Court of Justice of the European Communities (including Court of First Instance Decisions)
FT (Copies du dossier medical) (Protection of personal data - Right of access by the data subject to personal data undergoing processing - Right to receive a copy of personal data free of charge - Opinion) [2023] EUECJ C-307/22_O (20 April 2023)
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C30722_O.html
Cite as: [2023] EUECJ C-307/22_O, EU:C:2023:315, ECLI:EU:C:2023:315
OPINION OF ADVOCATE GENERAL
EMILIOU
delivered on 20 April 2023(1)
Case C‑307/22
FT
v
DW
(Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Articles 12, 15 and 23 – Right of access by the data subject to personal data undergoing processing – Right to receive a copy of personal data free of charge – Reimbursement of expenses – Patient’s medical records – Doctor processing the data)
I. Introduction
1. Articles 12 and 15 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (‘the GDPR’) (2) grant data subjects far-reaching rights of access in respect of personal data being processed. Inter alia, those provisions require controllers to provide data subjects, free of charge, with a copy of that data.
2. May data subjects request access to their personal data, on the basis of the provisions of the GDPR, for purposes other than those relating to data protection? May Member States restrict the right to obtain a copy of the data by requiring data subjects to pay, in some specific cases, the costs incurred by the data controller for the production of the copies? Should controllers provide copies of all documents containing personal data, or can they compile the data requested by data subjects?
3. These are, in essence, the main issues raised by the request for a preliminary ruling submitted by the Bundesgerichtshof (Federal Court of Justice, Germany) in a case concerning the ability of a patient to obtain, free of charge, copies of documents contained in his medical records.
II. Legal framework
A. European Union law
4. Recitals 4, 13 and 63 of the GDPR read:
‘(4) … The right to the protection of personal data is not an absolute right; it must … be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular … freedom to conduct a business …
(13) … [T]he Union institutions and bodies, and Member States … are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation …
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing … That right should not adversely affect the rights or freedoms of others …’
5. Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, provides:
‘1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language ….
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. …
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. …
…
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
…’
6. Under the terms of Article 15 of the GDPR, entitled ‘Right of access by the data subject’:
‘1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
…
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. …
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’
7. Article 23(1) of the GDPR, dealing with ‘Restrictions’, provides:
‘1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 … when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
…
(e) other important objectives of general public interest of the Union or of a Member State, in particular … public health …;
…
(i) the protection of the data subject or the rights and freedoms of others;
…’
B. National law
8. Paragraph 630f, entitled ‘Documentation of treatment’, of the Bürgerliches Gesetzbuch (German Civil Code; ‘the BGB’) provides:
‘(1) The person providing treatment is obliged to keep medical records in paper form or electronically for the purpose of documentation in direct temporal connection with the treatment. …
(2) The person providing treatment is obliged to record in the medical records all measures which, from a professional point of view, are essential for the current and future treatment, and the results of those measures, in particular the patient’s history, diagnoses, examinations, results of examinations, findings, therapies and the effects thereof, procedures and the effects thereof, consents and any explanations given. Doctors’ letters shall be included in the medical records.
…’
9. Paragraph 630g, entitled ‘Access to medical records’ of the BGB states:
‘(1) Upon request, the patient shall be granted immediate access to the complete medical records concerning him or her, unless such access is precluded by significant treatment-related reasons or other significant rights of third parties. …
(2) The patient may also request electronic copies of the medical records. He or she must reimburse the person providing treatment with the costs incurred.
…’
III. Facts, procedure and the questions referred
10. DW (the applicant in the main proceedings) received dental care treatment from FT (the defendant in the main proceedings). Suspecting improper treatment, DW requested FT to provide him, free of charge, with a copy of all medical records concerning him that were being held by the latter. FT took the view that she would be required to provide a copy of the medical records only if the patient reimbursed the costs.
11. DW brought proceedings against FT before the Amtsgericht (Local Court, Germany) which upheld his action. FT lodged an appeal before the Landgericht (Regional Court, Germany) which was dismissed on the ground that the fact that DW requested the information in order to verify whether he had claims under medical liability law did not nullify his rights under Article 15 of the GDPR.
12. In her appeal on a point of law before the Bundesgerichtshof (Federal Court of Justice), FT sought the annulment of the judgment of the Landgericht (Regional Court) and dismissal of DW’s action. According to the Bundesgerichtshof (Federal Court of Justice), the success of the appeal on a point of law hinges on whether the court which ruled on the appeal on the merits erred in law in finding that – as asserted by DW – the action is well founded under the provisions of the GDPR.
