ECJ, C‑307/22: Advo­ca­te Gene­ral – Right to infor­ma­ti­on also for pre­pa­ra­ti­on of pro­ce­e­dings, but copies of docu­ments only in excep­tio­nal cases

In the Case C‑307/22 Advo­ca­te Gene­ral Emi­li­ou on April 20, 2023 his Opi­ni­on posed. The pro­ce­du­re is based on a Refe­rence for a preli­mi­na­ry ruling from the Ger­man Fede­ral Court of Justi­ce of May 10, 2022.

The back­ground to this is an initi­al­ly suc­cessful lawsu­it filed by a pati­ent who suspec­ted a (den­tal) error in tre­at­ment and the­r­e­fo­re deman­ded that the den­tist pro­vi­de him with free of char­ge, a copy of all medi­cal records con­cer­ning him/her to make available.

Infor­ma­ti­on for non-pri­va­cy purposes?

In doing so, the BGH pre­sen­ted three que­sti­ons, first the following:

Is the first sen­tence of Artic­le 15(3) in con­junc­tion with Artic­le 12(5) [GDPR] to be inter­pre­ted as mea­ning that the con­trol­ler […] is not obli­gedto pro­vi­de the data sub­ject […] with a first copy of his […] per­so­nal data free of char­ge if the data sub­ject does not request the copy for the pur­su­it of the pur­po­ses refer­red to in reci­tal 63, first sen­tence […], […] but ano­ther – pur­po­se that is not rela­ted to data pro­tec­tion, but is legi­ti­ma­te. (here: the exami­na­ti­on of the exi­stence of medi­cal lia­bi­li­ty claims)?

The Advo­ca­te Gene­ral pro­po­ses the fol­lo­wing response:

[…] that Artic­le 12(5) and Artic­le 15(3) of the GDPR must be inter­pre­ted as obliging the con­trol­ler to pro­vi­de the data sub­ject with a copy of his or her per­so­nal data, as fol­lows even thenif the data sub­ject does not use the copy for the pur­po­ses refer­red to in the 63rd reci­tal of the GDPR, but for a other, non-pri­va­cy rela­ted pur­po­se applied for.

The BGH asks about non-pri­va­cy-rela­ted, “but legi­ti­ma­te” pur­po­ses, the Advo­ca­te Gene­ral ans­wers gene­ral­ly for non-pri­va­cy-rela­ted pur­po­ses – but this means litt­le, becau­se fun­da­men­tal­ly ille­gi­ti­ma­te pur­po­ses were not at issue.

It is then under­stan­da­ble that the per­son pro­vi­ding the infor­ma­ti­on is not bound to the pur­po­ses men­tio­ned in reci­tal 63 (awa­re­ness, con­trol of lawful­ness). Howe­ver, the que­sti­on would have been whe­ther a pro­hi­bi­ti­on of abu­se of rights does not app­ly within the frame­work of the GDPR. The Advo­ca­te Gene­ral says not­hing about this – unfort­u­n­a­te­ly or for­t­u­n­a­te­ly. From his state­ments it only emer­ges – but still – that the­re is not per se is said to be abu­si­ve of the right not to pur­sue a data pro­tec­tion-spe­ci­fic purpose.

Reim­bur­se­ment of costs under natio­nal law?

The second que­sti­on refer­red for a preli­mi­na­ry ruling rela­tes to Sec­tion 630g of the Ger­man Civil Code (“Inspec­tion of the pati­ent file”). Accor­ding to this, pati­ents have the right to inspect their pati­ent file. Howe­ver, if a pati­ent wants an elec­tro­nic copy, he or she must pay the costs incur­red. Reim­bur­se costs. The BGH asks whe­ther such a pro­vi­si­on is com­pa­ti­ble with the GDPR.

The Advo­ca­te Gene­ral thinks in prin­ci­ple yes and sug­gests the fol­lo­wing answer:

[…] that a natio­nal rule requi­ring pati­ents who request copies of their per­so­nal data con­tai­ned in pati­ent files to reim­bur­se the doc­tors for the costs incur­red, under Artic­le 23(1) of the GDPR per­mis­si­ble is per­mis­si­ble, pro­vi­ded that the rest­ric­tion of the right to infor­ma­ti­on, taking into account all rele­vant cir­cum­stances with regard to the objec­ti­ves of pro­tec­ting public health and the entre­pre­neu­ri­al free­dom of phy­si­ci­ans is neces­sa­ry and pro­por­tio­na­te. In par­ti­cu­lar, the natio­nal court must deter­mi­ne whe­ther the costs for which phy­si­ci­ans may seek reim­bur­se­ment from pati­ents are strict­ly limi­t­ed to the actual­ly incur­red costs limi­t­ed are.

