Article 15 GDPR: Difference between revisions
(44 intermediate revisions by 11 users not shown) | |||
Line 185: | Line 185: | ||
==Legal Text== | ==Legal Text== | ||
<center>'''Article 15 - Right of access by the data subject'''</center><span id="1">1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:</span> | <br /><center>'''Article 15 - Right of access by the data subject'''</center> | ||
<span id="1">1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:</span> | |||
::<span id="1a">(a) the purposes of the processing;</span> | ::<span id="1a">(a) the purposes of the processing;</span> | ||
Line 205: | Line 207: | ||
{{Recital/58 GDPR}}{{Recital/59 GDPR}}{{Recital/63 GDPR}}{{Recital/64 GDPR}} | {{Recital/58 GDPR}}{{Recital/59 GDPR}}{{Recital/63 GDPR}}{{Recital/64 GDPR}} | ||
==Commentary on Article 15== | ==Commentary== | ||
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and | The right to access has been a core element of the right to data protection and is, for example, already established in Convention 108 from 1981. Just like the general principle of transparency in [[Article 5 GDPR|Article 5(1)(a) GDPR]], the active information under [[Article 13 GDPR|Article 13]] and [[Article 14 GDPR|14 GDPR]] and many other transparency provisions, the right to access is meant to overcome "informational imbalance". | ||
The right to access is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that the right to access is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR. | |||
==== Passive ''ex-post'' information about the personal data of the specific data subject ==== | |||
As a "passive" right to information, that must only be granted if a data subject makes a request, it is meant to provide more detailed and specific information on an ''ex-post'' basis, compared to the often more generic ''ex-ante'' information under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]]. | |||
In other words: the right to information under [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]] provides (generic) forward-looking information on expected or possible processing - usually in a uniform way for all users of the service - which must be provided proactively by the controller. The right to information is therefore naturally more generic and less precise. The right to access, however, allows the data subject to get information on the actual processing of his or her specific personal data and his or her specific situation, which not only enables the data subject to exercise his or her rights (see especially Articles 16 to 22 GDPR) but also allows him or her to check whether the controller has complied with the ''ex-ante'' information provided under [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14 GDPR]]. | |||
<u>EDPB</u>: Pursuant to Article 12(2) GDPR, the response by the controller on those rights shall be individually tailored to the case of the data subject and relate to the processing operations concerned. Information on rights that are not applicable for the data subject in the specific situation should be avoided.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 40 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> | |||
While the wording of [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14 GDPR]] and Article 15(1) GDPR often overlaps, the controller has a different obligation under Article 15 GDPR to include the ''ex-post'' information about concrete, actual processing. If the information under [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14 GDPR]] and Article 15 GDPR were the same information, Article 15(1) GDPR would be largely deprived of any meaning. This also means that the common practice of just referring to the information under [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14 GDPR]] is in many cases not compliant with the law. | |||
<u>Example:</u> A large platform lists all possible processing operations, purposes and recipients. Many of these elements are only relevant for users that use certain functions of the platform. If the controller responds to an access request under Article 15 GDPR, just referring to the privacy policy for information under Article 15(1) GDPR would be neither transparent nor accurate. It would not allow the data subject to understand whether his or her personal data was actually used for certain purposes or shared with third parties. | |||
<u>Example:</u> The controller just keeps a list of emails to send a newsletter. The controller informed the data subject under Article 13 GDPR that her data is used for this purpose only. The information in a response to an access request under Article 15(1) GDPR will not deviate from the information under Article 13 GDPR, as the factual ''ex-post'' processing is exactly overlapping with the ''ex-ante'' information given. | |||
==== Basis for the exercise of other rights, but intention irrelevant ==== | |||
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing operations. The right to access is a prerequisite to exercising data subjects' rights (rectification, erasure, restriction, etc.)<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).</ref> and is therefore a key principle of the entire data protection framework.<ref>CJEU, Case C-553/07, ''College van burgemeester en wethouders v. M.E.E. Rijkeboer'', 7 May 2009, margin numbers 51–52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=74028&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]). See also, CJEU, Joined Cases C-141/12 and C-372/12, ''YS and Others'', 17 July 2014, margin number 57 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=155114&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]).</ref> | |||
The right to access is however also a "stand-alone" fundamental right, protected under Article 8(2) CFR. A data subject may just want to get information about the data processed about him or her - independent of the exercise of any other right under the GDPR. A data subject therefore does not need to give reasons for exercising the right to access. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.<ref>As the EDPB puts it, "''Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> While some national courts have tried to use the lack of a proven GDPR-related motive as a reason to reject access requests under Article 15 GDPR, the CJEU has held that the motive is irrelevant. <blockquote><u>Case law:</u> In ''[[CJEU - C‑307/22 - Copies of Medical Records|C‑307/22 FT and DW]]'' a data subject used Article 15 GDPR to get (free) access to their own health records. 
The controller alleged that the access request was not made for the purpose of exercising (other) GDPR rights, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of one's personal data is independent of the intended purpose for which the personal data is used and the controller must grant access. | |||
<u>Example:</u> A film maker made access requests for CCTV footage showing her walking around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.<ref>See https://en.wikipedia.org/wiki/Faceless_(2007_film)</ref> Her use of the right to access to get a copy of CCTV footage may have been tedious, and the use of personal data for a movie (criticising surveillance) was maybe exceptional, but it was legal.</blockquote> | |||
==== Relationship with other rights to access information ==== | |||
Article 15 GDPR itself provides for two parallel rights: the right to access to personal data in paragraph 1 and the right to get the (same) data in the form of a copy of personal data in paragraph 3. In addition, the right to data portability in Article 20 GDPR allows the data subject to receive the (same) personal data in a "''structured, commonly used and machine-readable format''". | |||
Other EU or national legislation may provide for additional rights to access information. Such rights may come in many forms, such as procedural law (allowing access to documents in a procedure), freedom of information laws (allowing access to government files) or specific sectoral laws, such as laws concerning access to health data or archives. Unless other EU or national law is explicitly a ''lex specialis'' in relation to the GDPR - usually in the form of a Restriction under [[Article 23 GDPR]] - these other rights exist in parallel to the GDPR. This means a data subject may freely choose to rely on Article 15 GDPR or any other legal basis available to him or her. | |||
<u>Case law:</u> In ''[[CJEU - C‑307/22 - Copies of Medical Records|C‑307/22 FT and DW]]'' the CJEU has also rejected arguments that Article 15 GDPR may not be applied if there is existing national law that foresees a right to get a copy against a fee. EU law trumps national law in such cases. | |||
Consequently, a data subject can also make an access request under Article 15 GDPR for any other purpose - such as to generate evidence for a legal procedure. Even if many EU Member States' procedures do not know the concept of "discovery" (as common in the US), data subjects may use the right to access for any purpose they wish. In fact, the controller may equally rely on personal data as evidence under [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The use of Article 15 GDPR to obtain evidence would still be used to overcome "informational imbalance" in such cases. | |||
===(1) The Right of Access=== | ===(1) The Right of Access=== | ||
Article 15(1) describes the core essence of the right of access. Once the access request is received, the controller must verify whether processing of the data subject's personal data is actually taking place. If this is the case, the controller (i) confirms the existence of the processing, (ii) provides access to the personal data (in other words, a copy of the personal data "undergoing processing" under Article 15(3) GDPR or other relevant method to achieve the purpose), and (iii) informs the data subject about certain elements of the processing (Article 15(1)(a-h) and 15(2) GDPR). Regardless of the specific "segment" of access being referred to (i), (ii), or (iii), it is important to emphasise that the entire process must always comply with the requirements of completeness, clarity, and facilitation set forth in Article 12 of the GDPR.<ref>In other words, it is not just the (ii) copy that must be complete and clear, but also the (iii) explanation of the various elements included in the list set out in Article 15(1)(a-h). Furthermore, (i) a real confirmation as to whether or not personal data are being processed will only occur if the controller has thoroughly searched for the data on all the storage systems at its disposal. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), pp. 16-19 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> | |||
It should be pointed out that, as made clear in Recital 60 GDPR, the controller should provide data subjects with any further information if it is necessary to ensure a fair and transparent processing. For example, the EDPB pointed out that a controller should provide data subjects with information about the legal basis for the processing or at least point out where this information can be found when responding to an access request.<ref>EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 70 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> | |||
==== Right to obtain ==== | |||
The data subject has a right to obtain (request) information. Typically the right to access under Article 15 GDPR is triggered by an access request. The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]): "''As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller''".</ref> The data subject may define the scope of their request<ref>In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the inquiry, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.</ref> and the format of the request. | |||
Given that the controller must facilitate a request under [[Article 12 GDPR|Article 12(2) GDPR]] and most data subjects will have limited knowledge about the right to access, the controller may not take an overly formalistic approach to a request. The data subject need not explicitly rely on Article 15 GDPR, but may use layman's terms to make a valid request. The request need not specify specific personal data or a specific reason for the exercise of the right to access. If the request is unclear, the controller shall ask the data subject to specify what processing activities the request relates to or for further information to identify the relevant data. | |||
The data subject has the right to make "blanket" requests for any personal data held about him or her. The controller may suggest a limitation - also in the interest of a prompt response - but if the data subject nonetheless requests access to all their personal data, the controller has to provide this information,<ref>''Zanfir-Fortuna'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.</ref> as confirmed by the EDPB<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 35 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> and national courts.<ref>For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]).</ref><blockquote><u>Example:</u> On all help pages of a controller that deal with the right to access, data subjects are referred to an online form to "''request a copy''". 