13. The Bundesgerichtshof (Federal Court of Justice) states that, under the provisions of national law, FT is not obliged to provide DW with copies of the medical records concerning him free of charge. However, DW’s right to have them provided free of charge could arise – as the Landgericht (Regional Court) stated – directly from Article 15(3) of the GDPR, read in conjunction with Article 12(5) thereof. Therefore, harbouring doubts as to the correct interpretation of those provisions, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must the first sentence of Article 15(3) of the [GDPR], read in conjunction with Article 12(5) thereof, be interpreted as meaning that the controller (in the present case: the doctor providing treatment) is not obliged to provide the data subject (in the present case: the patient), free of charge, with a first copy of his or her personal data processed by the controller where the data subject does not request the copy in order to pursue the purposes referred to in the first sentence of recital 63 of the GDPR, namely to become aware of the processing of his or her personal data and to be able to verify the lawfulness of that processing, but pursues a different purpose – one which is not related to data protection but is legitimate (in the present case: to verify the existence of claims under medical liability law)?
(2)(a) If Question 1 is answered in the negative: In accordance with Article 23(1)(i) of the GDPR, can a national provision of a Member State adopted prior to the entry into force of the GDPR also be regarded as a restriction of the right to be provided, free of charge, with a copy of the personal data processed by the controller, as provided for in the first sentence of Article 15(3) of the GDPR, read in conjunction with Article 12(5) thereof?
(b) If Question 2(a) is answered in the affirmative: Must Article 23(1)(i) of the GDPR be interpreted as meaning that the rights and freedoms of others, as referred to therein, also include their interest in being relieved of the costs associated with the provision of a copy of data in accordance with the first sentence of Article 15(3) of the GDPR and other expenses incurred in making the copy available?
(c) If Question 2(b) is answered in the affirmative: In accordance with Article 23(1)(i) of the GDPR, can national legislation which, in the context of the doctor-patient relationship, provides that the doctor always has a claim for reimbursement of expenses against the patient, irrespective of the specific circumstances of the individual case, where the doctor provides the patient with a copy of the patient’s personal data from the patient’s medical records be regarded as a restriction of the obligations and rights arising from the first sentence of Article 15(3) of the GDPR, read in conjunction with Article 12(5) thereof?
(3) If Question 1 is answered in the negative and Question 2(a), 2(b) or 2(c) is answered in the negative: In the context of the doctor-patient relationship, does the entitlement under the first sentence of Article 15(3) of the GDPR include entitlement to be provided with copies of all parts of the patient’s medical records containing the patient’s personal data, or does it extend only to the provision of a copy of the patient’s personal data as such, with the doctor who processes the data deciding the manner in which he or she compiles the data for the patient concerned?’
14. Written observations in the present proceedings have been submitted by the Latvian Government and the Commission.
IV. Analysis
A. First question: access to data for purposes not related to data protection
15. By its first question, the referring court asks the Court whether Articles 12(5) and 15(3) of the GDPR should be interpreted as requiring a data controller to provide the data subject with a copy of his or her personal data, free of charge, where the data subject does not request the copy for the purposes referred to in the first sentence of recital 63 of the GDPR (namely, to become aware of the processing of his or her personal data and to be able to verify the lawfulness of that processing), but for a different purpose, such as to verify the existence of claims under medical liability law.
16. In essence, the present question raises the issue whether a data subject has the right to receive, under the provisions of the GDPR, a copy of his or her personal data from the data controller, when his or her request is made in order to pursue purposes which are legitimate, but unrelated to data protection.
17. In my view, the right of access the GDPR grants to data subjects is not conditional on their intention to use the data concerned for purposes relating to data protection, such as those set out in recital 63 thereof. A textual, contextual and systemic reading of the relevant provisions of the GDPR supports that view.
18. First and foremost, no such restriction can be derived from the wording of either Article 12 or Article 15 of the GDPR. Those two provisions lay down – in a sort of a ‘game of mirrors’ – the data controller’s obligation to provide, and the data subject’s right to request, access to the personal data being processed. (3) Neither of the two provisions requires the data subject to indicate the reasons for his or her request of access nor affords the data controller the discretion to demand and evaluate those reasons.
19. Article 12 of the GDPR requires the controller to ‘take appropriate measures to provide any information … and any communication’ in question, and to ‘facilitate the exercise of data subjects rights’. (4) The provisions of Article 12 are, in fact, mainly concerned with the manner in which, and time frame within which, the data controller ought to, inter alia, grant access. (5) The only exceptions placed on the controller’s obligation to act promptly are: (i) to request additional information or refuse to act in case of reasonable doubts about the identity of the data subject; (6) and (ii) to charge a reasonable fee or refuse to act in case of manifestly unfounded or excessive requests. (7)
20. Article 15 of the GDPR is also formulated in very broad terms, granting data subjects far-reaching forms of access: to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, receive detailed information in that regard;(8) and to obtain a copy of the personal data being processed. (9) No express condition or limit is provided for the data subject’s exercise of his or her right of access under Article 15 of the GDPR.
21. That is unlike what is laid down in other provisions of the regulation, dealing with other rights of data subjects. For example, Article 17(3) of the GDPR provides for the situations in which the right to be forgotten, enunciated in paragraphs 1 and 2 of the same provision, ‘shall not apply’. Article 20 of the GDPR, which concerns the right to data portability, is similarly structured, with exceptions being provided for in paragraph 3 of that provision. In turn, Article 21(6) of the GDPR sets out the conditions under which, in some specific circumstances, data subjects are entitled to exercise their right to object, as laid down in paragraph 1 thereof.
