CJEU rules on SARs: Are legal ‘fishing expeditions’ ‘manifestly unfounded’?
Posted: November 14, 2023
The Court of Justice of the European Union (CJEU) settled a dispute between a dentist and a patient in late October 2023 by answering three important questions about the “right of access” under the EU General Data Protection Regulation (GDPR).
The judgment in DW vs FT (Case C‑307/22) explores:
- Whether the data subject’s motivation for submitting a subject access request matters,
- The conditions under which national laws may take precedence over the GDPR, and
- Whether the controller can sometimes provide a summary of the personal data in response to an access request.
Facts and questions
FT was a dentist, and DW was FT’s patient. DW suspected that FT had failed to properly fix his teeth. He submitted a subject access request to FT to obtain a copy of his medical records.
FT suspected that DW was preparing a lawsuit, and asked DW to cover the costs.
Under German law, healthcare practitioners are entitled to charge an administrative fee for reproducing medical records. Under the GDPR, charging a fee in response to a subject access request is generally only permitted when the request is “manifestly unfounded or excessive”.
The CJEU considered the following three main questions about the “right of access” in this case:
- Does the data subject’s motivation for submitting a subject access request matter?
- Which law takes precedence for the purpose of access to medical records – the German Civil Code, or the GDPR?
- Is a controller obliged to provide the entire contents of a data subject’s medical records (or, by extension, any other type of document), or can the controller provide a summary of the personal data contained within the records?
Here’s what the court said.
Does motivation matter?
DW requested access to his medical records to see if he had a legal claim against FT. Is that a valid reason under the GDPR?
Recital 63 of the GDPR suggests that the right of access exists to enable data subjects to check whether their personal data has been processed lawfully.
But is that the only reason? And does it even matter why a data subject makes a request?
The CJEU found that verifying the lawfulness of processing is not the only valid reason for a subject access request. In fact, the data subject is not required to state a reason.
DW’s motivation, which the CJEU describes as “to verify the existence of claims under medical liability law”, was deemed an acceptable reason to submit a subject access request.
So regardless of the purpose of the data subject’s request, the controller must provide the first copy of personal data for free – unless, of course, a request is “manifestly unfounded or excessive”.
Relatedly, the Court of Appeal of England and Wales reached a similar conclusion in Dawson-Damer v Taylor Wessing LLP (2020).
German Civil Code vs GDPR
When insisting that DW cover the cost of his subject access request, FT cited Section 630g (2) of the German Civil Code, which states that the patient must “reimburse the treating party for the costs incurred” in providing copies of medical records.
Article 23 (1) of the GDPR allows EU member states to adopt national legislation that restricts the scope of some GDPR provisions under certain conditions, including where such legislation aims to protect people’s rights and freedoms.
FT argued that Section 630g (2) of the Civil Code was such a law – and a proportionate one, at that – because it safeguards healthcare practitioners’ legitimate interests (by reducing the number of frivolous subject access requests).
The CJEU made two findings here:
- It did not matter that the relevant provision in the German Civil Code had been adopted prior to the enactment of the GDPR. The national legislation referred to in Article 23 (1) of the GDPR can be older laws.
- However, “protecting the economic interests of the controller” did not count as “the protection of… the rights and freedoms of others”, per Article 23 (1) (i).
As such, the GDPR takes precedence over national laws that purport to restrict the right of access to protect the economic interests of the controller.
Extent of personal data
Finally, the CJEU considered whether a data subject is entitled to a full copy of their medical records, or whether a summary of the personal data might be sufficient.
Under Article 15 (3) of the GDPR, data subjects can obtain “a copy of the personal data undergoing processing”. According to the CJEU, this means controllers must provide a “full and faithful copy” of all personal data concerning the data subject if requested.
In the healthcare context, a “full and faithful” copy of personal data would include complete medical records.
By providing all the personal data it is processing, the controller enables the data subject to check that the personal data is accurate and lawful. This is not guaranteed if the controller provides a summary of the data – so a full copy is required.