Article 15 GDPR: Difference between revisions

From GDPRhub
(style consistency)


==Commentary==
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness concerning any relevant processing operation, exercising practical control over their data and checking the accuracy and lawfulness of data processing. Such information – a prerequisite to the exercise of data subjects' GDPR rights (rectification, erasure, restriction, etc.)<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).</ref> – is a key principle of the entire data protection framework<ref>CJEU, Case C-553/07, ''College van burgemeester en wethouders van Rotterdam v. M.E.E. Rijkeboer'', §§ 51–52. See also, CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin number 57.</ref> and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not data processing is taking place, what the actual processing operations are, as well as full access to the data undergoing processing.
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing. Such information – a prerequisite to exercising data subjects' GDPR rights (rectification, erasure, restriction, etc.)<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).</ref> – is a key principle of the entire data protection framework<ref>CJEU, Case C-553/07, ''College van burgemeester en wethouders van Rotterdam v. M.E.E. Rijkeboer'', 7 May 2009, margin numbers 51–52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=74028&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]). See also, CJEU, Joined Cases C-141/12 and C-372/12, ''YS and Others'', 17 July 2014, margin number 57 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=155114&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]).</ref> and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not data is being processed, what the actual processing operations are, as well as full access to the data undergoing processing.
===(1) The Right of Access===
Under Article 15(1) GDPR, the right of access includes three components: (i) the right to obtain from the controller confirmation as to whether data concerning him or her are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the list under Article 15(1)(a-h).
The right of access under Article 15(1) GDPR includes three components: (i) the right to obtain confirmation from the controller as to whether data concerning them are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the list under Article 15(1)(a-h) GDPR.  


The request by which the data subject or another duly authorised person exercises the right of access does not require any formality.<ref>See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 21: "''As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller''". </ref> The data subject may define the scope of their request<ref>In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of their data or only some elements of the list in Article 15(1)(a-h) GDPR.</ref> and does not need to outline the reasons behind it, nor does the controller have any power to assess such reasons.<ref>As the EDPB puts it, "''controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 9</ref> If the request is unclear and a large amount of data is being processed, the controller may, however, ask the data subject to specify what processing activities the request relates to (Recital 63 GDPR). 
Nonetheless, if the data subject requests access to all their personal data, the controller will have to comply with the request.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.</ref> The above is confirmed by the EDPB,<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 15.</ref> so differing interpretations do not seem correct.<ref>For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]). </ref>
The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 21 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]): "''As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller''".</ref> The data subject may define the scope of their request<ref>In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of their data or only some elements of the list in Article 15(1)(a-h) GDPR.</ref> and does not need to outline the reasons behind it. Even if they did, the controller is not entitled to assess those reasons.<ref>As the EDPB puts it, "''controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 9 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> However, if the request is unclear and a large amount of data is being processed, the controller may ask the data subject to specify what processing activities the request relates to (Recital 63 GDPR). If the data subject nonetheless requests access to all their personal data, the controller has to provide this information,<ref>''Zanfir-Fortuna'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.</ref> as confirmed by the EDPB<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 21 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> and national courts.<ref>For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]).</ref>  


Under [[Article 12 GDPR|Article 12(6) GDPR]], the controller shall also take any necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).</ref> However, the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email address from which they provided their personal data in the first place, there shall be no doubt as to their identity.<ref>Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available [https://www.aepd.es/es/documento/td-00013-2021.pdf here]). </ref> Requiring disproportionate information to authenticate the data subject's identity violates the data minimisation principle, since in many cases the data requested for it, such as a copy of an ID, would not be necessary.<ref>Data Protection Commission, 16 December 2020, Groupon International Limited (available [https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf here]). </ref>
Under [[Article 12 GDPR|Article 12(6) GDPR]], where the controller has reasonable doubts about the identity of the person making the request, it may ask for the additional information necessary to confirm that identity, since the disclosure of personal data to a different person could qualify as a data breach.<ref>''Zanfir-Fortuna'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).</ref> However, the controller shall not use this possibility to hinder the exercise of the right of access: additional information may only be requested where there is a genuine, reasonable doubt. For example, when the data subject sends an access request from the same email address they used when first providing their personal data, the controller has no reasonable ground to doubt their identity.<ref>Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available [https://www.aepd.es/es/documento/td-00013-2021.pdf here]).</ref> A controller that requires disproportionate information from data subjects to identify them violates the data minimisation principle, as the requested data (e.g. a copy of an ID) would not be strictly necessary in many cases.<ref>Data Protection Commission, 16 December 2020, Groupon International Limited (available [https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf here]).</ref>
 