22. Against that background, recital 63 cannot be read, to my mind, as introducing a condition for, or limitation to, the exercise of the right of access enshrined in Article 15 of the GDPR, of which there is no trace in the text of that provision (nor in the ‘twin-provision’, Article 12 of the GDPR).
23. As I see it, recital 63 is rather meant to emphasise the significance, within the scheme of the GDPR, of the right of access. That right is in fact instrumental to, and indispensable for, the effective exercise of many other rights that the GDPR grants to data subjects. (10) Individuals can hardly have ‘control of their own personal data’ – as recital 7 of the GDPR states with emphasis – unless they know the ‘if, what and why’ of data processing. That might explain why recital 63 states that data subjects should have the right to access ‘in order to be aware of, and verify, the lawfulness of the processing’. (11) The wording of recital 63 may perhaps be somewhat unclear but, in my view, it does not follow from it that the right of access is only granted for the purposes referred to therein.
24. Such a condition would be – I note in passing – often impossible to check for the controller, and thus easy to circumvent for the data subject, since it would hinge upon the subjective intention of the individual concerned. (12)
25. In addition, I agree with the referring court that a different interpretation of Article 15 of the GDPR cannot be inferred from paragraph 44 of the judgment in YS and Others. (13) In that passage, the Court – referring to the provisions of Directive 95/46/EC, (14) the precursor of the GDPR – stated that, ‘as is apparent from … the preamble to that directive, it is in order to carry out the necessary checks that the data subject has … a right of access to the data relating to him which are being processed’. (15)
26. In doing so, the Court essentially did no more than cite the text of recital 41 of Directive 95/46, whose wording was similar to that of recital 63 of the GDPR. Moreover – as rightly noted by the referring court – in YS and Others, the Court was asked to clarify the concept of ‘personal data’ in order to determine the scope of access. The present question raises a different legal issue – whether the purpose of the access sought may influence the possibility to be granted access – in respect of which I do not think that any useful guidance can be found in that judgment.
27. The interpretation of Article 15 of the GDPR put forward in this Opinion is also borne out by Article 8(2) of the Charter of Fundamental Rights of the European Union (‘the Charter’), concerning ‘Protection of personal data’, according to which: ‘Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified’. (16) The right of access appears to be, in the Charter, identified as a self-standing right, logically related to, but by no means necessarily dependent on, the right-holder’s ability or intention to exercise other rights (such as the right to rectification (17)).
28. I would add, finally, that this interpretation of Article 15 of the GDPR has also been suggested by the European Data Protection Board in its ‘Guidelines 01/2022 on data subject rights – Right of access’. (18) Point 13 of those guidelines reads: ‘Controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting … and whether they hold personal data relating to that individual …. [F]or example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller’.
29. Interestingly, the example given in those guidelines largely corresponds to the facts of the case pending before the referring court. The fact that the applicant in the main proceedings requested access to his personal data contained in the medical records – a situation specifically envisaged in recital 63 of the GDPR (19) – with a view to considering whether to bring proceedings for medical malpractice – an aim which the referring court correctly identifies as being ‘legitimate’ (20) – does not, therefore, authorise the controller to refuse the data subject’s request.
30. In the light of the above, I suggest that the Court answers the first question referred to the effect that Article 12(5) and Article 15(3) of the GDPR should be interpreted as requiring a data controller to provide the data subject with a copy of his or her personal data, even where the data subject does not request the copy for the purposes referred to in recital 63 of the GDPR, but for a different purpose, unrelated to data protection.
B. Second question: access to copies free of charge
31. By its second question, the referring court asks the Court, in essence, whether Article 23(1) of the GDPR permits national legislation, adopted prior to the entry into force of the GDPR, to restrict the right of data subjects to be provided, free of charge, with a copy of the personal data being processed by the controller, by requiring data subjects to cover the costs incurred by the data controller in that regard.
1. The principle and the exception
32. At the outset, it should be emphasised that there is no doubt that, according to the rules of the GDPR, data subjects have the right, in principle, to receive from the controller a first copy of their data being processed at no cost. That follows expressly from Article 12(5) of the GDPR, which states that information provided pursuant to, inter alia, Article 15 thereof ‘shall be provided free of charge’, and that only for requests ‘manifestly unfounded or excessive, in particular because of their repetitive character’, the controller may ‘charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested’.
33. That also follows, albeit implicitly, from Article 15(3) of the GDPR, according to which ‘for any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs’. (21) That means, quite obviously, that a fee cannot be charged for the first copy requested by the data subject.
34. However, according to Article 23(1) of the GDPR, EU or national laws ‘may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 … when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard’ one of the objectives listed therein. One such objective is, under letter (e) public health, and another one is, under letter (i) the rights and freedoms of others.
35. Having emphasised this point, I shall now turn to the key issue raised by the present question which, in my view, calls for a positive answer.
