On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.
A patient seeking to uncover errors in his dentist’s work requested access to his medical records. The dentist replied that, under German law, access to the patient’s medical records could be conditional on the data subject’s payment of the costs connected with providing the records.The patient claimed that this was inconsistent with the GDPR, which gives data subjects a right to access a copy of their data (Article 15).
The CJEU held that, generally, exercising the right of access under the GDPR should not entail any cost for the data subject and that such cost may be only imposed where the data subject has already received a first copy of his or her data free of charge. The Court also clarified that the GDPR does not require data subjects to provide reasons for their request, and therefore, the data holder cannot reject an access request on the grounds that the data subject access request is not aimed at verifying GDPR compliance.
Finally, the CJEU reiterated that the data subject must be given a “faithful and intelligible reproduction” of the data (see our blog post here). This includes sharing a full copy of documents containing the data subject’s personal data – rather than just extracts – if doing so is “essential” for the data subject to understand and verify the accuracy and exhaustiveness of the data processing.
The scope of GDPR’s right of access (see our blog posts here and here) has been heavily litigated both at EU and national level. At national level, in a surprising decision earlier this year the Belgian Data Protection Authority held that it would be excessive to ask an employer to search its email servers for all emails concerning a former employee. According to the Authority, this would constitute a “disproportionate effort” for the former employer as, among other things, the requestor had been an employee for eight years and, for some period of time, the email address the requestor used was also used by other employees. In addition, the requestor had not provided any parameters that could aid the former employer in its search through the email servers.
* * *
Covington’s Data Privacy and Cybersecurity Practice regularly advises on data subject access requests, and on privacy investigations and disputes including at the CJEU. If you have any questions about the interaction between data protection and local laws we are happy to assist.
(This blog post was written with the contributions of Alberto Vogel.)