The Court of Justice of the European Union's judgment in FT v. DW (Case C‑307/22) has been released, illustrating some key provisions on data subject access requests. The case involved a patient, DW, who requested a free initial copy of their medical records from a dentist, FT. This request triggered a legal dispute that raised important questions about data access and the rights of individuals.

The patient had received dental treatment from the dentist and suspected malpractice in the treatment. He requested a free first copy of his medical records, but the dentist refused, citing German national law requiring patients to cover costs for obtaining copies of medical records. The patient refused to pay, and the dispute made its way through the legal system up to the CJEU. Both initial and appellate courts supported the patient's request, citing Articles 12(5), 15(1) and 15(3) of the EU General Data Protection Regulation. The case eventually reached Germany's Federal Court of Justice, Bundesgerichtshof, which found that the decision hinged on the interpretation of the GDPR and referred the case to the CJEU.

Question one: The right to access personal data

The central question, in this case, revolved around whether a controller, such as a medical practitioner processing patient data, is obligated to offer an individual a free copy of their personal data, even if the reason for the request isn't explicitly listed in the GDPR's Recital 63. 

In this case, it seems likely the patient requested the personal data as evidence to bring legal action against the treatment provider. This approach is common in data subject access requests, where data subjects make "fishing expeditions" to gain evidence to sue another party they feel aggrieved by. Controllers often naturally feel upset by this; Recital 63 explains the access right is to be aware of and verify the lawfulness of the processing, not to provide ammunition to sue.

The CJEU considered Articles 12 and 15 of the GDPR. Article 12(5) explains that accessing personal data should generally be cost-free for individuals. Article 15(3) indicates that a person should be provided with a free initial copy of their personal data. The court considered these provisions and found Recital 63 does not limit the grounds for a request. The GDPR doesn't require individuals to provide reasons for requesting access to their personal data, and controllers are not entitled to ask for justification. Transparency is a fundamental principle underpinning the GDPR, and gatekeeping access to personal data by means of the purpose for which it is requested is not permitted. 

The court concluded the GDPR mandates controllers to provide a free first copy of processed personal data to individuals, irrespective of the reason for the request. This does not affect the right to refuse where a request is "manifestly unfounded or excessive." However, arguments that individuals should be barred from using an access request to get documents for legal cases instead of using established legal discovery methods no longer hold much weight. 

Question two: Balancing economic interests 

The second question focused on whether Article 23(1)(i) of the GDPR allows national legislation, established before the GDPR came into force, to require data subjects to bear the costs for a first copy of their processed personal data. Article 23(1) permits member states to restrict obligations and rights under the GDPR if such restrictions adhere to fundamental rights and are necessary to protect the rights and freedoms of others. The dentist argued that the national legislation allowing a charge to patients for access to medical files was protecting the economic interests of health care providers. The CJEU found that while Article 23(1)(i) might apply to legislation adopted before the GDPR's enforcement, it does not allow such legislation to make data subjects pay for the first copy of their processed personal data to protect the controller's economic interests.

Question three: Access to complete medical records

Finally, the CJEU explored the interpretation of Article 15(3) of the GDPR and the nature of access a patient should have to their medical data. Specifically, whether patients are entitled to a complete copy of documents in their medical records containing their personal data or just a summary of that data.

The CJEU emphasized that Article 15(3) ensures that individuals receive an accurate reproduction of their personal data. It found that the term "copy" in the GDPR does not refer to the physical document itself but rather to the comprehensive personal data it contains, which must be complete. The GDPR's intent is to allow data subjects access to ensure their data is correct and lawfully processed. Consequently, patients should receive an accurate and clear copy of all their data. This might mean a controller is obliged to provide entire documents if it helps the data subject effectively exercise their rights. Merely providing a summary can risk missing or misrepresenting crucial information, making it difficult for patients to verify and understand their data.

The CJEU explained that what is required is contextual. In some situations, the reproduction of extracts from documents may be enough. In others, entire documents should be provided. The main thing is to provide a faithful and intelligible reproduction of the data. Recital 63 specifically covered medical information, so it was necessary to provide direct source material for diagnoses, examination results, doctor evaluations, treatments, etc. 

Conclusion

The CJEU's judgment in FT v DW is a useful decision in guiding the approach to data subject access requests. The CJEU has helpfully clarified that individuals have the right to a free initial copy of their personal data regardless of the purpose, the national legislation imposing fees on first-time access to personal data is unlikely to be allowed, and that patients are entitled to a comprehensive reproduction of their medical data, not just a summary.