2. The requirements of Article 23(1) of the GDPR
36. In the first place, it is common ground that the data subjects’ right of access to their personal data – set out in Article 15 of the GDPR – is one of the rights that falls within the ambit of Article 23(1) of the GDPR and, consequently, whose scope may be restricted by means of an EU or Member State legislative measure. (22)
37. Secondly, if Member States can generally restrict the scope of the right of access, for example by excluding it in some situations or in respect of certain data, they should also be permitted – in line with the maxim a maiore ad minus (23) – to introduce a rather limited restriction to its exercise. Indeed, only one form of access is restricted (the right to obtain a copy of the data), and only by making it conditional upon the payment, by data subjects, of the costs incurred by the controllers.
38. Thirdly, a restriction such as that at issue – expressly provided for in a civil code or equivalent legal instrument – is provided for ‘in a legislative measure’, as required under Article 23(1) of the GDPR. That condition echoes that set out in Article 52(1) of the Charter, according to which limitations to fundamental rights must be ‘provided for by law’.
39. In this context, I would add that the fact that the national legislation at issue pre-dates the entry into force of the GDPR is, to my mind, plainly irrelevant to determine whether that legislation satisfies the conditions set out in Article 23(1) of the GDPR. As observed by the Commission, neither that provision nor, for that matter, any other provision of the GDPR, requires the EU’s or Member States’ restrictive measures to be included in ad hoc legislative instruments, a fortiori instruments adopted after the entry into force of the GDPR. Member States are thus permitted to both maintain and introduce restrictions that comply with the requirements of Article 23(1) of the GDPR. A comparison of the different language versions of that provision confirms that view. (24)
40. Fourthly, because of the relatively innocuous nature of the restriction in question, mentioned in point 37 above, I am of the view that national legislation such as that at issue clearly does not impinge on the ‘essence’ of that right (another requirement set out in both Article 23(1) of the GDPR and Article 52(1) of the Charter). That legislation does not deprive individuals of the nucleus durus of their right to data protection. Inter alia, it is even hard to imagine situations – among those governed by the national legislation at issue – where the amount of those costs would be so significant that the data subjects’ obligation to bear them would be tantamount, in practice, to denying them access.
41. Fifthly, it seems to me that national legislation such as that at issue pursues objectives that are permissible under Article 23(1) of the GDPR and, more broadly, legitimate under EU law.
42. Subject to verification by the referring court, I understand that the relevant national legislation aims at discouraging unnecessary or frivolous requests of copies, in order to (i) protect the economic interests of doctors, who are often a one-man undertaking or work in small teams and, by doing so, (ii) ensure that, while exercising their professional activities, doctors spend (most of) their time on their core medical tasks, rather than performing avoidable administrative tasks.
43. The second objective is connected to the aim of protecting public health. Under letter (e), Article 23(1) expressly envisages restrictions necessary to safeguard ‘important objectives of general public interest of the Union or of a Member State’ such as ‘public health’. That is in line with Article 35 of the Charter, entitled ‘Health care’, providing that ‘everyone has the right of access to preventive health care and the right to benefit from medical treatment under the conditions established by national laws and practices. A high level of human health protection shall be ensured in the definition and implementation of all the EU’s policies and activities’. (25)
44. The first objective is, admittedly, intended to protect a (private) interest of certain individuals – the doctors which, in the situation here at issue, act as data controllers – and is of an economic nature. Yet, neither of those elements means that a restriction to the right of access is, as a matter of principle, unacceptable.
45. Indeed, under letter (i), Article 23(1) of the GDPR permits restrictions necessary to safeguard ‘the rights and freedoms of others’. Interestingly, the same terms can also be found in Article 15(4) and in recital 63 of the GDPR which, precisely with regard to the right to obtain a copy of the data being processed, state that that right should not ‘adversely affect the rights and freedoms of others’.
46. At the outset, I would point out that Article 15(4), Article 23(1)(i), and recital 63 of the GDPR refer to ‘rights and freedoms of others’ (26) and not – as other provisions of the regulation do – ‘of third parties’. (27) This also means, logically, that restrictions necessary to protect certain rights of the controller may be acceptable under that provision. (28)
47. Next, the fact that one of the interests protected by the national legislation at issue is of an economic nature does not, in and of itself, mean that it could not be such as to justify restrictions under Article 23(1) of the GDPR. Recital 4 of the GDPR is quite clear: ‘the right to the protection of personal data is not an absolute right [and must] be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the … freedom to conduct a business …’. (29)
48. In that connection, I would recall that Title II of the Charter (‘Freedoms’) includes various rights of an economic nature: beyond the already mentioned freedom to conduct a business (Article 16 thereof), one finds also the ‘freedom to choose an occupation and right to engage in work’ (Article 15 thereof) and the right to property (Article 17 thereof). Fundamental rights of an economic nature cannot be regarded as being ‘children of a lesser god’, in comparison with other (civil, social or political) rights. There is no need to be familiar with the writings of Ludwig von Mises (30) to appreciate that all those rights are inextricably linked: their enjoyment cannot but go hand-in-hand since taking away economic rights would inevitably affect the individuals’ ability to enjoy fully their civil, social and political rights and vice-versa.
