DSB (Austria) – CJEU Judgment (Austria, 2023)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a company must provide a complete and accurate copy of personal data when requested by individuals. This decision is important because it clarifies what 'copy' means under privacy laws, ensuring that people can fully understand what data is held about them. Companies need to be prepared to give clear and complete information to users.
What happened
A company failed to provide a complete copy of personal data to a user who requested it.
Who was affected
Individuals requesting access to their personal data held by companies.
What the authority found
The Court of Justice held that individuals are entitled to a faithful and complete reproduction of their personal data when they request it.
Why this matters
This ruling reinforces the right of individuals to access their data fully, pushing companies to improve transparency and data handling practices. It highlights the importance of clear communication about personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller – CRIF – was a company that provided its client with information concerning the creditworthiness of third parties. The data subject asked the controller to provide them with a copy of their data undergoing processing. The controller replied by submitting a summary with the list of such personal data. In the context of a complaint before the Austrian DPA, the data subject lamented that this was not sufficient. However, the supervisory authority held that the controller did not violate the GDPR. The data subject appealed the DPA decision and the court referred the matter to the CJEU. The preliminary question concerned the scope of the right to a copy of data undergoing processing pursuant to Article 15(3) GDPR. According to the CJEU, the GDPR does not contain any definition of “copy”. However, this word, in its usual meaning, indicates a “faithful reproduction or transcription of an original” in opposition to a “purely general description” of data. The true question, however, was whether Article 15(3) GDPR covers “extracts from documents or even entire documents or extracts from databases”. The copy does not refer to the document as such but to the personal data undergoing processing, which must be complete. The Court stressed that the right to a copy – originally not provided by the data protection directive – aims to enable the data subject to protect their rights and interests under the GDPR. As the protection of data subjects’ rights is the rationale behind the right to a copy (and more in general behind the principle of transparency) a copy of data undergoing processing must reproduce data “fully and faithfully” in a manner that enables the data subject to exercise their rights. In conclusion, the right to a copy under Article 15(3) GDPR entails that data subject must be given a faithful and intelligible reproduction of all their personal data. This may include, to the extent that it is necessary to protect their rights and interests, copies of
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (5)
Other cases involving DSB (Austria) in AT
CJEU Judgment
Details
About this data
Cite as: Cookie Fines. DSB (Austria) - Austria (2023). Retrieved from cookiefines.eu
Last updated: