Scope of the obligation to provide «a copy of the personal data undergoing processing» (Article 15(3) GDPR).

#EDPB in draft #Guidelines 01/2022 attempted to clarify the scope of the controller’s obligation to provide «a copy of the personal data undergoing processing» (Article 15(3) #GDPR).

What Article 15(3) implies by «a copy» – has long been a controversial issue, while approaches varied across #EU Member States. Below are some examples:

#Germany: there have been contradictory views as to how the term “copy” should be understood – i.e. whether it should be literally a copy or just summary (

#Austria: GDPR (Article 15(3)) does not grant a right of access to files or documents. However, the content of documents may qualify as personal data. Providing copies of personal data stored within a document will often be the easiest option by redacting superfluous information and providing the document to the applicant (

More insights can be obtained from the #IAPP article –

Now, EDPB seems to take a so-called ‘fit-for-purpose’ approach to how the notion of ‘copy’ should be understood.

Para 23, 25 of the draft Guidelines 01/2022 say that a right to obtain a copy refers ‘not necessarily to a reproduction of the original documents’ and ‘that the information on the personal data concerning the person who makes the request is provided to the data subject in a way which allows the data subject to retain all of the information and to come back to it’.

Further to this, para 150 stipulates that ‘an obligation to provide the data subject with a copy of the personal data undergoing processing […] does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents. Such copy of the personal data could be provided through a compilation containing all personal data covered by the right of access as long as the compilation makes it possible for the data subject to be made aware and verify the lawfulness of the processing’.

In other words, against this purpose, ‘it is the responsibility of the controller to decide upon the appropriate form in which the #personaldata will be provided’.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.