49. Furthermore, as pointed out by the referring court, recital 13 of the GDPR encourages Member States to ‘take account of the specific needs of micro, small and medium-sized enterprises in the application of [the regulation]’. Member States are thus permitted to consider the specific characteristics of undertakings of limited size and of self-employed professionals, as it is often the case with doctors.
50. Accordingly, I have no difficulty to come to the conclusion that, Article 23(1) of the GDPR not only permits restrictions aimed at protecting public health, but also those intended to protect some fundamental economic rights of individuals, (31) including those of the controllers.
51. Finally, however, national legislation restricting the right of access to personal data is permissible under Article 23(1) of the GDPR only if it can be considered ‘a necessary and proportionate measure’ to safeguard a public interest among those listed therein. This provision thus requires – in line with a well-established principle – that a ‘proportionality test’ of the restriction that requires justification be carried out.
3. Proportionality of the national legislation
52. In order to verify the proportionate nature of the restriction, three cumulative requirements must be examined. The measure must be suitable to secure the attainment of the objective pursued (‘suitability’), and not go beyond what is necessary in order to attain it (‘necessity’). In addition, the national measure must be ‘proportionate stricto sensu’, meaning that it must strike a fair balance between the interests at stake (the interests pursued by the State with the measure in question and those of the people adversely affected). (32)
53. In my view, whether specific national measures derogating from general rules of EU law comply with the principle of proportionality is, often, an assessment that national courts are best placed to carry out. However, with a view to assisting the referring court in resolving the dispute pending before it, I would offer the following considerations.
54. To begin with, it seems to me that national legislation such as that at issue is, in principle, suitable to achieve the objectives pursued by the national legislature, meaning that it appears capable of making a meaningful contribution towards their achievement. Indeed, the requirement that data subjects pay the administrative costs associated with the production of the copies requested may actually discourage them from making unnecessary or frivolous requests of access. This means that doctors are less likely to have to employ their time and resources for avoidable administrative tasks.
55. Next, whether national legislation such as that at issue goes beyond what is necessary to achieve its objectives and/or fails to strike a fair balance between the interests at stake are issues that, in my opinion, are not so straightforward and will, thus, require a more in-depth evaluation from the referring court.
56. In that regard, I would stress again (33) the relatively innocuous nature of the restriction in question. Whereas Article 15 of the GDPR grants various forms of access to data subjects, the national legislation at issue restricts only one of those forms (the right to obtain a copy of the data), and only by making it conditional upon the data subjects paying the costs incurred by the controllers in that respect.
57. Nevertheless, the Commission expressed some doubts on the necessity of the national legislation at issue, pointing out that it applies in respect of all requests of access to medical records, irrespective of the professional status and type of activity of the doctor concerned: he or she may be self-employed, by himself/herself or in multi-doctor cabinets, or as an employee, for example in a public hospital or in a large private clinic.
58. I must admit that certain arguments made by the Commission have some force. It may indeed be true that not all the situations covered by the national legislation at issue are entirely comparable for the purposes of Article 23(1)(e) and (i) of the GDPR. For instance, large medical cabinets, hospitals and private clinics normally have dedicated staff and equipment to perform all the administrative tasks associated with the provision of medical services. So, it is not obvious that, in those cases too, national legislation such as that at issue has the effect of relieving doctors from having to bear unnecessary expenses or use their valuable time in performing avoidable clerical tasks.
59. In addition, unlike doctors that are bound to apply publicly set tariffs, doctors who are free to set their tariffs at the level they see fit are able, if they deem it appropriate, to recover the extra costs by raising their tariffs, thereby ‘spreading’ those costs among all their patients. Accordingly, some doctors may arguably require a higher level of ‘legislative protection’ than others.
60. On the other hand, however, I am not sure that a rule which would treat differently doctors and, by way of a consequence, patients depending on whether the doctors, for example, (a) are self-employed or work as employees, (b) work in – to use the terms of recital 13 of the GDPR – ‘micro, small and medium-sized enterprises’, or for large hospitals and clinics, and/or (c) are bound by public tariffs or can freely set their tariffs, would be either practical or reasonable and fair.
61. Finding the right criteria to distinguish the situations where the patients should bear the costs, from those where the doctors should, in order to best achieve the objectives set by the national legislature, is not an easy task. More importantly, any such differentiation would be introducing a certain complexity (and, possibly, a source of confusion) with regard to situations which, because of the usually quite limited amount of money involved, are probably more easily governed by a clear rule of automatic application.
62. As the Court has held, Member States cannot be denied the possibility of pursuing objectives in the public interest through the introduction of general and simple rules which will be easily understood and applied by users, and easily managed and supervised by the competent authorities. (34) More generally, as I stated in a recent Opinion, Member States cannot be required to adopt – for the sake of proportionality – alternative measures that are of uncertain feasibility or effectiveness, or that would result in an intolerable (organisational or financial) burden on them. (35)
63. Finally, a perverse effect of a rule with a more limited scope than that at issue cannot be excluded: it could encourage patients to go to larger clinics (that provide copies of medical records free of charge) rather than to smaller medical cabinets (which require an additional payment for those copies).