If the form is filled out, the data subject gets a ZIP file with some, but not all, personal data. Other information under Article 15(1) and (2) GDPR is not provided at all. During the complaints procedure the controller argues that the data subject only made a "''request for a copy''" not a "''request under Article 15 GDPR''". The controller clearly violated Article 5(1)(a) and 12(1) GDPR.</blockquote> | |||
==== From the controller ==== | |||
The addressee of the obligation to provide access is the controller within the meaning of [[Article 4 GDPR|Article 4(7) GDPR]], namely the entity which determines the purposes and means of the processing. However, the object of an access request may include processing activities performed by a processor on behalf of the controller. In this case, the duty to respond to the access request stays with the controller.<ref>EDPB, 'Guidelines 01/2022 on data subject rights - right of access', 28 March 2023, p. 125 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here])</ref> | |||
====Confirmation as to ‘whether’ or not personal data are being processed==== | |||
The initial step for data subjects when requesting access to their personal data is to determine whether or not the controller processes any data concerning them. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems. If the controller does process data related to the requesting data subject, it confirms the existence of processing operations.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 35 (available [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf here]).</ref> The controller should respond even if no personal data are processed. <blockquote><u>Case-law</u>: A controller should comply with the same requirements regarding the confirmation of the processing regardless of whether it is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide an answer in writing and via the appropriate means.<ref>See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710 here]).</ref></blockquote> | |||
==== Access to personal data ==== | |||
In general terms, "''access''" refers to the set of actions that a controller takes to show the data subject the data undergoing processing. The right to access is meant to give access to the personal data itself, not a description of the processing. | |||
In many cases, this aspect of the right to access materialises in the form of a "''copy''" of the original personal data, as specifically described in Article 15(3) GDPR (see below). However, the right to access under Article 15(1) and the right to obtain a copy of one's personal data under Article 15(3) GDPR are two separate rights. It should be noted that providing a "copy" of the data is not the only way in which a controller can ensure access. In some cases a copy may be the most appropriate approach, but a copy may not always be "''transparent''", for example if the raw data is not "''intelligible''" by an average data subject and copies may use technical language, but lack the "''clear and plain language''" required under [[Article 12 GDPR]]. | |||
Under certain circumstances, it may be more adequate to offer alternative methods of data access instead of providing a copy. These temporary access modes may include verbal communication, file inspection, or remote/on-site access that allows the data subject to see the personal data in a user interface. Such methods may be appropriate in situations where the data subject's interests are at stake or if they specifically request it. On-site access could also serve as an initial step when a large volume of non-digital data is being processed, enabling the data subject to understand which personal data is being processed and make an informed decision regarding which data they want to obtain through a copy. <blockquote><u>EDPB</u>: Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data processed by the controller are correct by giving data subjects a chance to view the original data. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Giving access through other ways than providing a copy does not preclude the data subjects from the right to also have a copy, unless they choose not to.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 13 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref></blockquote>The scope of the right to access includes all "personal data" as defined in [[Article 4 GDPR|Article 4(1) GDPR]] and includes all information relating to a data subject, no matter in which system, format or way the personal data is processed. 
It also covers information that is stored by means other than automated means, if the personal data is stored or intended to be stored in a "filing system" within the meaning of [[Article 4 GDPR|Article 4(6) GDPR]]. See also [[Article 2 GDPR|Article 2(1) GDPR]] on the scope of the GDPR when it comes to non-automated filing systems. | |||
<u>Example:</u> A hospital keeps paper records in a paper filing system. The right to access applies here as well. This also includes documents that were not yet filed, but are intended to be filed in the paper filing system. However, a sticky note on the desk of the doctor that is not intended to end up in the filing system would not be covered. | |||
According to the EDPB, this includes, inter alia, special categories of personal data (Article 9 GDPR); personal data relating to criminal convictions and offences (Article 10 GDPR); data knowingly and actively provided by the data subject (e.g. account data submitted via forms, answers to a questionnaire); observed data or raw data provided by the data subject by virtue of their use of the service or device (e.g. data processed by connected objects, transactional history, activity logs such as access logs, browsing history, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, or particular way of walking and speaking); data derived from other data, rather than directly provided by the data subject (e.g. credit score, classification based on common attributes of data subjects; country of residence derived from postcode); data inferred from other data, rather than directly provided by the data subject (e.g. to assign a credit score or comply with anti-money laundering rules, algorithmic results, results of a health assessment or a personalisation or recommendation process).<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 33 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> Equally, data that relates to multiple persons (e.g. the fact that a data subject is on a list of "high performers") also relates to the individual person. 
This authoritative interpretation should help to settle the judicial debate that has emerged on the correct scope and interpretation of personal data, which directly affects what is included in the copy under Article 15(3) GDPR.<ref>For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since their accuracy cannot be verified: Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207, available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:1020 here]). However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR. In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer. LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18, (available [http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&nr=27411 here]).</ref> | |||
To be included in the copy, the data must be undergoing processing. Accordingly, it is not possible to request access to personal data that does not already exist and that would have to be expressly generated, such as a detailed medical report.<ref>Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available [http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/D9EDB20F259B7F76C2258596003B9748/$file/%CE%9F%CE%9A%CE%A5%CE%A0%CE%A5%20%CE%91%CE%9D%CE%9F%CE%9D%CE%A5%CE%9C%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97.pdf here]).</ref> | |||
Deleted data or data that was anonymised does not constitute personal data anymore and does not fall under Article 15 GDPR. However, there is no exception for archived personal data, data in a "trash" folder, pseudonymised personal data or data that is otherwise hard to retrieve. | |||
In fact, some "meta" information that must be provided under Article 15(1) GDPR, such as the recipients or sources of personal data, may itself also constitute "personal data". For example, the information that a certain data subject's information is stored with an entity constitutes "''personal data''" by itself. The data subject may rely on either provision and may access the information as "''personal data''" or as "''information''" under Article 15(1) GDPR. | |||
==== Timing ==== | |||
The right to access covers information at the time the request is made.<ref>XXX FOOTNOTE XXXX</ref> This means that a controller must be able to freeze or copy personal data quickly, if a system may delete information during the period it takes to respond to an access request. The controller may not delete information to avoid an accurate response. As a matter of transparency, controllers should add any additional information that may have been added in the meantime and be transparent about the point in time the response refers to. | |||
<u>Example:</u> A controller deletes all personal data within 7 days to comply with the principle of storage limitation in Article 5(1)(X) GDPR. The controller must be able to copy the data within that time and cannot simply have the automatic deletion frustrate the right to access. | |||
In some cases, the requirement to give access before information is deleted (e.g. when CCTV footage is only stored for 48h) can be challenging for a controller. In cases where personal data only exists for seconds, it may even be factually impossible to respond to an access request. However, the wording of Article 15 GDPR does not foresee an exception. | |||
==== Identification and authentication ==== | |||
The data subject must provide the necessary information to ensure identification (see [[Article 12 GDPR|Article 12(2) GDPR]]) of the personal data and authentication of the request (see [[Article 12 GDPR|Article 12(6) GDPR]]). Before providing access, the controller must take all necessary steps to verify the identity of the data subject to comply with its obligations under [[Article 32 GDPR|Article 32 GDPR]]. Obviously, the risk of abuse is more relevant when exercising the right to access than when exercising the right to object to direct marketing in Article 21(2) GDPR. Consequently, the controller may have to take a stricter approach under Article 15 GDPR. The disclosure of personal data to a different person would usually qualify as a data breach under [[Article 34 GDPR]].<ref>''Zanfir-Fortuna'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).</ref> | |||
However, the controller shall not use this requirement to hinder the exercise of the right of access.<ref>Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available [https://www.aepd.es/es/documento/td-00013-2021.pdf here]).</ref> A controller must strike a balance between adequate security under [[Article 32 GDPR]] and not requesting disproportionate information from data subjects, given that it must facilitate the exercise of this right within the meaning of [[Article 12 GDPR|Article 12(2) GDPR]] and may not violate the data minimisation principle when the requested identification or authentication (e.g. a copy of an ID) is not necessary.<ref>Data Protection Commission, 16 December 2020, Groupon International Limited (available [https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf here]).</ref> | |||
<u>Example:</u> When the data subject can regenerate a password and access a platform via his or her email address, and the controller receives an access request from the same email address that was used when first providing the personal data, there can usually be no reasonable doubt as to the data subject's identity. | |||
See more information under [[Article 12 GDPR|Article 12(2) GDPR]]. | |||
==== Additional information under Article 15(1)(a) to (h) ==== | |||
Under Article 15(1)(a) to (h) GDPR the controller is obliged to provide the data subject certain information about the processing.<ref>The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.</ref> In accordance with Article 12, this information must be accurate, clear and tailored<ref>The information provided in response to an access request does not generally correspond to that required under [https://gdprhub.eu/index.php%3Ftitle=Article_13_GDPR Articles 13] and [https://gdprhub.eu/index.php%3Ftitle=Article_14_GDPR 14 GDPR]. Under Article 13, for example, the controller must provide a description of what he intends to do ''after'' obtaining the user data: (c) purposes of the processing for which personal data are ''intended''; (e) recipients or categories of recipients, ''if any''; (f) the fact that the controller ''intends'' to transfer personal data; (2)(e) ''possible'' consequences of failure to provide such data. 
