European Union: Issued CJEU Ruling in Case C-487/21 regarding GDPR Right to Copies of Personal Data

On 4 May 2023, the Court of Justice of the European Union (CJEU) issued its judgement in Case C-487/21 concerning a clarification request by the Federal Administrative Court in Austria that is currently evaluating a complaint brought forth by an individual who requested a copy of his processed data from CRIF, a company specialising in credit and business information systems, analytics, outsourcing and processing services. The company had provided a mere summary of the requested data and not a complete account of emails, database entries, or other relevant data. The individual claimed he had the right to obtain a complete copy of his data. The CJEU clarifies that a copy entails a "faithful and intelligible" account of the data and that a "copy" is to be understood as a complete report of any processed data. Additionally, the controller must provide individuals with copies that are legible, clear, easily accessible, and transparent. The CJEU found that apart from the exact definition of "copy", another relevant factor is how easily the data may be understood. For copies to facilitate understanding for the reader, a complete copy may be needed to achieve that (e.g. including complete documents or database extracts). The only caveat remains to ensure that a balance exists between providing the right to a complete copy of data and not infringing on the rights of others.