64. Indeed, the overall fairness or, put differently, reasonableness of alternative rules could also be questioned. If assessed from the perspective of doctors, a tailor-made rule that only shields independent doctors and small practices from such costs may appear reasonable: it protects the ‘weakest’ professionals. However, if assessed from the perspective of patients, the same measure may look different. Indeed, the patients who seek medical services from large hospitals and clinics, especially those where the doctors are free to set their tariffs at the level they see fit, would be those that benefit from the rule. That would be so despite the fact that (i) those patients may often be more wealthy than those using local self-employed doctors and (ii) the costs incurred for the copies of the medical records are likely to constitute a very minor (possibly negligible) part of the overall costs borne by them for the medical services, as opposed to patients who seek medical services through the national health system (typically at no cost, or for nominal fees). So, one could argue that the protection of the ‘weakest professionals’ would come at the expense of the ‘weakest consumers’.
65. In the light of the above, unlike the Commission, I remain unconvinced that the one-size-fits-all approach chosen by the German legislature goes beyond what is necessary to achieve the aims pursued by the national legislation in question. I could not identify any alternative measure that is less restrictive vis-à-vis the right to data protection of individuals, whilst being equally effective to safeguard the interests which the national legislation at issue is meant to protect.
66. Nor do I see any element suggesting that the German legislature failed to strike the right balance between the various interests at stake.
67. Admittedly, it could be argued that the balance between the various interests at stake as regards the provision of copies of personal data was made by the EU legislature: the data controller must give the first copy free of charge, and may request the payment of a fee only for excessive and/or further copies. However, the broad text of Article 23(1) and of recital 13 of the GDPR does not lend itself to any such restrictive reading. Nor does recital 63, which specifically refers to the data subjects’ right of access to data concerning ‘their health’, include any specific reference in that regard.
68. More importantly, it cannot be overlooked that, in the field of the protection and improvement of human health, the European Union has only a supporting competence. (36) The Court has consistently stated that it is for the Member States to determine the level of protection which they wish to afford to public health and the way in which that level is to be achieved. Since that level may vary from one Member State to another, Member States should be allowed a measure of discretion. (37)
69. Having weighed up the various interests at stake, the German legislature decided that, with regard to requests of copies of medical records made by patients to doctors, there were grounds to consider that the costs incurred should be borne by the data subjects and not by the controllers. I think that that is a policy decision which, not being manifestly irrational or implausible, falls within the margin of appreciation of the Member State in question. In any event, reviewing that choice is a task that belongs to the referring court and not to the Court of Justice.
70. That being said, there is certainly an element which, in my view, the referring court should check. In situations such as those governed by the national legislation at issue, it is in my view imperative that the costs for which the doctors may seek reimbursement from the patients are strictly limited to the actual costs for producing and making available the copies requested. This means that the recoverable costs are only those relating to the material (such as paper, toner for printer machines or copy machines, and/or USB sticks, etc.) and the labour required to that end. Those costs cannot, to my mind, include any profit whatsoever made by the professionals. (38) Given the current state of digitalisation of documents and archives, I would be surprised (and thus suspicious) if the amount normally charged by doctors for that purpose exceeded a handful of euros.
71. In the light of the above, I suggest that the Court answers the second question referred to the effect that Article 23(1) of the GDPR permits national legislation which requires patients seeking copies of their personal data contained in medical records to reimburse the doctors for the costs incurred, provided that the restriction to the right of access is, in the light of all relevant circumstances, necessary and proportionate to the objectives of protecting public health and the doctors’ freedom to conduct a business. In particular, it is for the national court to verify that the costs for which doctors may ask for reimbursement from the patients are strictly limited to the actual costs incurred in that regard.
C. Third question: concept of ‘copy of the data’
72. Finally, by its third question, the referring court asks the Court whether, in the context of a doctor-patient relationship, the phrase ‘copy of the personal data undergoing processing’ in the first sentence of Article 15(3) of the GDPR, should be interpreted as conferring on the data subject a general right to obtain a full copy of the documents included in his medical file.
73. The main issue raised by the present question has been addressed – in my view convincingly – by Advocate General Pitruzzella in his recent Opinion in F.F. (39)
74. In that case, the referring court sought clarification from the Court on the scope of the right of access granted to data subjects by Article 15 of the GDPR. In order to address that issue, Advocate General Pitruzzella discussed, inter alia, the concept of ‘copy’ within the meaning of Article 15(3) and (4) of the GDPR. Following a literal, contextual and teleological interpretation of the provision, he came to the following conclusions, which are relevant to the present case.