Entit­le­ment to copy documents?

The third que­sti­on con­cerns the right to request copies of per­so­nal data:

If the cla­im […] in the doc­tor-pati­ent rela­ti­on­ship inclu­des a cla­im to Pro­vi­si­on of copies of all parts of the patient’s file con­tai­ning the patient’s per­so­nal data or is it only on Release of a copy of the patient’s per­so­nal data as such direc­ted, lea­ving it up to the data-pro­ce­s­sing phy­si­ci­an to deci­de how to com­pi­le the data for the pati­ent concerned?

Here the Advo­ca­te Gene­ral says that it is no fun­da­men­tal cla­im docu­ments that con­tain per­so­nal data, that such a right exists, and that the in cer­tain situa­tions but could exist:

[…] not may be inter­pre­ted as con­fer­ring on the data sub­ject a gene­ral right to obtain a Com­ple­te copy of all docu­ments con­tai­ned in their pati­ent file to recei­ve. This does not exclude the pos­si­bi­li­ty that the data con­trol­ler must pro­vi­de data sub­jects with a copy of cer­tain docu­ments, in part or in full. This is the case when a copy of the docu­ment is neces­sa­ry to ensu­re that the data trans­mit­ted are intel­li­gi­ble and that the data sub­ject is able to veri­fy that the data trans­mit­ted are com­ple­te and accu­ra­te are.

Whe­ther the ECJ sees the mat­ter in the same way is open – one way or ano­ther, this result can at most be adopted in part for Switzerland:

  • It goes wit­hout say­ing that the data pro­tec­tion law Right to infor­ma­ti­on only on per­so­nal data direct. The cla­im does not affect docu­ments any more than it does the ser­ver on which the data is stored; both are things that con­tain per­so­nal data but are not.
  • Accor­ding to Art. 16(4) DPA, the “form” of the infor­ma­ti­on must be com­pre­hen­si­ble – so it is the form that is at issue, not the con­tent. This is not a sophism, but also the view of the expl­ana­to­ry report: “If per­so­nal data are stored in a tech­ni­cal formIf the data is deli­ver­ed in a for­mat that is not com­mon, for exam­p­le, in a file for­mat that is not rea­da­ble and/or under­stan­da­ble by the data sub­ject, the data con­trol­ler must be able to pro­vi­de the data sub­ject with the infor­ma­ti­on. sup­ple­men­ta­ry expl­ana­ti­ons to give, for exam­p­le, oral­ly”. If the data pro­tec­tion infor­ma­ti­on comes in a JSON for­mat, the data sub­ject can at best ask for it. This can be seen as such, becau­se an incom­pre­hen­si­ble dis­clo­sure is a non-dis­clo­sure. Howe­ver, an objec­ti­ve stan­dard applies, not sub­jec­ti­ve restrictions.
  • In any case, howe­ver, this does not mean that the per­son respon­si­ble must give the data sub­ject Con­text infor­ma­ti­on must pro­vi­de. If the infor­ma­ti­on is pro­vi­ded in a rea­da­ble for­mat, the duty to pro­vi­de infor­ma­ti­on is basi­cal­ly ful­fil­led. The per­son respon­si­ble then does not have to pro­vi­de any addi­tio­nal expl­ana­ti­ons – unless this is infer­red from the Gene­ral clau­se in Art. 25 Para. 2 nDSG. In this case, howe­ver, the obli­ga­ti­on to explain is not punis­ha­ble becau­se the gene­ral clau­se is far too vague to with­stand the requi­re­ment of certainty.
  • But even if one were to affirm an obli­ga­ti­on to pro­vi­de expl­ana­ti­ons: This would result in a cla­im for neces­sa­ry expl­ana­ti­ons, but still no right to copies of docu­ments also with refe­rence to non-per­so­nal passages.




Rela­ted articles