Hindering the exercise of the right of access amounts to a violation of the GDPR,<ref>Autoriteit Persoonsgegevens, 29 June 2020, BKR (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:3159 here]).</ref> regardless of the way in which it is carried out, e.g. by charging a fee for access to the data or for a copy of it, or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise and shall not entail any unnecessary burden.


Hindering the exercise of the right of access amounts to a violation of the GDPR,<ref>Autoriteit Persoonsgegevens, 30 July 2019, BKR (available [https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/besluit_bkr_30_juli_2019.pdf here]).</ref> regardless of the way in which it is carried out (e.g. charging a fee for access to the data or a copy thereof; obliging the data subject to exercise the right via a complicated procedure or means; etc.). The right should be free to exercise and should not entail any unnecessary burden.
====Right to Receive Confirmation About the Processing====
The first step in exercising the right of access consists of the right to receive a confirmation about whether one’s own personal data are being processed. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 35.</ref> The controller should respond even if no personal data is processed, in the form of a negative confirmation.<ref>The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless of whether it is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide an answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710 here]). </ref>   
The first step in exercising the right of access consists of the right to receive a confirmation about whether one’s personal data are being processed. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 35 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> The controller should respond with a (negative) confirmation even if no personal data are processed.<ref>The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless of whether it is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide an answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710 here]).</ref>   


==== Right to Receive Information About the Processing ====
Under Article 15(1)(a) to (h) GDPR the controller is obliged to provide the data subject with certain additional information about the processing.<ref>The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in [https://gdprhub.eu/index.php%3Ftitle=Article_22_GDPR Article 22(1) and (4) GDPR] and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.</ref> This information is different from that provided through the privacy policies under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]].<ref>Under Article 13, for example, the controller must provide a description of what it intends to do ''after'' obtaining the user data: (c) purposes of the processing for which personal data are ''intended''; (e) recipients or categories of recipients, ''if any''; (f) the fact that the controller ''intends'' to transfer personal data; (2)(e) ''possible'' consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's intentions, but to what the controller actually does with the previously received data: (1)(a) purpose of the processing; (1)(b) categories of personal data ''concerned''; (1)(c) recipients or categories of recipients to whom the personal data ''have been disclosed or will be disclosed''. These are two very different pieces of information. The former gives a rough indication of what is going to happen, while the latter provides a specific indication of what is happening with the personal data. Interestingly, when providing for an "''overview'' ''of the intended processing''”, Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.</ref> It must be precise and tailored to the specific position of the data subject.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 36.</ref>
Under Article 15(1)(a) to (h) GDPR, the controller is obliged to provide the data subject with certain additional information about the processing.
 
The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This information must be precise and tailored to the specific position of the data subject,<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 36 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> and is different from that provided under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]].<ref>Under Article 13, for example, the controller must provide a description of what it intends to do ''after'' obtaining the user data: (c) purposes of the processing for which personal data are ''intended''; (e) recipients or categories of recipients, ''if any''; (f) the fact that the controller ''intends'' to transfer personal data; (2)(e) ''possible'' consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's intentions, but to what the controller actually does with the previously received data: (1)(a) purpose of the processing; (1)(b) categories of personal data ''concerned''; (1)(c) recipients or categories of recipients to whom the personal data ''have been disclosed or will be disclosed''. These are two very different pieces of information. The former gives a rough indication of what is going to happen, while the latter provides a specific indication of what is happening with the personal data. Interestingly, when providing for an "''overview'' ''of the intended processing''”, Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.</ref>
 
Under Article 15(1)(a), the controller must communicate the individual data processing purposes pursued in respect of a given data subject. This provision does not contain an obligation to mention the legal basis tied to each single purpose. However, such information should nevertheless be included, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 36 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>  