The wording of Article 15 is significantly different because it no longer refers to the controller's future intentions, but to what the controller actually, currently does with the previously received data: (1)(a) purpose of the processing (not ''intended'' purposes); (1)(b) categories of personal data ''concerned'' (not, ''if any''); (1)(c) recipients or categories of recipients to whom the personal data ''have been disclosed or will be disclosed''. These are two different perspectives. Article 13 gives an indication of what is going to happen, while Article 15 provides a specific indication of what is currently happening with the personal data. Confirmation of this can be found in Article 12(7) GDPR. When providing for an "''overview'' ''of the intended processing''", Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.</ref><ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 37 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> to the concrete processing that the data subject seeks access for. References to information under Article 13 or 14 GDPR may be sufficient if the ''ex-ante'' foreseen processing and the ''ex-post'' factual processing overlap exactly, which may be the case for uniform, smaller processing operations like a newsletter. In most cases, factually correct information under Article 15(1)(a) to (h) GDPR requires a tailored response. Overall, the controller must ensure that the information is factually accurate and up-to-date with respect to the data subject's request.<ref>For instance, the information on the right to lodge a complaint under Article 15(1)(f) does not differ from the one mandated under Article 13(2)(d) GDPR.</ref> | |||
===== (a) Purposes of the processing ===== | |||
Under Article 15(1)(a), the controller must communicate the individual data processing purposes pursued with regard to a given user. It is related to the ''ex-ante'' information under [[Article 13 GDPR|Article 13(1)(c)]] and/or [[Article 14 GDPR|14(1)(c) GDPR]]. The same information must be provided, but from a factual ''ex-post'' perspective. Just like under [[Article 13 GDPR|Article 13(1)(c) GDPR]], the information must be linked to the specific personal data that the controller grants access to. A mere list of purposes is not sufficient. See more details under [[Article 13 GDPR|Article 13(1)(c) GDPR]].<blockquote><u>Example:</u> The privacy policy mentions that certain personal data could be processed for various different purposes. However, the specific data subject's personal data was only found in the newsletter system of the controller. Therefore the factually accurate information would be that the personal data was only used for direct marketing. To ensure that the information is useful, the controller must explain which data was used for which purpose.</blockquote>Unlike [[Article 13 GDPR|Article 13(1)(c)]] and [[Article 14 GDPR|14(1)(c) GDPR]], this provision does not contain an obligation to mention the legal basis tied to each single purpose. A logical interpretation may be that the legislator would expect a controller to not change the legal basis or at least inform the data subject about such a change instantly under [[Article 13 GDPR|Article 13(1)(c)]] and/or [[Article 14 GDPR|14(1)(c) GDPR]]. 
If there is any divergence, such information should nevertheless be included to ensure accurate and transparent information in line with Article 12 GDPR, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.<blockquote><u>EDPB</u>: In order to facilitate the exercise of data subjects’ rights in line with Article 12(2) GDPR, the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation or to indicate where they can find this information. In any event, the principle of transparent processing requires that the information on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice).<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 38 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref></blockquote> | |||
===== (b) Categories of personal data concerned ===== | |||
Just like the ''ex-ante'' information in [[Article 14 GDPR|Article 14(1)(d) GDPR]], Article 15(1)(b) requires controllers to disclose the categories of personal data involved in the processing. The purpose of this paragraph may be questionable, given that a data subject would also get access to the specific information that is processed. There may be some benefit in being provided with an overview of categories. Theoretically a data subject could also limit its request to only a list of categories. | |||
For further details see [[Article 14 GDPR|Article 14(1)(d) GDPR]]. | |||
===== (c) Recipients or categories of recipients ===== | |||
Similar to the ''ex-ante'' information in [[Article 13 GDPR|Article 13(1)(e)]] and [[Article 14 GDPR|14(1)(e) GDPR]], Article 15(1)(c) GDPR requires the controller to disclose information about "''recipients or categories of recipients''" to whom the personal data have been or will be disclosed. Just as with the wording of [[Article 13 GDPR|Article 13(1)(c)]] and [[Article 14 GDPR|14(1)(c) GDPR]] (see there), some controllers understood the provision as giving them a free choice to only disclose categories of recipients. In fact, especially in the case of ''ex-post'' specific information under Article 15 GDPR, the data subject has a right to get a list of the actual recipients, unless this is not available to the controller.<ref>See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 37 (available [https://ec.europa.eu/newsroom/article29/items/622227/en here]).</ref><ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 38-39 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> <blockquote><u>Example</u>: In its privacy policy, a credit ranking agency affirms that the user's personal data can be passed on to “''customers that access your information to obtain credit information''”. This information is acceptable as a forward-looking statement in a privacy policy when it is unclear which customer may access the information in the future. However, once the controller knows from the log files or accounting information that three specific online shops have bought the data, the names of the recipients must be disclosed under Article 15(1)(c). 
</blockquote>This is also confirmed by [[Article 19 GDPR]], which requires the controller to “''inform the data subject about'' [the specific] ''recipients if the data subject requests it''”.<ref>Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).</ref> <blockquote><u>Case-law</u>: In [[CJEU - C-154/21 - RW v Österreichische Post|C-154/21 ''Österreichische Post'']], the CJEU held that [[Article 15 GDPR#1c|Article 15(1)(c) GDPR]] obliges the controller to disclose the identity of specific recipients of personal data if the data subject requests it, unless the request is manifestly unfounded or excessive, in which case information about categories of recipients is sufficient.<ref>CJEU, C-154/21, ''RW v Österreichische Post'', 12 January 2023, among the others, margin number 24 (available [[CJEU - C-154/21 - RW v Österreichische Post|here]]). </ref> | |||
Furthermore, the controller must link which personal data was provided to which recipient, to ensure that the data subject has a transparent and clear picture about the sharing of his or her personal data. </blockquote> | |||
===== (d) Data retention period ===== | |||
Similar to the ''ex-ante'' information in [[Article 13 GDPR|Article 13(2)(a)]] and [[Article 14 GDPR|14(2)(a) GDPR]], Article 15(1)(d) GDPR requires the provision of information on the intended length of time for which personal data will be stored, whenever possible. If not possible, the criteria used to determine the period must be provided instead. | |||
The information provided by the controller must be specific enough for the data subject to be aware of the duration of storage with regard to their personal data. In case it is not feasible to specify the deletion time, the storage duration and its starting point or triggering event (such as the end of a contract or expiration of a warranty period) should be specified. A mere reference, such as "''deletion after the expiry of legal storage periods''" is insufficient. | |||
The information on data storage periods must be focused on the data subject's specific data. If different deletion periods apply to the personal data of the data subject, the deletion periods should be specified in relation to the corresponding processing operations and data categories.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 39 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> | |||
===== (e) Existence of rights ===== | |||
Similar to the ''ex-ante'' information in [[Article 13 GDPR|Article 13(2)(b)]] and [[Article 14 GDPR|14(2)(c) GDPR]], Article 15(1)(e) GDPR requires the controller to inform the data subject about the right to rectification, erasure or restriction of processing. The information required under Article 15(1)(e) GDPR (existence of the right to rectification, erasure or restriction) must not be a mere stylistic exercise. Rather, it must be tailored to the specific position of the data subject and refer to the ongoing processing operations. | |||
It is unclear why the other rights (objection, data portability) that are mentioned in [[Article 13 GDPR|Article 13(2)(b)]] and [[Article 14 GDPR|14(2)(c) GDPR]] are not mentioned in Article 15(1)(e) GDPR. For all practical purposes, the information would have been provided to the data subject already under these Articles anyway. | |||
===== (f) Right to lodge a complaint ===== | |||
Similar to the ''ex-ante'' information in [[Article 13 GDPR|Article 13(2)(d)]] and [[Article 14 GDPR|14(2)(e) GDPR]], Article 15(1)(f) GDPR requires controllers to inform the data subject about the possibility to lodge a complaint with "''a supervisory authority''". This information does not require any kind of personalisation, given that a data subject can file a complaint with any authority under [[Article 77 GDPR]]. | |||
===== (g) Any available information on the source of the personal data ===== | |||
