THE BOTTOM LINE
- Data Access Requests (DSARs) Just Got More Demanding: Companies can no longer satisfy a GDPR “right to a copy” request with a simple summary of a customer’s personal data. You must be prepared to provide a full, faithful, and intelligible reproduction of the actual data you hold.
- “Raw Data” Is Personal Data: Data generated by user activity, such as telematics from a car, detailed journey logs, or driving style scores, is unequivocally personal data. Arguing it is merely “raw” or “technical” data will not hold up.
- Urgent Review of Data Processes Needed: This ruling impacts any business model built on user data analytics, from dynamic insurance pricing and e-commerce profiling to IoT devices. CEOs and legal teams must now re-evaluate their technical ability and internal processes for extracting and providing complete data copies to customers.
THE DETAILS
The case was brought before the Court of Justice of the European Union (CJEU) by a customer of a German car insurance company, HUK-Coburg. The customer had a “telematics” policy, where a smartphone app tracked his driving behaviour—including acceleration, braking, and speed—to calculate a bonus or penalty on his premium. When the customer exercised his right of access under the GDPR and requested a copy of his personal data, the insurer provided a summary but refused to hand over the detailed journey logs and raw driving style data, arguing it was not essential.
The Court’s judgment provides a crucial clarification on Article 15(3) of the GDPR. It ruled that the term “copy” must be interpreted literally. It means a faithful and intelligible reproduction of all personal data undergoing processing. The goal is to enable the data subject to fully exercise their rights to rectify or erase data, or to restrict its processing. A mere summary or general description is insufficient. This places a significant operational burden on companies to ensure they can produce an exact replica of the data for the individual who requests it.
Crucially, the CJEU’s reasoning reinforces the broad scope of what constitutes “personal data.” The Court confirmed that data points like the time of journeys, distances covered, and scores assigned to driving styles are personal data because they are linked to an identifiable person. The purpose for which the data is processed—in this case, calculating an insurance premium—does not change its fundamental nature as personal data. This decision signals that controllers cannot arbitrarily decide which data points are “relevant” to a user’s request; if it’s being processed and it’s linked to them, they have a right to a copy of it.
SOURCE
Court of Justice of the European Union