Under Article 15(1)(a), the controller must communicate the individual data processing purposes pursued in respect of a given data subject. This provision does not contain an obligation to mention the legal basis tied to each single purpose. However, such information should nevertheless be included, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 36.</ref>
Article 15(1)(b) requires controllers to disclose the categories of personal data involved in the processing. In accordance with the data minimisation and transparency principles, such categories should be specifically listed and linked to the specific purpose. Data subjects have the right to know which categories of data concerning them are processed, and a purpose-by-purpose listing lets them spot processing that exceeds what the purpose requires: for example, an e-commerce website has no reason to process data relating to its customers' political preferences, and such processing would become visible in the list of categories.  


Article 15(1)(b) requires controllers to disclose the categories of personal data involved in the processing. In accordance with the data minimisation and transparency principles, such categories should be specifically listed and linked to the specific purpose.
Article 15(1)(c) GDPR requires the controller to disclose information about recipients or categories of recipients to whom the personal data have been or will be disclosed. The wording of the provision has led to debate on whether controllers have to name each recipient or only the categories of recipients. Controllers tend to opt for the latter, with the effect that they only describe general categories of recipients that may already have been mentioned in their privacy policies.  


<u>Example</u>: the data subject has the right to know which categories of data concerning him or her are processed. For example, an e-commerce website should not process data relating to the political preferences of the data subject.
However, this approach does not seem correct.  


Article 15(1)(c) GDPR requires the controller to disclose information about recipients or categories of recipients to whom the personal data have been or will be disclosed. The wording of the provision has fed a debate on whether the controller shall provide the name of each recipient or rather only the categories of recipients. Controllers tend to omit the specific indication of recipients, preferring to opt for the more generic option, in which they only describe general categories of recipients that may already have been mentioned in the privacy policies.  
First, it contradicts the essential purpose of the right of access because it does not allow the data subject to "''be aware of, and verify, the lawfulness of the processing''" (Recital 63). In this regard, the WP29, in its Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information includes the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. Given the more specific nature of Article 15, this may be interpreted as an obligation on controllers to disclose the names of the particular recipients if the data subject so requests.<ref>See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 37 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref>


This line of action, however, does not seem correct. First, it contradicts the essential purpose of the right of access because it does not allow the data subject to "''be aware of, and verify, the lawfulness of the processing''" (Recital 63).<ref>In this regard, the WP29, in its Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information includes the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. Given the more specific nature of Article 15, this may be interpreted as an obligation on controllers to disclose the names of the particular recipients if the data subject so requests. See, WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, [https://ec.europa.eu/newsroom/article29/items/622227 p. 37]. </ref> Second, it is at odds with the clear wording of [[Article 19 GDPR]], which requires the controller to “''inform the data subject about'' [the specific] ''recipients if the data subject requests it''”.<ref>Under Article 19 GDPR, the controller's obligation to notify the various recipients applies unless it is impossible or requires a disproportionate effort. This exception, however, does not extend to the obligation to inform the data subject about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).</ref> Whilst the EDPB seems to share these arguments,<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 37.</ref> at the moment, the question remains open and a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients).<ref>Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ba1d6267-c184-4993-b7ed-4347c384b2a8&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210218_OGH0002_0060OB00159_20F0000_000 here] and summarised [[OGH - 6Ob159/20f|here]]). </ref>
Second, it is at odds with the clear wording of [[Article 19 GDPR]], which requires the controller to “''inform the data subject about'' [the specific] ''recipients if the data subject requests it''”.<ref>Under Article 19 GDPR, the controller's obligation to notify the various recipients applies unless it is impossible or requires a disproportionate effort. This exception, however, does not extend to the obligation to inform the data subject about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).</ref> Whilst the EDPB seems to share this argument,<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 37 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> at the time of writing the question remained open, with a preliminary ruling pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients).<ref>Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ba1d6267-c184-4993-b7ed-4347c384b2a8&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210218_OGH0002_0060OB00159_20F0000_000 here] and summarised [https://gdprhub.eu/OGH%20-%206Ob159/20f here]).</ref> The CJEU has since answered that reference in Case C-154/21, ''RW v Österreichische Post AG'', 12 January 2023: where the data subject so requests, the controller must identify the recipients by name, unless it is impossible to identify them or the request is manifestly unfounded or excessive.