This provision is the ''ex-post'' counterpart to [[Article 14 GDPR|Article 14(2)(f) GDPR]]. This provision requires the data controller to inform the user about the actual individual sources from which their specific personal data has been collected. Just like under [[Article 14 GDPR|Article 14(2)(f) GDPR]], a source may be a third party (like a data broker) or a technical source (like a camera). | |||
Just as with specific ''ex-post'' information about recipients (see above, Article 15(1)(c) GDPR), a higher degree of specificity is required in relation to the sources from which the controller has obtained the data.<ref>Controllers can only receive data from trusted sources which lawfully process personal data. ''Vice versa'', a controller may collect personal information from unauthorised entities without having to give any account of the legitimacy of such source. It would be impossible for the data subject to control lawfulness and exercise their GDPR rights towards the sources. CJEU, C-154/21, ''RW v Österreichische Post'' (available [[CJEU - C-154/21 - RW v Österreichische Post|here]]) should apply ''mutatis mutandis''.</ref> The controller must explain which personal data is obtained from what source. A mere list of all sources, without explaining which specific personal data was obtained from each source, is not transparent, does not constitute all "''available information''" and is therefore insufficient. | |||
In comparison to [[Article 14 GDPR|Article 14(2)(e) GDPR]] it is unclear how the additional element of "''any available''" information must be understood. In comparison with the requirement to take "''appropriate measures''" under Article 12(1) GDPR, it seems that Article 15(1)(c) GDPR goes further. "''Any available''" information would for example also include knowledge of employees, information that can be derived from business records (e.g. the sale of personal data) and the like. | |||
===== (h) Information about automated decision-making ===== | |||
This provision uses the same language as [[Article 13 GDPR|Article 13(2)(f)]] and [[Article 14 GDPR|14(2)(g) GDPR]] - see there for more details. Just like with all other information under Article 15 GDPR, the information would have to relate to the specific processing of the data subject (i.e. the automated decision or profiling he or she was subjected to).<ref>This provision fuelled a heated discussion about whether Article 22(1)(h) establishes a "right to explanation", which means an obligation to clarify and explain automated decisions that have ''already'' been made, and thus directly ''concern'' the data subject. The wording of paragraph 1(h) only mentions the "''intended effects''" and not the actual ones, and therefore appears to contradict this idea. However, for the data subject to contest the decision under Article 22(3) and present their own point of view, it is necessary to obtain concrete explanations and eliminate the information asymmetry brought in by the algorithm. The main objective of Article 15 is to "genuinely" enable the data subject to comprehend the processing procedures and create the possibility of intervention, which would not be possible otherwise. In this sense, ''Franck'' in Gola, DS-GVO, Article 15 GDPR, margin number 18 (C.H. Beck 2022, 3rd edition).</ref> Furthermore, due to the direct reference to Article 22 GDPR, it must be concluded that, in the case of relevant automated decisions under Article 22(1), the provision also covers explanations of any safeguards provided for in Article 22(3) GDPR. That includes, "''at least''", details on the type of "''human intervention''", the means by which the data subject's "''point of view''" can be expressed and how to "''contest the decision''". | |||
=== (2) Right to receive information about the appropriate safeguards === | |||
Similar to the ''ex-ante'' information in [[Article 13 GDPR|Article 13(2)(f)]] and [[Article 14 GDPR|14(2)(f) GDPR]], Article 15(2) GDPR requires that in case the controller transfers data to a third country or international organisation and no adequacy decision is in place under Article 45 GDPR, the "''suitable guarantees''" under [[Article 46 GDPR]] must be disclosed. The data subject must be informed about these guarantees under paragraph 2. This provision corresponds to the regulations in Article 13(1)(f) and Article 14(1)(f) GDPR. Where requested, the controller must provide copies of such safeguards<ref>''Bäcker'', in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin number 29 (C.H. Beck 2020, 3rd Edition).</ref> or indicate where they have been made available.<ref>The EDPB has recalled the importance of transparency and information provided to data subjects. See, EDPB, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 10 November 2020 (Version for public consultations), p. 9, fn. 24 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf here]).</ref> | |||
The fact that Article 15(2) GDPR, unlike [[Article 13 GDPR|Article 13(2)(f)]] and [[Article 14 GDPR|14(2)(f) GDPR]], does not also directly refer to binding corporate rules under Article 47 GDPR seems to have no legal relevance, given that Article 46 GDPR itself mentions them. It is unclear if the missing reference to [[Article 49 GDPR]] is a mistake by the legislator or intended. | |||
=== (3) Right to receive a copy of the personal data === | |||
Compared with the previous Directive 95/46, Article 15(3) GDPR constitutes an additional right to receive a copy of all personal data undergoing processing. Such requirement to provide a copy strengthens the right of access under Article 15(1) GDPR and means that the information on the personal data concerning the person who makes the request is provided to the data subject not just as a report by the controller, but as a "''faithful reproduction"'' of the original. It also allows the data subject to retain all provided personal data, keep it and to come back to it.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 13 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> | |||
==== Personal data undergoing processing ==== | |||
The scope of the provision reflects the definition of personal data provided for in Article 4(1) GDPR and has the same meaning as in Article 15(1) GDPR. | |||
==== Copy ==== | |||
The definition of "copy" was debated in legal doctrine and jurisprudence.<ref>For a detailed overview of the different perspectives, we suggest ''Haidinger'', in Knyrim, DatKomm, Article 15 GDPR, margin numbers 35-36 (Manz 2021).</ref> In summary, on one hand, it was argued that a copy is a document, whether analog or digital, created by extracting information from other documents or systems in use (such as email clients, meeting minutes, or data system files related to the data subject). On the other hand, it was claimed that a copy should, where possible, be an exact reproduction of the original document itself (such as an email or meeting minutes).<ref>In the case where the data is originally contained in an electronic system, the copy will always come from an extraction process.</ref> The matter has now largely been clarified by the CJEU. | |||
<u>Case Law</u>: In [[CJEU - C-487/21 - F.F. v DSB|C-487/21 - ''F.F. v DSB'']], the CJEU clarified that the right to a copy under [[Article 15 GDPR#3|Article 15(3) GDPR]] entails that the data subject must be given a faithful and intelligible reproduction of all their personal data, which is necessary for them to exercise their rights. | |||
The CJEU shows a certain flexibility in the interpretation of the notion of "''copy''". A copy can be described as a "''faithful reproduction or transcription of an original''” in opposition to a “''purely general description''” of data. Therefore, in principle, Article 15(3) covers extracts from documents or even entire documents or extracts from databases. However, due to the teleological interpretation adopted by the court, what a controller is obliged to provide ultimately depends on the principle of effectiveness. | |||
It is crucial that the data subject is given the information in a durable, tangible form (such as text or electronic format) that can be stored and retrieved for future reference. | |||
Especially when personal data is contained in documents that also contain other matters, such as a list of "low performers" or an email with information about the data subject, the context of the document may be more relevant than the "raw" personal data (e.g. only the name contained in the document). In light of [[Article 12 GDPR]], the context should be provided as far as possible, to ensure a transparent and accurate response to an access request. <blockquote> | |||
<u>EDPB</u>: The controller can, although is not necessarily obliged to provide the documents which contain personal data about the data subjects making the request in their original form. [...] This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 48-49 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref></blockquote>Regardless of the manner in which the personal data is provided by the controller, whether through the original documents or a compilation of the data, the information should still adhere to the transparency standards specified in [[Article 12 GDPR]]. In certain situations, compiling and/or extracting the data in a comprehensible manner may be a means of complying with these standards. On the other hand, in some cases, it may be more effective to provide a copy of the actual document containing the personal data to facilitate better understanding. Therefore, the appropriate form of information provision must be determined on a case-by-case basis.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 49 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref><blockquote><u>EDPB</u>: In some cases, the personal data itself sets the requirements in what format the personal data should be provided. For example, when the personal data constitutes handwritten information by the data subject, the data subject may need to be provided with a photocopy of that handwritten information, as the handwriting itself is personal data. 
