Article 15 GDPR

From GDPRhub
Article 15 - Right of access by the data subject
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text[edit | edit source]

Article 15 - Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Relevant Recitals[edit | edit source]

Recital 58: Modalities for Transparent Information Provision
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 63: Modalities and Scope of Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Commentary on Article 15[edit | edit source]

Article 15 GDPR provides the data subjects the right to access their personal data. The right is divided in three parts: the right to receive confirmation whether personal data is being processed, the right to receive a copy of one’s personal data, and the right to receive additional information on the processing of personal data.

Additionally, the right to access can be considered to be the other side of the coin of the right to be informed from Articles 13 and 14 GDPR. While the right to be informed refers to information about the processing provided a priori and in a general sense, the right to access refers to a more specific information provided a posteriori. As remarked by Ehmann, the right to access is also a first step for the exercise of further rights,[1] as well as a means for data subjects to verify the accuracy of their data and the compliance of the processing with the GDPR (cf. Recital 63 GDPR).[2]

The right to access, as opposed to the obligation to inform from Articles 13 and 14 GDPR – that imposes a proactive obligation to the controller –, requires an action from the data subject, that shall make an request to the controller. This access request does not necessarily need to fulfil any formalities, but rather show clearly the intention of the data subject to access their personal data.[3]

The right to access can only be exercised by the data subjects themselves, as well as by any legal representative of the data subject as regulated by national law, since there is no specific reference about the matter in the GDPR.

The right must be exercised against the controller, who is responsible for its compliance. According to Zanfir-Fortuna, the controller could also have an agreement with the processor, in the form of a data protection agreement or any other type of contract, to directly handle the access request of personal data in the possession of the processor.[4] The access request may also be exercised against any of the joint controllers, in case there is more than one, as both have the same obligations with regards to data subject’s rights, according to Article 36 GDPR.

Pursuant to Article 12(3) GDPR, the controller has to answer the access request “without undue delay and in any event within one month of receipt of the request”. This deadline may be extended two months when the request is complex or when the data subject has exercised multiple rights.[5] Any extension of the deadline must be communicated to the data subject, along for the reasons for it, according to Paragraph 4 of the same Article.

The data subject does not need to justify in any way the reasons for requesting their personal data. The controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to Zanfir-Fortuna, if the data subject requests access to all their personal data, the controller will have to comply with the request.[6] Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.

This is, however, controversial. For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications.[7]

As provided by Recital 64 GDPR and Article 12(6) GDPR, the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[8] However, the controller shall only ask for proof of identity when there is reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.[9] Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.[10]

Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,[11] regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.

The controller must be able to demonstrate compliance, and therefore shall provide the answer in writing. Furthermore, Article 15(3) GDPR specifies that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The provision of electronic means is not, however, an obligation for the controller. Nevertheless, Recital 63 GDPR expressly indicates that, where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to their personal data; therefore, encouraging the controller to facilitate the exercise of access requests.

However, the controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from these controllers when their responses to their requests were delayed constitutes an abuse of the right.[12] Anyhow, and according to the same Article, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

(1) Right to Receive Confirmation and Information[edit | edit source]

Right to Receive Confirmation About the Processing[edit | edit source]

The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. This shall be done even when no personal data is processed, in the form of a negative confirmation. The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means.[13]

Right to Receive Information About the Processing[edit | edit source]

The controller is obliged to provide the data subject certain additional information about the processing contained in Article 15(1)(a) to (h) GDPR. This obligation partially overlaps with the information to be provided under Articles 13 and 14 GDPR. However, it is to be understood that the logic of this provision allows the data subject to ask for a more granular and specific information than the generic information provided under Articles 13 and 14 GDPR. Therefore, the data subject may request specific information about certain processing activities, and shall be entitled to receive a more extensive answer on them, as compared to the already provided information from the mentioned provisions.

The additional information entails, namely: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Regarding the information about recipients and categories of recipients, there is debate on whether the controller shall provide the name of each recipient or rather only the categories of recipients. At the moment, a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.[14]

In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so.[15]

Additionally, it may also be inferred from the wording of Article 19 GDPR (“The controller shall inform the data subject about those recipients if the data subject requests it”) that the legislator intends to enable the data subject to have access to this information, since it is in their interest to know who is processing their personal data.

With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.[16] For further information, please refer to Article 22 GDPR.

(2) Right to Receive Information About the Appropriate Safeguards[edit | edit source]

The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards pursuant to international transfers of data from Article 46 GDPR, where personal data are transferred to a third country or to an international organisation. The EDPB has remarked in this regard the importance of transparency and information provided to the data subjects.[17]

(3) Right to Receive a Copy of the Personal Data[edit | edit source]

According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to Directive 95/46/EC, under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.[18] In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.[19] However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.[20] In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.[21]

Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

(4) Rights and Freedoms of Others[edit | edit source]

Furthermore, according to Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Some examples of possible clashes between rights, as provided by Recital 63 GDPR, may be trade secrets or intellectual property, in particular the copyright protecting the software. This may also be problematic in the case of, e.g., camera footages, in which more than one person may be shown. Nonetheless, as remarked by the recital, this shall not be an excuse to deny the right to access. A solution for this could be blurring the images so other persons are not recognisable on them, as advised by DPAs, for example, when the angle of a camera results in an excessive processing of data, contrary to the minimization principle.[22]

Decisions[edit | edit source]

→ You can find all related decisions in Category:Article 15 GDPR

References[edit | edit source]

  1. Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).
  2. CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin numbers 57 et seqq. (available here https://curia.europa.eu/juris/document/document.jsf?docid=155114&doclang=EN).
  3. Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, p. 9 (available here https://ico.org.uk/media/for-organisations/documents/2619803/right-of-access-1-0-20210520.pdf).
  4. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 461 (Oxford University Press, Oxford, 2020).
  5. Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, pp. 16-17 (available here https://ico.org.uk/media/for-organisations/documents/2619803/right-of-access-1-0-20210520.pdf).
  6. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020).
  7. Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG).
  8. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
  9. Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here https://www.aepd.es/es/documento/td-00013-2021.pdf).
  10. Data Protection Commission, 16 December 2020, Groupon International Limited (available here https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf).
  11. Autoriteit Persoonsgegevens, 29 June 2020, BKR (available here https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:3159).
  12. Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 en AWB 21/890 t/m AWB 897 (available here https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBLIM:2021:2946).
  13. Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710).
  14. Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ba1d6267-c184-4993-b7ed-4347c384b2a8&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210218_OGH0002_0060OB00159_20F0000_000 and summarised here).
  15. WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 37.
  16. Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available here https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=f2a9b55f-02bc-446d-a8fa-4fd931cb1b57&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200908_2020_0_436_002_00).
  17. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, pp. 35-37.
  18. Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here  http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/D9EDB20F259B7F76C2258596003B9748/$file/%CE%9F%CE%9A%CE%A5%CE%A0%CE%A5%20%CE%91%CE%9D%CE%9F%CE%9D%CE%A5%CE%9C%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97.pdf).
  19. Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available here https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:1020).
  20. Rechtbank Gelderland, 28 April 2020, 365592 (available here https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:7103).
  21. LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available here http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&nr=27411).
  22. Cf. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-24FR-2021-sous-forme-anonymisee.pdf).