<u>Example</u>: in its privacy policy a data controller affirms that the user's personal data can be passed on to “''commercial'' ''partners and travel agencies''”. This information, which is in principle acceptable for a privacy policy, is greatly insufficient in the context of an access request. For instance, it does not say anything about the geographical location of such partners, making it impossible to verify the lawfulness of the transfer under Article 44 GDPR.
Example: In its privacy policy, a data controller affirms that the user's personal data can be passed on to “''commercial'' ''partners and travel agencies''”. This information, which is in principle acceptable for a privacy policy, is greatly insufficient in the context of an access request. For instance, it does not say anything about the geographical location of these partners, making it impossible to verify the lawfulness of the data transfer under Article 44 GDPR.  


Under Article 15(1)(d) the controller must provide information relating to the time of processing. In such circumstances, the information must enable the user to understand how long a particular piece of information may be held by the controller.  
Under Article 15(1)(d), the controller must provide information relating to the time of processing. This information must enable the user to understand how long their data may be held by the controller.  


The information required under Article 15(1)(e) GDPR (existence of the right to rectification, erasure or restriction) must not be a mere stylistic exercise. Rather, it must be tailored to the specific position of the data subject and refer to the ongoing processing operations. Conversely, information on the possibility to lodge a complaint (Article 15(1)(f) GDPR) does not require any kind of personalisation.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 38.</ref>
The information required under Article 15(1)(e) GDPR (existence of the right to rectification, erasure or restriction) must not be a mere stylistic exercise. Rather, it must be tailored to the specific position of the data subject and refer to the ongoing processing operations. Conversely, information on the possibility to lodge a complaint (Article 15(1)(f) GDPR) does not require any kind of personalisation.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 38 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>


A high degree of specificity is required in relation to the sources from which the controller has obtained the data. Under Article 15(1)(g) GDPR, "''where the personal data are not collected from the data subject''", controllers have to provide "''any available information as to their source''".<ref>Controllers may only receive data from sources which themselves process personal data lawfully. Otherwise, a controller could collect personal information from unauthorised entities without having to account for the legitimacy of the source, which would encourage an unacceptable personal data black market.</ref>


Article 15(1)(h) provides that every data subject should have the right to be informed, in a meaningful way, inter alia, about the existence and underlying logic of automated decision-making including profiling concerning the data subject and about the significance and the envisaged consequences that such processing could have. With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under [[Article 22 GDPR|Article 22(1) and (4) GDPR]]. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.<ref>Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=f2a9b55f-02bc-446d-a8fa-4fd931cb1b57&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200908_2020_0_436_002_00) here]). </ref> For further information, please refer to [[Article 22 GDPR]]. According to the EDPB, "''If possible, information under Art. 15(1)(h) has to be more specific in relation to the reasoning that lead to specific decisions concerning the data subject who asked for access''".<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 38.</ref>
Article 15(1)(h) provides that every data subject has the right to be informed in a meaningful way about, inter alia, the existence and underlying logic of automated decision-making, including profiling concerning the data subject, as well as the significance and envisaged consequences of such processing. With respect to automated decision making, the Austrian DPA has held that the right of access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under [[Article 22 GDPR|Article 22(1) and (4) GDPR]]. Additionally, the DPA in the same decision stated that the protection of a trade secret forms an exception to the complainant's right to obtain such information.<ref>Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available [https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20200908_2020_0_436_002_00/DSBT_20200908_2020_0_436_002_00.rtf here]). For more information, see [https://gdprhub.eu/Article%2022%20GDPR Article 22 GDPR].</ref> According to the EDPB, "[i]''f possible, information under Art. 15(1)(h) has to be more specific in relation to the reasoning that lead to specific decisions concerning the data subject who asked for access''".<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 39 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref>