That could especially be the case when the handwriting is something that matters to the processing, e.g. scripture analysis. The same applies in general for audio recordings because the voice of the data subject itself is personal data. In some cases, however, access can be given by providing a transcription of the conversation, for example, if agreed upon between the data subject and the controller.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 49 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref></blockquote> | |||
==== Further copies ==== | |||
The second sentence of Article 15(3) GDPR regulates cases where the data subject requests an additional copy of the same personal data.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin number 23 (C.H. Beck 2019).</ref> In such circumstances, the controller may charge a reasonable fee based on the costs of administration. If the controller decides to do so, it "''should indicate the amount of costs it is planning to charge to the data subject in order to give the data subject the possibility to determine whether to maintain or to withdraw the request''".<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> | |||
A further copy should not be confused with a new request under Article 15 GDPR for personal data. Repetitive requests are regulated in [[Article 12 GDPR|Article 12(5) GDPR]], which allows the controller to charge a fee or refuse to act if further requests are "''manifestly unfounded or excessive''". See [[Article 12 GDPR|Article 12(5) GDPR]] for further details. | |||
==== Request by electronic means ==== | |||
The GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Regardless, under Article 15(3), third sentence, GDPR, if the data subject submits an access request electronically, the format of the "information" should match the form of the request. In such cases, the copies under Article 15(3) GDPR must be provided in a common electronic format, unless the data subject specifies a different format. This also implies that in the case of a paper application, copies must be made available in paper form, if requested by the data subject. Ultimately, the data subject determines the format of the copies.<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 32 (C.H. Beck, 2nd Edition 2018).</ref> | |||
==== Commonly used electronic form ==== | |||
When determining the commonly used electronic form to provide information to a data subject, the controller should not rely solely on its own format but rather make an objective assessment. The assessment should consider whether there are specific formats commonly used in the controller's area of operation or in the given context. If there are no such formats, open formats set in an international standard such as ISO should generally be considered. However, the EDPB does not exclude the possibility of other formats being commonly used. When making this assessment, it is important to consider how easily the data subject can access the information in the provided format. The controller should provide information to the data subject on how to access a file in a specific format, including any programs or software that could be used to make it more accessible. The data subject should not be required to purchase software to access the information.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 48 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> If in doubt, a controller can ask the data subject which formats he or she can read. Most software also allows personal data to be exported in different formats or files to be converted into multiple formats. | |||
<u>Examples:</u> Typical formats for a copy that can be opened by freely available reader software are CSV, PDF, HTML, OpenDocument file, Microsoft Word or Excel files. In certain areas, other formats may be common. A technically advanced data subject may prefer an XML or JSON format for raw data. | |||
=== (4) Limitations of the right to a copy === | |||
The right to obtain a copy under Article 15(3) GDPR is constrained by Article 15(4) GDPR. <blockquote><u>Common misunderstanding:</u> Many readers think that the limitations in Article 15(4) GDPR also cover the information that must be provided under Article 15(1) and (2) GDPR. This is not accurate. Article 15(4) only refers to the right to obtain a copy in Article 15(3) GDPR. </blockquote> | |||
==== Interpretation in the light of the Charter ==== | |||
Article 15(4) GDPR is drafted in rather absolute terms: "''shall not affect the rights and freedoms of others''". However, the right to access is a fundamental right under Article 8(2) CFR and may only be limited in accordance with Article 52(1) CFR, which requires that any limitation must be "''proportionate''". Article 15(4) GDPR must therefore be interpreted in the light of the Charter, which leads to the conclusion that conflicting rights must be "''balanced''" against the right to access on a case-by-case basis. | |||
==== Rights and freedoms of others ==== | |||
Under Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. The specific rights and freedoms are not named. According to Recital 63 such conflicting rights include the right to data protection of others or trade secrets or intellectual property.<ref>See Recital 63 GDPR.</ref> | |||
Recital 63 also mentions software that is protected by copyright. However, if information is already protected against use by others under copyright law, it seems that additional protection via the refusal of the fundamental right to access is usually not "''proportionate''". | |||
However, as affirmed by the recital, the fact that conflicting rights are involved cannot be an excuse to deny the right of access. The controller must instead find less intrusive options to provide as much information as possible, while still protecting the rights of others. Usually other information can be blackened, redacted or otherwise protected.<blockquote><u>Example:</u> If camera footage recorded more than one person, the right to access may be granted. The controller must anonymise any other data subjects in the footage.<ref>Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available [https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-24FR-2021-sous-forme-anonymisee.pdf here]).</ref></blockquote> | |||
==== Rights and freedoms of the controller ==== | |||
Article 15(4) GDPR only mentions the rights and freedoms of "''others''". It is unclear if this also includes the controller or processor. | |||
=== Other limitations of Article 15(1) to (3) === | |||
Article 15(1) to (3) GDPR may also be limited by [[Article 12 GDPR|Article 12(5) GDPR]] in the case of "''manifestly unfounded or excessive requests''". Furthermore, Union or Member State law may restrict the right of access in accordance with [[Article 23 GDPR]]. Derogations regarding the processing of personal data for scientific, historical research, statistical or archiving purposes in the public interest can be based on [[Article 89 GDPR]], as well as for processing carried out for journalistic purposes and academic, artistic or literary expression on [[Article 85 GDPR]]. | |||
==Decisions== | |||
Latest revision as of 12:01, 24 October 2024
Legal Text
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- (a) the purposes of the processing;
- (b) the categories of personal data concerned;
- (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) where the personal data are not collected from the data subject, any available information as to their source;
- (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Relevant Recitals
Commentary
The right to access has been a core element of the right to data protection and was, for example, already established in Convention 108 from 1981. Just like the general principle of transparency in Article 5(1)(a) GDPR, the active information under Article 13 and 14 GDPR and many other transparency provisions, the right to access is meant to overcome "informational imbalance".
The right to access is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that the right to access is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.
Passive ex-post information about the personal data of the specific data subject
As a "passive" right to information that must only be granted if a data subject makes a request, it is meant to provide more detailed and specific information on an ex-post basis, compared to the often more generic ex-ante information under Articles 13 and 14 GDPR.
In other words: the right to information under Articles 13 and 14 GDPR provides (generic) forward-looking information on expected or possible processing - usually in a uniform way for all users of the service - which must be provided proactively by the controller. The right to information is therefore naturally more generic and less precise. The right to access, however, allows the data subject to get information on the actual processing of his or her specific personal data and his or her specific situation. This not only enables the data subject to exercise his or her rights (see especially Articles 16 to 22 GDPR) but also allows him or her to check whether the controller has complied with the ex-ante information provided under Articles 13 or 14 GDPR.
EDPB: Pursuant to Article 12(2) GDPR, the response by the controller on those rights shall be individually tailored to the case of the data subject and relate to the processing operations concerned. Information on rights that are not applicable for the data subject in the specific situation should be avoided.[1]
While the wording of Articles 13 or 14 GDPR and Article 15(1) GDPR often overlaps, the controller has a different obligation under Article 15 GDPR to include the ex-post information about concrete, actual processing. If the information under Articles 13 or 14 GDPR and Article 15 GDPR were the same information, Article 15(1) GDPR would be largely deprived of any meaning. This also means that the common practice of just referring to the information under Articles 13 or 14 GDPR is in many cases not compliant with the law.
Example: A large platform lists all possible processing operations, purposes and recipients. Many of these elements are only relevant for users that use certain functions of the platform. If the controller responds to an access request under Article 15 GDPR by just referring to the privacy policy for information under Article 15(1) GDPR, the response would be neither transparent nor accurate. It would not allow the data subject to understand if his or her personal data was actually used for certain purposes or shared with third parties.
Example: The controller just keeps a list of emails to send a newsletter. The controller informed the data subject under Article 13 GDPR that her data is used for this purpose only. The information in a response to an access request under Article 15(1) GDPR will not deviate from the information under Article 13 GDPR, as the factual ex-post processing is exactly overlapping with the ex-ante information given.
Basis for the exercise of other rights, but intention irrelevant
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing operations. The right to access is a prerequisite to exercising data subjects' rights (rectification, erasure, restriction, etc.)[2] and is therefore a key principle of the entire data protection framework.[3]
The right to access is however also a "stand-alone" fundamental right, protected under Article 8(2) CFR. A data subject may just want to get information about the data processed about him or her - independent of the exercise of any other right under the GDPR. A data subject therefore does not need to give reasons for exercising the right to access. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.[4] While some national courts have tried to use the lack of a proven GDPR-related motive as a reason to reject access requests under Article 15 GDPR, the CJEU has held that the motive is irrelevant.
Case law: In C‑307/22 FT and DW a data subject used Article 15 GDPR to get (free) access to their own health records. The controller alleged that the access request was not made for the purpose of exercising (other) GDPR rights, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of one's personal data is independent of the intended purpose for which the personal data is used and the controller must grant access.
Example: A film maker made access requests for CCTV footage showing her walk around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.[5] Her use of the right to access to get a copy of CCTV footage may have been tedious, but the use of personal data for a movie (criticising surveillance) was maybe exceptional but legal.
Relationship with other rights to access information
Article 15 GDPR itself provides for two parallel rights: the right to access to personal data in paragraph 1 and the right to get the (same) data in the form of a copy of personal data in paragraph 3. In addition, the right to data portability in Article 20 GDPR allows the data subject to receive the (same) personal data in a "structured, commonly used and machine-readable format".
Other EU or national legislation may provide for additional rights to access information. Such rights may come in many forms, such as procedural law (allowing access to documents in a procedure), freedom of information laws (allowing access to government files) or specific sectoral laws, such as laws concerning access to health data or archives. Unless other EU or national law is explicitly a lex specialis in relation to the GDPR - usually in the form of a Restriction under Article 23 GDPR - these other rights exist in parallel to the GDPR. This means a data subject may freely choose to rely on Article 15 GDPR or any other legal basis available to him or her.
Case law: In C‑307/22 FT and DW the CJEU has also rejected arguments that Article 15 GDPR may not be applied if there is existing national law that foresees a right to get a copy against a fee. EU law trumps national law in such cases.
Consequently, a data subject can also make an access request under Article 15 GDPR for any other purpose - such as to generate evidence for a legal procedure. Even if many EU Member States' procedures do not know the concept of "discovery" (as common in the US), data subjects may use the right to access for any purpose they wish. In fact, the controller may equally rely on personal data as evidence under Article 6(1)(f) GDPR. Using Article 15 GDPR to obtain evidence would still serve to overcome "informational imbalance" in such cases.
