New CJEU Judgment on Access Requests by Data Subjects: the advent of a “Legitimate Access Assessment”?

A significant new data protection judgment of the CJEU was rendered today in case C-487/21 (Österreichische Datenschutzbehörde v CRIF GmbH) on the topic of access requests by data subjects.

The questions referred to the CJEU by the Austrian Federal Administrative Court relate to the scope of the controller’s obligations in relation to access requests by data subjects pursuant to article 15 of the GDPR.

Does the obligation to provide a “copy” of the data entail:

  • transmission of personal data in the form of a summary table or
  • a sort of “autonomous right” to the transmission of document extracts or entire documents, as well as database extracts, in which those data are reproduced

It turns out, neither really. The Court toes the line by rejecting the “autonomous right” while simultaneously consecrating a broad understanding of the right of access:

  1. The controller must give the data subject a faithful and intelligible reproduction of all personal data undergoing processing

    This obligation derives from the necessity for the data subject to assess whether the personal data is correct (we understand, “accurate”) and whether they are processed in a lawful manner.

    As a result, data subjects’ right to access is conceptualised as a gateway right for the exercise of other data subject rights.


  2. This may include an obligation to provide copies of entire or partial documents and/or databases if essential to enable data subjects to exercise their rights under the GDPR effectively

    As the Court states, “the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential, […] where the contextualisation of the data processed is necessary in order to ensure the data are intelligible” (§41).


  3. This right of access must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, and in particular, the copyright protecting the software

The Court essentially reiterates the necessity for controllers to conduct a balancing exercise between the rights of the data subject and the rights and freedoms of others – which may result in not providing “full and complete access” to the personal data but may not result in “a refusal to provide all information to the data subject”.

What does this mean for data controllers: this decision essentially imposes an additional requirement on controllers to assess whether the information it intends to provide to the data subject is sufficiently intelligible by conducting a sort of “legitimate access assessment”. As always, this assessment should be thoroughly documented in accordance with the principle of accountability and should properly identify and consider, where relevant, any rights and freedoms of others limiting the exercise of the data subject’s right (e.g., removal of personal data from other data subjects, a given intellectual property asset, etc.).

The press release for this decision can be found here, and the full decision here.