=== (2) Right to Receive Information About the Appropriate Safeguards ===
The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards pursuant to international transfers of data from [[Article 46 GDPR]], where personal data are transferred to a third country or to an international organisation. The EDPB has remarked in this regard the importance of transparency and information provided to the data subjects.<ref>EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, [https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf pp. 35-37].</ref>
The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards under [[Article 46 GDPR]] relating to the transfer, where personal data are transferred to a third country or to an international organisation. The EDPB has stressed in this regard the importance of transparency and of the information provided to data subjects.<ref>EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, [https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf pp. 35-37].</ref>


=== (3) Right to Receive a Copy of the Personal Data ===

Revision as of 12:37, 25 April 2022

Article 15 - Right of access by the data subject

Legal Text


Article 15 - Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Relevant Recitals

Recital 58: Modalities for Transparent Information Provision
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 63: Modalities and Scope of Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Commentary

The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing. Such information – a prerequisite to exercising data subjects' GDPR rights (rectification, erasure, restriction, etc.)[1] – is a key principle of the entire data protection framework[2] and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not data is being processed, what the actual processing operations are, as well as full access to the data undergoing processing.

(1) The Right of Access

The right of access under Article 15(1) GDPR includes three components: (i) the right to obtain confirmation from the controller as to whether data concerning them are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the list under Article 15(1)(a-h) GDPR.

The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.[3] The data subject may define the scope of their request[4] and does not need to give reasons for it. Even if they do, the controller is not entitled to assess those reasons.[5] However, if the request is unclear and a large amount of data is being processed, the controller may ask the data subject to specify which processing activities the request relates to (Recital 63 GDPR). If the data subject nonetheless requests access to all their personal data, the controller has to provide this information,[6] as confirmed by the EDPB[7] and national courts.[8]

Under Article 12(6) GDPR, the controller may, where it has reasonable doubts, request the additional information necessary to confirm the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[9] However, the controller shall not use this requirement to hinder the exercise of the right of access. For example, when the data subject sends an access request from the same email address they used when first providing their personal data, there can be no doubt as to their identity.[10] A controller that requires disproportionate information from data subjects to identify them violates the data minimisation principle, as the requested data (e.g. a copy of an ID) would not be strictly necessary in many cases.[11]

Hindering the exercise of the right of access amounts to a violation of the GDPR,[12] regardless of the way in which it is carried out (e.g. charging a fee for access to the data or a copy thereof; obliging the data subject to exercise the right via a complicated procedure or means; etc.). The right should be both free to exercise and not entail any unnecessary burden.

Right to Receive Confirmation About the Processing

The first step in exercising the right of access consists of the right to receive confirmation as to whether one's personal data are being processed. The search for personal data should be performed across all paper and electronic records where personal data are processed, including the controller's back-up systems.[13] The controller should respond with a confirmation even if no personal data are processed.[14]

Right to Receive Information About the Processing

Under Article 15(1)(a) to (h) GDPR, the controller is obliged to provide the data subject with certain additional information about the processing.

The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This information must be precise and tailored to the specific position of the data subject,[15] and is different from that provided under Articles 13 and 14 GDPR.[16]

Under Article 15(1)(a), the controller must communicate the individual data processing purposes pursued for a given user. This provision does not contain an obligation to mention the legal basis tied to each single purpose. However, such information should nevertheless be included, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.[17]

Article 15(1)(b) requires controllers to disclose the categories of personal data involved in the processing. In accordance with the data minimisation and transparency principles, such categories should be specifically listed and linked to the specific purpose. This allows data subjects to check which categories of data are processed about them and to spot processing that is excessive for the stated purpose: an e-commerce website, for example, has no reason to process data relating to its customers' political preferences.

Article 15(1)(c) GDPR requires the controller to disclose information about recipients or categories of recipients to whom the personal data have been or will be disclosed. The wording of the provision has led to debate on whether controllers have to name each recipient or only the categories of recipients. Controllers tend to opt for the latter, with the effect that they only describe general categories of recipients that may already have been mentioned in their privacy policies.

However, this approach does not seem correct.