(1) The Right of Access
Article 15(1) describes the core essence of the right of access. Once the access request is received, the controller must verify whether processing of the data subject's personal data is actually taking place. If this is the case, the controller (i) confirms the existence of the processing, (ii) provides access to the personal data (in other words, a copy of the personal data "undergoing processing" under Article 15(3) GDPR or other relevant method to achieve the purpose), and (iii) informs the data subject about certain elements of the processing (Article 15(1)(a-h) and 15(2) GDPR). Regardless of the specific "segment" of access being referred to (i), (ii), or (iii), it is important to emphasise that the entire process must always comply with the requirements of completeness, clarity, and facilitation set forth in Article 12 of the GDPR.[6]
It should be pointed out that, as made clear in Recital 60 GDPR, the controller should provide data subjects with any further information if it is necessary to ensure a fair and transparent processing. For example, the EDPB pointed out that a controller should provide data subjects with information about the legal basis for the processing or at least point out where this information can be found when responding to an access request.[7]
Right to obtain
The data subject has a right to obtain (request) information. Typically the right to access under Article 15 GDPR is triggered by an access request. The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.[8] The data subject may define the scope of their request[9] and the format of the request.
Given that the controller must facilitate a request under Article 12(2) GDPR and most data subjects will have limited knowledge about the right to access, the controller may not take an overly formalistic approach to a request. The data subject need not explicitly rely on Article 15 GDPR, but may use layman's terms to make a valid request. The request need not specify specific personal data or a specific reason for the exercise of the right to access. If the request is unclear, the controller shall ask the data subject to specify what processing activities the request relates to or for further information to identify the relevant data.
The data subject has the right to make "blanket" requests for any personal data held about him or her. The controller may suggest a limitation - also in the interest of a prompt response - but if the data subject nonetheless requests access to all their personal data, the controller has to provide this information,[10] as confirmed by the EDPB[11] and national courts.[12]
Example: On all help pages of a controller that deal with the right to access, data subjects are referred to an online form to "request a copy". If the form is filled out, the data subject gets a ZIP file with some, but not all, personal data. Other information under Article 15(1) and (2) GDPR is not provided at all. During the complaints procedure the controller argues that the data subject only made a "request for a copy" not a "request under Article 15 GDPR". The controller clearly violated Article 5(1)(a) and 12(1) GDPR.
From the controller
The addressee of the obligation to provide access is the controller within the meaning of Article 4(7) GDPR, namely the entity which determines the purposes and means of the processing. However, the object of an access request may include processing activities performed by a processor on behalf of the controller. In this case, the duty to respond to the access request stays with the controller.[13]
Confirmation as to ‘whether’ or not personal data are being processed
The initial step for data subjects when requesting access to their personal data is to determine whether or not the controller processes any data concerning them. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems. If the controller does process data related to the requesting data subject, it confirms the existence of processing operations.[14] The controller should respond even if no personal data are processed.
Case-law: A controller should comply with the same requirements regarding the confirmation of the processing regardless of whether it is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide an answer in writing and via the appropriate means.[15]
Access to personal data
In general terms, "access" refers to the set of actions that a controller takes to show the data subject the data undergoing processing. The right to access is meant to give access to the personal data itself, not a description of the processing.
In many cases, this aspect of the right to access materialises in the form of a "copy" of the original personal data, as specifically described in Article 15(3) GDPR (see below). However, the right to access under Article 15(1) and the right to obtain a copy of one's personal data under Article 15(3) GDPR are two separate rights. It should be noted that providing a "copy" of the data is not the only way in which a controller can ensure access. In some cases a copy may be the most appropriate approach, but a copy may not always be "transparent", for example if the raw data is not "intelligible" to an average data subject. Copies may also use technical language, but lack the "clear and plain language" required under Article 12 GDPR.
Under certain circumstances, it may be more adequate to offer alternative methods of data access instead of providing a copy. These temporary access modes may include verbal communication, file inspection, or remote/on-site access that allows the data subject to see the personal data in a user interface. Such methods may be appropriate in situations where the data subject's interests are at stake or if they specifically request it. On-site access could also serve as an initial step when a large volume of non-digital data is being processed, enabling the data subject to understand which personal data is being processed and make an informed decision regarding which data they want to obtain through a copy.
EDPB: Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data processed by the controller are correct by giving data subjects a chance to view the original data. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Giving access through other ways than providing a copy does not preclude the data subjects from the right to also have a copy, unless they choose not to.[16]
The scope of the right to access includes all "personal data" as defined in Article 4(1) GDPR and includes all information relating to a data subject, no matter in which system, format or way the personal data is processed. It also covers information that is stored by means other than automated means, if the personal data is stored or intended to be stored in a "filing system" within the meaning of Article 4(6) GDPR. See also Article 2(1) GDPR on the scope of the GDPR when it comes to non-automated filing systems.
Example: A hospital keeps paper records in a paper filing system. The right to access applies here as well. This also includes documents that were not yet filed, but are intended to be filed in the paper filing system. However, a sticky note on the desk of the doctor that is not intended to end up in the filing system would not be covered.
According to the EDPB, this includes, inter alia, special categories of personal data (Article 9 GDPR); personal data relating to criminal convictions and offences (Article 10 GDPR); data knowingly and actively provided by the data subject (e.g. account data submitted via forms, answers to a questionnaire); observed data or raw data provided by the data subject by virtue of their use of the service or device (e.g. data processed by connected objects, transactional history, activity logs such as access logs, browsing history, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, or particular way of walking and speaking); data derived from other data, rather than directly provided by the data subject (e.g. credit score, classification based on common attributes of data subjects; country of residence derived from postcode); data inferred from other data, rather than directly provided by the data subject (e.g. to assign a credit score or comply with anti-money laundering rules, algorithmic results, results of a health assessment or a personalisation or recommendation process).[17] Equally, data that relates to multiple persons (e.g. the fact that a data subject is on a list of "high performers") also relates to the individual person. This authoritative interpretation should help to settle the judicial debate that has emerged on the correct scope and interpretation of personal data, which directly affects what is included in the copy under Article 15(3) GDPR.[18]
To be included in the copy, the data must be undergoing processing. Accordingly, it is not possible to request access to personal data that does not already exist and that would have to be expressly generated, such as a detailed medical report.[19]
Deleted data or data that was anonymised does not constitute personal data anymore and does not fall under Article 15 GDPR. However, there is no exception for archived personal data, data in a "trash" folder, pseudonymised personal data or data that is otherwise hard to retrieve.
In fact, some "meta" information that must be provided under Article 15(1) GDPR, such as the recipients or sources of personal data, may itself also constitute "personal data". For example, the information that a certain data subject's information is stored with an entity constitutes "personal data" by itself. The data subject may rely on either provision and may access the information as "personal data" or as "information" under Article 15(1) GDPR.
Timing
The right to access covers information at the time the request is made.[20] This means that a controller must be able to freeze or copy personal data quickly, if a system may delete information during the period it takes to respond to an access request. The controller may not delete information to avoid an accurate response. As a matter of transparency, controllers should add any additional information that may have been added in the meantime and be transparent about the point in time the response refers to.
Example: A controller deletes all personal data within 7 days to comply with the principle of storage limitation in Article 5(1)(X) GDPR. The controller must be able to copy the data within that time and cannot simply have the automatic deletion frustrate the right to access.
In some cases, the requirement to give access before information is deleted (e.g. when CCTV footage is only stored for 48h) can be challenging for a controller. In cases where personal data only exists for seconds, it may even be factually impossible to respond to an access request. However, the wording of Article 15 GDPR does not foresee an exception.
Identification and authentication
The data subject must provide the necessary information to ensure identification (see Article 12(2) GDPR) of the personal data and authentication of the request (see Article 12(6) GDPR). Before providing access, the controller must take all necessary steps to verify the identity of the data subject to comply with its obligations under Article 32 GDPR. Obviously the risk of abuse is more relevant for the right to access than for the exercise of the right to object to direct marketing in Article 21(2) GDPR. Consequently, the controller may have to take a stricter approach under Article 15 GDPR. The disclosure of personal data to a different person would usually qualify as a data breach under Article 34 GDPR.[21]
However, the controller shall not use this requirement to hinder the exercise of the right of access.[22] A controller must strike a balance between adequate security under Article 32 GDPR and not requesting disproportionate information from data subjects, given that it must facilitate the exercise of such right within the meaning of Article 12(2) GDPR and may not violate the data minimisation principle where the requested identification or authentication (e.g. a copy of an ID) is not necessary.[23]
Example: When the data subject can regenerate a password and access a platform via his email address, and the controller receives an access request from the same email address that was used when the personal data was first provided, there can usually be no reasonable doubt as to the data subject's identity.
See more information under Article 12(2) GDPR.
Additional information under Article 15(1)(a) to (h)
Under Article 15(1)(a) to (h) GDPR the controller is obliged to provide the data subject certain information about the processing.[24] In accordance with Article 12, this information must be accurate, clear and tailored[25][26] to the concrete processing that the data subject seeks access for. References to information under Article 13 or 14 GDPR can suffice if the processing foreseen ex-ante and the factual ex-post processing overlap exactly, which may be the case for uniform, smaller processing operations like a newsletter. In most cases, factually correct information under Article 15(1)(a) to (h) GDPR requires a tailored response. Overall, the controller must ensure that the information is factually accurate and up-to-date with respect to the data subject's request.[27]
(a) Purposes of the processing
Under Article 15(1)(a), the controller must communicate the individual data processing purposes pursued with regard to a given user. It is related to the ex-ante information under Article 13(1)(c) and/or 14(1)(c) GDPR. The same information must be provided, but from a factual ex-post perspective. Just like under Article 13(1)(c) GDPR the information must be linked to the specific personal data that the controller grants access to. A mere list of purposes is not sufficient. See more details under Article 13(1)(c) GDPR.
