On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW).   As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.

A patient seeking to uncover errors in his dentist’s work requested access to his medical records. The dentist replied that, under German law, access to the patient’s medical records could be conditional on the data subject’s payment of the costs connected with providing the records. The patient claimed that this was inconsistent with the GDPR, which gives data subjects a right to access a copy of their data (Article 15).

The CJEU held that, generally, exercising the right of access under the GDPR should not entail any cost for the data subject and that such a cost may only be imposed where the data subject has already received a first copy of his or her data free of charge. The Court also clarified that the GDPR does not require data subjects to provide reasons for their request, and therefore the data holder cannot reject an access request on the grounds that the request is not aimed at verifying GDPR compliance.

Finally, the CJEU reiterated that the data subject must be given a “faithful and intelligible reproduction” of the data (see our blog post here).  This includes sharing a full copy of documents containing the data subject’s personal data – rather than just extracts – if doing so is “essential” for the data subject to understand and verify the accuracy and exhaustiveness of the data processing.

The scope of GDPR’s right of access (see our blog posts here and here) has been heavily litigated both at EU and national level.  At national level, in a surprising decision earlier this year the Belgian Data Protection Authority held that it would be excessive to ask an employer to search its email servers for all emails concerning a former employee.  According to the Authority, this would constitute a “disproportionate effort” for the former employer as, among other things, the requestor had been an employee for eight years and, for some period of time, the email address the requestor used was also used by other employees.  In addition, the requestor had not provided any parameters that could aid the former employer in its search through the email servers. 

*                             *                             *

Covington’s Data Privacy and Cybersecurity Practice regularly advises on data subject access requests, and on privacy investigations and disputes including at the CJEU.  If you have any questions about the interaction between data protection and local laws we are happy to assist.

(This blog post was written with the contributions of Alberto Vogel.)

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.