EU Court of Justice Rules Individuals Have Right To Free Copy Of Medical Records
The judgment is seen as a guiding approach to such requirements
EU Court of Justice Rules Individuals Have Right To Free Copy Of Medical Records
The judgment is seen as a guiding approach to such requirements
The Court of Justice of the European Union (CJEU) has given its verdict in the FT vs. DW (C‑307/22) case, illustrating some key provisions on requests for data subject access.
The case involved a patient, DW, who requested a free copy of his medical records from the dentist, FT. The demand triggered a legal dispute that raised important questions about data access and the rights of individuals.
The patient had received dental treatment and suspected malpractice. When he requested a free first copy of his medical records, the dentist refused citing German national law requiring patients to cover costs for obtaining copies of medical records.
The patient refused to pay, and the initial and appellate Courts, both supported the patient's request citing Articles 12(5), 15(1), and 15(3) of the EU General Data Protection Regulation (GDPR).
Eventually, the matter reached Germany's Federal Court of Justice, (Bundesgerichtshof), which found that the decision hinged on the interpretation of the GDPR and referred the case to the CJEU.
The primary question in the case was whether a controller, herein, a medical practitioner processing patient data, was obligated to offer an individual a free copy of his personal data, even if the reason for the request was not explicitly listed in Recital 63 of the GDPR.
The patient had sought the personal details as evidence to bring legal action against the treatment provider. The approach is common where data subjects make ‘fishing expeditions’ to gain evidence to sue another party they feel aggrieved by. Thus, often controllers feel upset over this.
Recital 63 explains the access right is to be aware of and verify the lawfulness of the processing, not to provide ammunition to sue.
The CJEU considered Articles 12 and 15. Article 12(5) cites that accessing personal data should be cost-free for individuals. Article 15(3) also indicates that a person should not be charged for a copy.
Thus, the Court observed that Recital 63 did not limit the grounds for a request. The GDPR did not require individuals to provide reasons for requesting access to their personal data and controllers were not entitled to seek justification. Transparency was a fundamental principle underpinning the GDPR, and gatekeeping access to personal data for which it was requested, was not permitted.
The Court ruled that the GDPR mandated controllers to provide a free first copy of processed personal data, irrespective of the reason. It did not affect the right to refuse where a request was ‘manifestly unfounded or excessive.’ It, however, added that the argument that individuals should be barred from using an access request to get documents for legal cases instead of using established legal discovery methods did not hold much weight.
Another question before the Court was whether Article 23(1)(i) allowed the legislation (established before the GDPR came into force), to require data subjects to bear the costs for a first copy of their processed personal data. Article 23(1) permitted member states to restrict obligations and rights under the GDPR if such restrictions adhered to the fundamental rights and were necessary to protect the rights and freedoms of others.
The dentist argued that the national legislation requiring a patient to pay for accessing his medical files meant protecting the economic interests of the healthcare providers.
The CJEU stated that while Article 23(1)(i) might apply to the legislation adopted before the GDPR's enforcement, it did not require people to pay for the first copy of their processed personal data to protect the controller's economic interests.
The third important question explored by the CJEU was the interpretation of Article 15(3) and the nature of access a patient could have to his medical records. Specifically, whether he was entitled to complete medical records or just the data summary.
The CJEU emphasized that Article 15(3) ensured that individuals receive an accurate reproduction of their personal data. The term ‘copy’ in the GDPR did not refer to the physical document but the comprehensive complete personal data. The intent was to allow such access to ensure the data was correct and lawfully processed. Therefore, patients should receive an accurate and clear copy of all records. A controller must provide entire documents, as providing a summary could risk missing or misrepresenting crucial information, making it difficult for a patient to verify and understand the details.
The Court explained that the requirement was contextual. While in some cases, the reproduction of extracts from documents may be enough, in others, total data was required. The need was to provide a factual reproduction. Recital 63 specifically covered medical information, so it was necessary to provide direct source material for diagnoses, examination results, doctor evaluations, and treatments.
The CJEU clarified that individuals have the right to a free initial copy of their personal data regardless of the purpose. The legislation imposing fees on first-time access to medical records would not be allowed. The patients were entitled to not just a summary, but a comprehensive reproduction of their medical documents.