Example: The privacy policy mentions that certain personal data could be processed for various different purposes. However, the specific data subject's personal data was only found in the newsletter system of the controller. Therefore the factually accurate information would be that the personal data was only used for direct marketing. To ensure that the information is useful, the controller must explain which data was used for which purpose.
Unlike Article 13(1)(c) and 14(1)(c) GDPR, this provision does not contain an obligation to mention the legal basis tied to each single purpose. A logical interpretation may be that the legislator would expect a controller to not change the legal basis or at least inform the data subject about such a change instantly under Article 13(1)(c) and/or 14(1)(c) GDPR. If there is any divergence, such information should nevertheless be included to ensure accurate and transparent information in line with Article 12 GDPR, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.
EDPB: In order to facilitate the exercise of data subjects’ rights in line with Article 12(2) GDPR, the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation or to indicate where they can find this information. In any event, the principle of transparent processing requires that the information on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice).[28]
(b) Categories of personal data concerned
Just like the ex-ante information in Article 14(1)(d) GDPR, Article 15(1)(b) requires controllers to disclose the categories of personal data involved in the processing. The purpose of this paragraph may be questionable, given that a data subject would also get access to the specific information that is processed. There may be some benefit in being provided with an overview of categories. Theoretically a data subject could also limit its request to only a list of categories.
For further details see Article 14(1)(d) GDPR.
(c) Recipients or categories of recipients
Similar to the ex-ante information in Article 13(1)(e) and 14(1)(e) GDPR, Article 15(1)(c) GDPR requires the controller to disclose information about "recipients or categories of recipients" to whom the personal data have been or will be disclosed. Just like the wording of Article 13(1)(c) and 14(1)(c) GDPR (see there), some controllers understood the provision as giving them a free choice to only disclose categories of recipients. In fact, especially in the case of ex-post specific information under Article 15 GDPR, the data subject has a right to get a list of the actual recipients, unless this is not available to the controller.[29][30]
Example: In its privacy policy, a credit ranking agency affirms that the user's personal data can be passed on to “customers that access your information to obtain credit information”. This information is acceptable as a forward-looking statement in a privacy policy when it is unclear which customer may access the information in the future. However, once the controller knows from the log files or accounting information that three specific online shops have bought the data, the names of the recipients must be disclosed under Article 15(1)(c).
This is also confirmed by Article 19 GDPR, which requires the controller to “inform the data subject about [the specific] recipients if the data subject requests it”.[31]
Case-law: In C-154/21 Österreichische Post, the CJEU held that Article 15(1)(c) GDPR obliges the controller to disclose the identity of specific recipients of personal data if the data subject requests it, unless the request is manifestly unfounded or excessive, in which case information about categories of recipients is sufficient.[32] Furthermore, the controller must link which personal data was provided to which recipient, to ensure that the data subject has a transparent and clear picture about the sharing of his or her personal data.
(d) Data retention period
Similar to the ex-ante information in Article 13(2)(a) and 14(2)(a) GDPR, Article 15(1)(d) GDPR requires the provision of information on the intended length of time for which personal data will be stored, whenever possible. If not possible, the criteria used to determine the period must be provided instead.
The information provided by the controller must be specific enough for the data subject to be aware of the duration of storage with regard to their personal data. In case it is not feasible to specify the deletion time, the storage duration and its starting point or triggering event (such as the end of a contract or expiration of a warranty period) should be specified. A mere reference, such as "deletion after the expiry of legal storage periods" is insufficient.
The information on data storage periods must be focused on the data subject's specific data. If different deletion periods apply to the personal data of the data subject, the deletion periods should be specified in relation to the corresponding processing operations and data categories.[33]
(e) Existence of rights
Similar to the ex-ante information in Article 13(2)(b) and 14(2)(c) GDPR, Article 15(1)(e) GDPR requires the controller to inform the data subject about the right to rectification, erasure or restriction of processing. The information required under Article 15(1)(e) GDPR (existence of the right to rectification, erasure or restriction) must not be a mere stylistic exercise. Rather, it must be tailored to the specific position of the data subject and refer to the ongoing processing operations.
It is unclear why the other rights (objection, data portability) that are mentioned in Article 13(2)(b) and 14(2)(c) GDPR are not mentioned in Article 15(1)(e) GDPR. For all practical purposes, the information would have been provided to the data subject already under these Articles anyway.
(f) Right to lodge a complaint
Similar to the ex-ante information in Article 13(2)(d) and 14(2)(e) GDPR, Article 15(1)(f) GDPR requires controllers to inform the data subject about the possibility to lodge a complaint with "a supervisory authority". This information does not require any kind of personalisation, given that a data subject can file a complaint with any authority under Article 77 GDPR.
(g) Any available information on the source of the personal data
This provision is the ex-post counterpart to Article 14(2)(f) GDPR. This provision requires the data controller to inform the user about the actual individual sources from which their specific personal data has been collected. Just like under Article 14(2)(f) GDPR a source may be a third party (like a data broker) or a technical source (like a camera).
Just as with specific ex-post information about recipients (see above, Article 15(1)(c) GDPR), a higher degree of specificity is required in relation to the sources from which the controller has obtained the data.[34] The controller must explain which personal data is obtained from what source. A mere list of all sources, without explaining which specific personal data was obtained from each source, is not transparent, does not amount to all "available information" and is therefore insufficient.
In comparison to Article 14(2)(e) GDPR it is unclear how the additional element of "any available" information must be understood. In comparison with the requirement to take "appropriate measures" under Article 12(1) GDPR, it seems that Article 15(1)(c) GDPR goes further. "Any available" information would for example also include knowledge of employees, information that can be derived from business records (e.g. the sale of personal data) and the like.
(h) Information about automated decision-making
This provision uses the same language as Article 13(2)(f) and 14(2)(g) GDPR - see there for more details. Just like with all other information under Article 15 GDPR, the information would have to relate to the specific processing of the data subject (i.e. the automated decision or profiling he or she was subjected to).[35] Furthermore, due to the direct reference to Article 22 GDPR, it must be concluded that, in the case of relevant automated decisions under Article 22(1), the provision also covers explanations of any safeguards provided for in Article 22(3) GDPR. That includes, "at least", details on the type of "human intervention", the means by which the data subject's "point of view" can be expressed and how to "contest the decision".
(2) Right to receive information about the appropriate safeguards
Similar to the ex-ante information in Article 13(2)(f) and 14(2)(f) GDPR, Article 15(2) GDPR requires that in case the controller transfers data to a third country or international organisation and no adequacy decision is in place under Article 45 GDPR, the "suitable guarantees" under Article 46 GDPR must be disclosed. The data subject must be informed about these guarantees under paragraph 2. This provision corresponds to the regulations in Article 13(1)(f) and Article 14(1)(f) GDPR. Where requested, the controller must provide copies of such safeguards[36] or indicate where they have been made available.[37]
The fact that Article 15(2) GDPR, unlike Article 13(2)(f) and 14(2)(f) GDPR, does not also directly refer to binding corporate rules under Article 47 GDPR seems to have no legal relevance, given that Article 46 GDPR itself mentions them. It is unclear if the missing reference to Article 49 GDPR is a mistake by the legislator or intended.[38]
(3) Right to receive a copy of the personal data
Compared with the previous Directive 95/46, Article 15(3) GDPR constitutes an additional right to receive a copy of all personal data undergoing processing. Such requirement to provide a copy strengthens the right of access under Article 15(1) GDPR and means that the information on the personal data concerning the person who makes the request is provided to the data subject not just as a report by the controller, but as a "faithful reproduction" of the original. It also allows the data subject to retain all provided personal data, keep it and to come back to it.[39]
Personal data undergoing processing
The scope of the provision reflects the definition of personal data provided for in Article 4(1) GDPR and has the same meaning as in Article 15(1) GDPR.
Copy
The definition of "copy" was debated in legal doctrine and jurisprudence.[40] In summary, on one hand, it was argued that a copy is a document, whether analog or digital, created by extracting information from other documents or systems in use (such as email clients, meeting minutes, or data system files related to the data subject). On the other hand, it was claimed that a copy should, where possible, be an exact reproduction of the original document itself (such as an email or meeting minutes).[41] The matter has now largely been clarified by the CJEU.
Case Law: In C-487/21 - F.F. v DSB, the CJEU clarified that the right to a copy under Article 15(3) GDPR entails that the data subject must be given a faithful and intelligible reproduction of all their personal data, which is necessary for them to exercise their rights.
The CJEU shows a certain flexibility in the interpretation of the notion of "copy". A copy can be described as a "faithful reproduction or transcription of an original" as opposed to a "purely general description" of data. Therefore, in principle, Article 15(3) covers extracts from documents or even entire documents or extracts from databases. However, due to the teleological interpretation adopted by the court, what a controller is obliged to provide ultimately depends on the principle of effectiveness.
It is crucial that the data subject is given the information in a durable, tangible form (such as text or electronic format) that can be stored and retrieved for future reference.