75. First, the concept of ‘copy’, referred to in Article 15(3) and (4) of the GDPR, must be understood as ‘a faithful reproduction in intelligible form of the personal data requested by the data subject, in material and permanent form, that enables the data subject effectively to exercise his or her right of access to his or her personal data in full knowledge of all his or her personal data that undergo processing’. He added that ‘the exact form of the copy is determined by the specific circumstances of each case and, in particular, the type of personal data in respect of which access is requested and the needs of the data subject’. (40)
76. Secondly, Article 15(3) of the GDPR ‘does not confer on the data subject a general right to obtain a partial or full copy of the document that contains his or her personal data or, if the personal data are processed in a database, an extract from that database’. That said, he also made clear that ‘that provision does not rule out … the data subject having to be provided with portions of documents, or entire documents or extracts from databases, if that were necessary to ensure that the personal data undergoing processing and in respect of which access is requested are fully intelligible’. (41)
77. For reasons of judicial economy, I am not reproducing here the reasons which led him to take that position. Suffice it to say that I fully share his views in that respect. After all, the GDPR is not a piece of legislation on access to documents, but on data protection. Consequently, its primary focus is ensuring access to data, not to documents that contain data. Whereas in some cases the latter may necessarily imply the former, that is not always so.
78. Having said that, it seems to me that, consistent with the principle of transparency (42) and with the requirement that the information be provided in a ‘concise, transparent, intelligible and easily accessible form’, (43) it is possible that, as far as documents contained in medical records are concerned, the right to obtain a copy of the data being processed might often require a right to be given a (partial or full) copy of the original documents. Especially when it comes to the results of analysis or tests (which typically include numerous technical data and/or images), I think that allowing the doctors (or their staff) to summarise or compile that data, in order to provide it in an aggregated form, may create the risk that certain relevant data is omitted (44) or reported incorrectly (45) or, in any event, make it more difficult for data subjects (namely, patients) to verify the accuracy and completeness thereof.
79. It is probably for that reason that, as mentioned already, recital 63 of the GDPR expressly states that the right to access to personal data ‘includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided’.
80. It would thus appear that the EU legislature itself emphasised the importance that access by individuals to personal data concerning their health be not only easily intelligible, but also as complete and accurate as possible. At the same time, it is clear that medical records may contain a variety of documents which do not include personal data of the patients (for example, scientific articles concerning pathologies or medical treatments). Obviously, patients have no right to access the information contained in those articles and, consequently, no right to have a copy thereof, on the basis of the GDPR.
81. In that connection, I note that the national legislation at issue – whose reform is, as far as I understand, being discussed by the competent national authorities (46) – may be granting patients a right of access to medical records and, in particular, of obtaining copies of documents included therein, that goes beyond that recognised under the GDPR.
82. I do not see any reason why that should not be possible under EU law, since it would fall under an area of law that is not regulated at EU level. Moreover, as far as I can see, there are no obvious issues of conflict with the rules of the GDPR. However, I hardly need to point out that a right of access to medical records that goes beyond that recognised by the GDPR would, to that extent, be governed by national law only. This means that the scope of that right (for example, the type of documents concerned) and the manner in which access is to be provided (for example, free of charge or against reimbursement of the costs incurred) are for the national legislature to determine.
83. Accordingly, I suggest that the Court answer the third question to the effect that, in the context of a doctor-patient relationship, the phrase ‘copy of the personal data undergoing processing’ in Article 15(3) of the GDPR, cannot be interpreted as conferring on the data subject a general right to obtain a full copy of all the documents included in his medical file. That does not exclude the possibility that the controller may need to provide data subjects with a partial or full copy of certain documents. That is the case when a copy of the document is necessary to ensure that the data provided is intelligible, and that the data subject is able to verify that the data provided is complete and accurate.
V. Conclusion
84. In conclusion, I propose that the Court answer the questions referred for a preliminary ruling by the Bundesgerichtshof (Federal Court of Justice, Germany) as follows:
Article 12(5) and Article 15(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as requiring a data controller to provide the data subject with a copy of his or her personal data, even where the data subject does not request the copy for the purposes referred to in recital 63 of the GDPR, but for a different purpose, unrelated to data protection.
Article 23(1) of the GDPR permits national legislation which requires patients seeking copies of their personal data contained in medical records to reimburse the doctors for the costs incurred, provided that the restriction to the right of access is, in the light of all relevant circumstances, necessary and proportionate to the objectives of protecting public health and the doctors’ freedom to conduct business. In particular, it is for the national court to verify that the costs for which doctors may ask for reimbursement from the patients are strictly limited to the actual costs incurred in that regard.
In the context of a doctor-patient relationship, the phrase ‘copy of the personal data undergoing processing’ in Article 15(3) of the GDPR, cannot be interpreted as conferring on the data subject a general right to obtain a full copy of the documents included in his or her medical file. However, the controller is to provide the data subject with a partial or full copy of the documents, when that is necessary to ensure that the data provided is intelligible, and that the data subject is able to verify that the data provided is complete and accurate.
1 Original language: English.
2 Regulation of the European Parliament and of the Council of 27 April 2016 (OJ 2016 L 119, p. 1).
3 The scope of Article 12 of the GDPR is, however, broader than that of Article 15 of the GDPR, since it concerns the controller’s obligations not only under Article 15 but also under other provisions of the same regulation.