First, it contradicts the essential purpose of the right of access because it does not allow the data subject to "be aware of, and verify, the lawfulness of the processing" (Recital 63). In this regard, the WP29, in its Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information includes the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject so requests.[18]

Second, it is at odds with the clear wording of Article 19 GDPR, which requires the controller to “inform the data subject about [the specific] recipients if the data subject requests it”.[19] Whilst the EDPB seems to share this argument,[20] at the moment the question remains open. Indeed, a preliminary ruling is currently pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients).[21]

Example: In its privacy policy, a data controller affirms that the user's personal data can be passed on to “commercial partners and travel agencies”. This information, which is in principle acceptable for a privacy policy, is greatly insufficient in the context of an access request. For instance, it does not say anything about the geographical location of these partners, making it impossible to verify the lawfulness of the data transfer under Article 44 GDPR.

Under Article 15(1)(d), the controller must provide information relating to the time of processing. This information must enable the user to understand how long their data may be held by the controller.

The information required under Article 15(1)(e) GDPR (existence of the right to rectification, erasure or restriction) must not be a mere stylistic exercise. Rather, it must be tailored to the specific position of the data subject and refer to the ongoing processing operations. Conversely, information on the possibility to lodge a complaint (Article 15(1)(f) GDPR) does not require any kind of personalisation.[22]

A high degree of specificity is required in relation to the sources from which the controller has obtained the data. Under Article 15(1)(g) GDPR, "where the personal data are not collected from the data subject", controllers have to provide "any available information as to their source".[23]

Article 15(1)(h) provides that every data subject has the right to be informed in a meaningful way about, inter alia, the existence and underlying logic of automated decision-making, including profiling concerning the data subject, as well as the significance and envisaged consequences of such processing. With respect to automated decision making, the Austrian DPA has held that the right of access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. Additionally, the DPA in the same decision stated that the protection of a trade secret forms an exception to the complainant's right to obtain such information.[24] According to the EDPB, "[i]f possible, information under Art. 15(1)(h) has to be more specific in relation to the reasoning that lead to specific decisions concerning the data subject who asked for access".

(2) Right to Receive Information About the Appropriate Safeguards

The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards under Article 46 GDPR relating to the transfer, where personal data are transferred to a third country or to an international organisation. The EDPB has stressed in this regard the importance of transparency and of the information provided to data subjects.[25]

(3) Right to Receive a Copy of the Personal Data

Article 15(3) GDPR operationalises the second component of the right of access, which is the right to access the data by obtaining a copy of all personal data undergoing processing.

The scope of the provision - and thus the breadth of the copy - coincides with the definition of personal data in Article 4(1) GDPR. According to the EDPB's recent position on this point, this includes, among others: special categories of personal data under Article 9 GDPR; personal data relating to criminal convictions and offences under Article 10 GDPR; data knowingly and actively provided by the data subject (e.g. account data submitted via forms, answers to a questionnaire); observed data or raw data generated through the data subject's use of the service or device (data processed by connected objects, transaction history, activity logs such as access logs, history of website usage, search activities, location data, clicking activity, unique aspects of a person's behaviour such as handwriting, keystrokes, or a particular way of walking or speaking); data derived from other data rather than directly provided by the data subject (e.g. credit ratio, classification based on common attributes of data subjects, country of residence derived from postcode); data inferred from other data rather than directly provided by the data subject (e.g. a credit score, results produced to comply with anti-money laundering rules, algorithmic results, results of a health assessment or of a personalisation or recommendation process); and pseudonymised data, as opposed to anonymised data.[26]

This authoritative interpretation should help to settle the debate that has emerged, mainly in case law, on what is to be considered personal data and is therefore included in the copy under Article 15(3).[27] In order to be included in the copy, the data must be undergoing processing. Accordingly, it is not possible to request personal data that do not already exist and would have to be generated specifically, such as a detailed medical report.[28]

The second sentence of Article 15(3) regulates cases where the data subject requests a further copy of their personal data. In such circumstances the controller may charge a reasonable fee based on administrative costs. If the controller decides to do so, it "should indicate the amount of costs it is planning to charge to the data subject in order to give the data subject the possibility to determine whether to maintain or to withdraw the request".[29]

(4) Limits

The right of access is subject to the limits that result from Art. 15(4) GDPR (rights and freedoms of others) and Art. 12(5) GDPR (manifestly unfounded or excessive requests). Furthermore, Union or Member State law may restrict the right of access in accordance with Art. 23 GDPR. Derogations regarding the processing of personal data for scientific or historical research or statistical purposes, or for archiving purposes in the public interest, can be based on Art. 89(2) and Art. 89(3) GDPR respectively, and for processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression on Art. 85(2) GDPR.

