Are controllers obliged to provide copies of documents containing personal data upon request?

  • Home
  • /
  • News
  • /
  • Are controllers obliged to provide copies of documents containing personal data upon request?

On 04.05.2023, the Court of Justice of European Union (“CJEU”) published its preliminary ruling on the interpretation of Article 15 of Regulation (EU) 2016/679 (“GDPR”) in CJEU case C-487/21.

The request was made in a dispute between F.F., the data subject, on the one hand, and the Austrian Data Protection Authority, (“the Authority”), on the other hand, in relation to the Authority’s refusal to impose on CRIF GmbH, the controller, the obligation to provide F.F. with a copy of documents and extracts from databases containing his personal data that were being processed.

FF requested CRIF GmbH to have access to the personal data concerning him and to provide him with a copy of the documents, i.e. e-mails and database extracts, containing inter alia his data, “in a standard technical format”. CRIF provided FF with a summary list of his personal data being processed, but not the requested copies.

The questions submitted to the CJEU mainly concerned the interpretation of the notion of “copy” for the purposes of the GDPR, namely whether the obligation under Art. 15 para. (3) of the GDPR to provide a “copy” of personal data is fulfilled when the controller transmits personal data in the form of a summary table or involves the transmission of extracts from documents or even entire documents, as well as extracts from databases in which these data are reproduced.


The CJEU has ruled that the interpretation of Article 15 GDPR on the right to obtain from the controller a copy of personal data, requires the supply of a true and fair reproduction of all such data, by copying extracts from documents or even entire documents.

However, the limits in providing copies are (i) their indispensability for the exercise by the data subject of the rights laid down by the GDPR and (ii) to take into account the rights and freedoms of others, including trade secrets or intellectual property and, in particular, copyrights protecting software programs.

In addition to the interpretation made by the CJEU that the Romanian courts will be bound by, we consider that this decision has considerable practical implications for controllers, as it requires a clear record of the flow of data processed and of the documents containing these data, to be provided in the event of a request and fulfilment of the conditions set by the CJEU.