4 Paragraphs 1 and 2 thereof (emphasis added).
5 See especially paragraphs 3 and 4 thereof.
6 Paragraph 6 thereof.
7 Paragraph 5 thereof.
8 Paragraph 1 thereof.
9 Paragraph 3 thereof.
10 To that effect, see, by analogy, judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994, paragraph 57).
11 Emphasis added.
12 Likewise, it would be impossible to preclude data subjects from, once the personal data is obtained under the GDPR for data protection purposes, subsequently suing the controller for other purposes.
13 Judgment of 17 July 2014 (C‑141/12 and C‑372/12, EU:C:2014:2081).
14 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31). That directive was repealed with effect from 25 May 2018 by Article 94 of the GDPR.
15 Emphasis added.
16 Emphasis added.
17 In the GDPR, set out in Article 16 thereof.
18 Guidelines adopted on 28 January 2022 and published on its website.
19 As mentioned in point 4 above, that recital states that ‘the right of access to personal data … includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided’. See also Article 4(4), (13) and (15) of the GDPR.
20 As pointed out by the referring court, the purpose for which the applicant in the main proceedings requested access to his or her personal data cannot be considered as giving rise to an ‘abuse of right’ which, according to the settled case-law of the Court, would prevent that applicant from relying on the rights conferred on him or her by EU law. See, inter alia, judgment of 27 October 2022, Climate Corporation Emissions Trading (C‑641/21, EU:C:2022:842, paragraph 39 and the case-law cited).
21 Emphasis added. See also recital 59 of the GDPR.
22 See above, point 7 of this Opinion.
23 The maxim means, literally, ‘from the larger to the smaller’: if you are allowed to do more, a fortiori you can do less.
24 See, for example, the English version (‘Union or Member State law … may restrict by way of a legislative measure’), the German version (‘Durch Rechtsvorschriften der Union oder der Mitgliedstaaten … können … im Wege von Gesetzgebungsmaßnahmen beschränkt werden’), the French version (‘Le droit de l’Union ou le droit de l’État membre … peuvent, par la voie de mesures législatives’), the Italian version (‘Il diritto dell’Unione o dello Stato membro … può limitare, mediante misure legislative’), the Spanish version (‘El Derecho de la Unión o de los Estados miembros … podrá limitar, a través de medidas legislativas’), and the Greek version (‘Το δίκαιο της ένωσης ή του κράτους-μέλους … μπορεί να περιορίζει μέσω νομοθετικού μέτρου’).
25 Similarly, Article 8(2) of the European Convention on Human Rights states that interferences by a public authority with the exercise of the right to respect for private and family life – which, under the Convention, covers aspects of data protection – may be permitted when in accordance with the law and necessary in the interests of, inter alia, ‘the protection of health’.
26 Emphasis added. This is true for the majority of language versions of the regulation.
27 Namely, Article 6(1)(f), Article 13(1)(d) and Article 14(2)(b) of the GDPR. See also the definition of ‘third party’ in Article 4(10) of the GDPR.
28 Similarly, Gawronski, M. (ed.), Guide to the GDPR, Wolters Kluwer, 2019, p. 138.
29 Emphasis added.
30 See, in particular, von Mises, L., Human Action: A Treatise on Economics, Yale University Press, first published in 1949.
31 See, by analogy, judgment of 12 January 2023, TP (Audiovisual editor for public television) (C‑356/21, EU:C:2023:9, paragraphs 73 and 74).
32 See, to that effect, judgment of 6 October 2020, Commission v Hungary (Higher education) (C‑66/18, EU:C:2020:792, paragraphs 178 and 179 and the case-law cited).
33 See above, points 37 and 40 of the Opinion.
34 See judgment of 29 June 2017, Commission v Portugal (C‑126/15, EU:C:2017:504, paragraph 84 and the case-law cited).
35 Opinion in Commission v Poland (C‑601/21, EU:C:2023:151, point 65).
36 Article 6(a) TFEU.
37 See, for example, judgment of 19 October 2016, Deutsche Parkinson Vereinigung (C‑148/15, EU:C:2016:776, paragraph 30 and the case-law cited).
38 In that regard, it is regrettable that the German Government did not submit observations in the present proceedings.
39 C‑487/21, EU:C:2022:1000.
40 Ibid., point 70.
41 Ibid.
42 See, in particular, recitals 39, 58 and Article 5(1)(a) of the GDPR.
43 Article 12(1) of the GDPR.
44 For example, the identity of the laboratory and/or doctor who made the analysis, the type of machine or technique used for the analysis and so forth may at times appear (and possibly is) of little relevance when access is requested, whereas it may later, in some circumstances, turn out to be important for a proper assessment of the data.
45 That may easily happen when, for example, large sets of numerical data are copied.
46 See, for example, ‘Lauterbachs "Turbo"-Plan für digitale Patientenakten’, Frankfurter Allgemeine, 9 March 2023.
© European Union
The source of this judgment is the Europa web site. The information on this site is subject to the information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.