CJEU on Art. 15 GDPR right of access by the data subject
- Author: Wolfgang von Sandersleben, DP-Dock GmbH
- Last updated: November 2023
- Category: Data Security
More and more clients of ours ask us what is the right way to approach and subsequently respond a data subject’s Art. 15 GDPR access request (DSAR). Recently, the Court of Justice of the European Union (CJEU) shed some light on that matter. More specifically, a patient of a dental practice in Germany suspecting malpractice requested a copy of his medical records. The dental practice initially refused to comply with his request citing a German law that required a patient to cover the cost of obtaining such copies.
The case quickly escalated to the CJEU, which ruled out that even though the patient was “fishing” for evidence to establish his legal case, the reasonings behind a DSAR are irrelevant and the Data Controllers (in this case the dental practice) is obliged to provide the data subject with an “accurate and clear copy of their data”: On the question of national legislation requiring the patient to pay for the cost, the Court ruled that this is restricting - unlikely to be allowed after the introduction of the GDPR and that the first copy of the medical records shall be provided without additional costs.
It remains to be seen whether the German legislator will take the decision into account and to which reforms this decision may lead. For more info, please read here: CJEU rules individuals have right to free copy of their personal data (iapp.org)