Rights and Freedoms of Others

Under Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Examples of possible clashes between rights are trade secrets or intellectual property, in particular the copyright protecting software (Recital 63). Conflicts may also arise with, e.g., camera footage in which more than one person is shown. Nonetheless, as the recital makes clear, this shall not be an excuse to deny the right of access. A solution in the case of footage could be blurring the images so that other persons are not recognisable, as DPAs have advised, for example, where the angle of a camera results in excessive processing of data contrary to the minimisation principle.[30]

Other Limits

The controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from those controllers when their responses were delayed constitutes an abuse of the right.[31] In any event, under the same Article, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

Decisions

→ You can find all related decisions in Category:Article 15 GDPR

References

  1. Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).
  2. CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, 7 May 2009, margin numbers 51–52 (available here). See also, CJEU, Joined Cases C-141/12 and C-372/12, YS and Others, 17 July 2014, margin number 57 (available here).
  3. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 21 (available here): "As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller".
  4. In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.
  5. As the EDPB puts it, "controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 9 (available here).
  6. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.
  7. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 21 (available here).
  8. For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
  9. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
  10. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
  11. Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
  12. Autoriteit Persoonsgegevens, 30 July 2019, BKR (available here).
  13. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 35 (available here).
  14. The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless of whether it is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide an answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
  15. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 36 (available here).
  16. Under Article 13, for example, the controller must provide a description of what it intends to do after obtaining the user data: (c) purposes of the processing for which the personal data are intended; (e) recipients or categories of recipients, if any; (f) the fact that the controller intends to transfer personal data; (2)(e) possible consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's intentions, but to what the controller actually does with the previously received data: (1)(a) purposes of the processing; (1)(b) categories of personal data concerned; (1)(c) recipients or categories of recipients to whom the personal data have been or will be disclosed. These are two very different pieces of information. The former gives a rough indication of what is going to happen, while the latter provides a specific indication of what is happening with the personal data. Interestingly, when providing for an "overview of the intended processing", Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.
  17. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 36 (available here).
  18. See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 37 (available here).
  19. Under Article 19 GDPR, the controller's obligation to notify the various recipients applies unless this proves impossible or involves disproportionate effort. This clause, however, does not extend to the obligation to inform the data subject about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).
  20. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 37 (available here).
  21. Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available here and summarised here).
  22. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 38 (available here).
  23. Controllers can only receive data from trusted sources which lawfully process personal data. Otherwise, a controller could collect personal information from unauthorised entities without having to give any account of the legitimacy of such a source, which would encourage an unacceptable black market in personal data.
  24. Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available here). For more information, see Article 22 GDPR. According to the EDPB, "[i]f possible, information under Art. 15(1)(h) has to be more specific in relation to the reasoning that lead to specific decisions concerning the data subject who asked for access". See EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 39 (available here).
  25. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, pp. 35-37.
  26. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’ (Version for open consultation), 18 January 2022, p. 14. The Board also points out that "the right of access includes both inferred and derived data, including personal data created by a service provider, whereas the right to data portability only includes data provided by the data subject. Therefore, in case of an access request and unlike a data portability request, the data subject should be provided not only with personal data provided to the controller in order to make a subsequent analysis or assessment about these data but also with the result of any such subsequent analysis or assessment" (p. 15).
  27. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since their accuracy cannot be verified (Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207, available here). However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees which contain name, address and information about the interviews themselves, but also information about the data subject's non-verbal communication and use of voice, notes on their answers to specific questions and on how these answers change over time, reflect aspects of the data subject's personality and way of thinking, and are hence personal data to be provided under Article 15 GDPR. In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right of access includes information about personal performance and behavioural data in the possession of the employer (LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18, available here).
  28. Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
  29. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’ (Version for open consultation), 18 January 2022, p. 14.
  30. Cf. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).
  31. Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 and AWB 21/890 to AWB 897 (available here).