the context of a doctor-patient relationship, the right to obtain a copy of personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain a full copy of the documents included in his or her medical records and containing, inter alia, those data if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible. Regarding data relating to the health of the data subject, that right includes in any event the right to obtain a copy of the data in his or her medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided to him or her.
[Signatures]
* Language of the case: German.
© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.
BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C30722.html