Especially when personal data is contained in documents that also contain other matters, such as a list of "low performers" or an email with information about the data subject, the context of the document may be more relevant than the "raw" personal data (e.g. only the name contained in the document). In light of Article 12 GDPR, the context should be provided as far as possible, to ensure a transparent and accurate response to an access request.
EDPB: The controller can, although is not necessarily obliged to provide the documents which contain personal data about the data subjects making the request in their original form. [...] This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents.[42]
Regardless of the manner in which the personal data is provided by the controller, whether through the original documents or a compilation of the data, the information should still adhere to the transparency standards specified in Article 12 GDPR. In certain situations, compiling and/or extracting the data in a comprehensible manner may be a means of complying with these standards. On the other hand, in some cases, it may be more effective to provide a copy of the actual document containing the personal data to facilitate better understanding. Therefore, the appropriate form of information provision must be determined on a case-by-case basis.[43]
EDPB: In some cases, the personal data itself sets the requirements in what format the personal data should be provided. For example, when the personal data constitutes handwritten information by the data subject, the data subject may need to be provided with a photocopy of that handwritten information, as the handwriting itself is personal data. That could especially be the case when the handwriting is something that matters to the processing, e.g. scripture analysis. The same applies in general for audio recordings because the voice of the data subject itself is personal data. In some cases, however, access can be given by providing a transcription of the conversation, for example, if agreed upon between the data subject and the controller.[44]
Further copies
The second sentence of Article 15(3) GDPR regulates cases where the data subject requests an additional copy of the same personal data.[45] In such circumstances, the controller may charge a reasonable fee based on the costs of administration. If the controller decides to do so, it "should indicate the amount of costs it is planning to charge to the data subject in order to give the data subject the possibility to determine whether to maintain or to withdraw the request".[46]
A further copy should not be confused with a new request under Article 15 GDPR for personal data. Repetitive requests are regulated in Article 12(5) GDPR, which allows the controller to charge a fee or refuse to act if further requests are "manifestly unfounded or excessive". See Article 12(5) GDPR for further details.
Request by electronic means
The GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Regardless, under Article 15(3), third sentence, GDPR, if the data subject submits an access request electronically, the format of the "information" should match the form of the request. In such cases, the copies under Article 15(3) GDPR must be provided in a common electronic format, unless the data subject specifies a different format. This also implies that in the case of a paper application, copies must be made available in paper form, if requested by the data subject. Ultimately, the data subject determines the format of the copies.[47]
Commonly used electronic form
When determining the commonly used electronic form to provide information to a data subject, the controller should not rely solely on its own format but rather make an objective assessment. The assessment should consider whether there are specific formats commonly used in the controller's area of operation or in the given context. If there are no such formats, open formats set in an international standard such as ISO should generally be considered. However, the EDPB does not exclude the possibility of other formats being commonly used. When making this assessment, it is important to consider how easily the data subject can access the information in the provided format. The controller should provide information to the data subject on how to access a file in a specific format, including any programs or software that could be used to make it more accessible. The data subject should not be required to purchase software to access the information.[48] If in doubt, a controller can ask the data subject which formats he or she can read. Most software also allows personal data to be exported in different formats or the file to be converted into multiple formats.
Examples: Typical formats for a copy that can be opened by freely available reader software are CSV, PDF, HTML, OpenDocument file, Microsoft Word or Excel files. In certain areas, other formats may be common. A technically advanced data subject may prefer an XML or JSON format for raw data.
(4) Limitations of the right to a copy
The right to obtain a copy under Article 15(3) GDPR is constrained by Article 15(4) GDPR.
Common misunderstanding: Many readers think that the limitations in Article 15(4) GDPR also cover the information that must be provided under Article 15(1) and (2) GDPR. This is not accurate. Article 15(4) only refers to the right to obtain a copy in Article 15(3) GDPR.
Interpretation in the light of the Charter
Article 15(4) GDPR is drafted in rather absolute terms: "shall not affect the rights and freedoms of others". However, the right to access is a fundamental right under Article 8(2) CFR and may only be limited in accordance with Article 52(1) CFR, which requires that any limitation must be "proportionate". Article 15(4) GDPR must therefore be interpreted in the light of the Charter, which leads to the conclusion that conflicting rights must be "balanced" against the right to access on a case-by-case basis.
Rights and freedoms of others
Under Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. The specific rights and freedoms are not named. According to Recital 63 such conflicting rights include the right to data protection of others or trade secrets or intellectual property.[49]
Recital 63 also mentions software that is protected by copyright. However, if information is already protected against use by others under copyright law, it seems that additional protection via the refusal of the fundamental right to access is usually not "proportionate".
However, as affirmed by the recital, the fact that conflicting rights are involved cannot be an excuse to deny the right of access. The controller must instead find less intrusive options to provide as much information as possible, while still protecting the rights of others. Usually other information can be blackened, redacted or otherwise protected.
Example: If camera footage recorded more than one person, the right to access may be granted. The controller must anonymise any other data subjects in the footage.[50]
Rights and freedoms of the controller
Article 15(4) GDPR only mentions the rights and freedoms of "others". It is unclear if this also includes the controller or processor.
Other limitations of Article 15(1) to (3)
Article 15(1) to (3) GDPR may also be limited by Article 12(5) GDPR in the case of "manifestly unfounded or excessive requests". Furthermore, Union or Member State law may restrict the right of access in accordance with Article 23 GDPR. Derogations regarding the processing of personal data for scientific, historical research, statistical or archiving purposes in the public interest can be based on Article 89 GDPR, and derogations for processing carried out for journalistic purposes and academic, artistic or literary expression on Article 85 GDPR.
Decisions
→ You can find all related decisions in Category:Article 15 GDPR
References
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 40 (available here).
- ↑ Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).
- ↑ CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, 7 May 2009, margin numbers 51–52 (available here). See also, CJEU, Joined Cases C-141/12 and C-372/12, YS and Others, 17 July 2014, margin number 57 (available here).
- ↑ As the EDPB puts it, "Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available here).
- ↑ See https://en.wikipedia.org/wiki/Faceless_(2007_film)
- ↑ In other words, it is not just the (ii) copy that must be complete and clear, but also the (iii) explanation of the various elements included in the list set out in Article 15(1)(a-h). Furthermore, (i) a real confirmation as to whether or not personal data are being processed will only occur if the controller has thoroughly searched for the data on all the storage systems at its disposal. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), pp. 16-19 (available here).
- ↑ EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 70 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 22 (available here): "As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller".
- ↑ In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the inquiry, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.
- ↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 35 (available here).
- ↑ For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
- ↑ EDPB, 'Guidelines 01/2022 on data subject rights - right of access', 28 March 2023, p. 125 (available here)
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 35 (available here).
- ↑ See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 13 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 33 (available here).
- ↑ For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since their accuracy cannot be verified: Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available here). However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR. In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in the possession of the employer. LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available here).
- ↑ Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
- ↑ XXX FOOTNOTE XXXX
- ↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
- ↑ Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
- ↑ Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
- ↑ The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- ↑ The information provided in response to an access request does not generally correspond to that required under Articles 13 and 14 GDPR. Under Article 13, for example, the controller must provide a description of what he intends to do after obtaining the user data: (c) purposes of the processing for which personal data are intended; (e) recipients or categories of recipients, if any; (f) the fact that the controller intends to transfer personal data; (2)(e) possible consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's future intentions, but to what the controller actually, currently does with the previously received data: (1)(a) purpose of the processing (not intended purposes); (1)(b) categories of personal data concerned (not, if any); (1)(c) recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed. These are two different perspectives. Article 13 gives an indication of what is going to happen, while Article 15 provides a specific indication of what is currently happening with the personal data. Confirmation of this can be found in Article 12(7) GDPR. When providing for an "overview of the intended processing", Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 37 (available here).
- ↑ For instance, the information on the right to lodge a complaint under Article 15(1)(f) does not differ from the one mandated under Article 13(2)(d) GDPR.
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 38 (available here).
- ↑ See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 37 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 38-39 (available here).
- ↑ Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).
- ↑ CJEU, C-154/21, RW v Österreichische Post, 12 January 2023, among the others, margin number 24 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 39 (available here).
- ↑ Controllers can only receive data from trusted sources which lawfully process personal data. Vice versa, a controller may collect personal information from unauthorised entities without having to give any account of the legitimacy of such source. It would be impossible for the data subject to control lawfulness and exercise their GDPR rights towards the sources. CJEU, C-154/21, RW v Österreichische Post (available here) should apply mutatis mutandis.
- ↑ This provision fuelled a heated discussion about whether Article 22(1)(h) establishes a "right to explanation", which means an obligation to clarify and explain automated decisions that have already been made, and thus directly concern the data subject. The wording of paragraph 1(h) only mentions the "intended effects" and not the actual ones, and therefore appears to contradict this idea. However, for the data subject to contest the decision under Article 22(3) and present their own point of view, it is necessary to obtain concrete explanations and eliminate the information asymmetry brought in by the algorithm. The main objective of Article 15 is to "genuinely" enable the data subject to comprehend the processing procedures and create the possibility of intervention, which would not be possible otherwise. In this sense, Franck in Gola, DS-GVO, Article 15 GDPR, margin number 18 (C.H. Beck 2022, 3rd edition).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin number 29 (C.H. Beck 2020, 3rd Edition).
- ↑ The EDPB has recalled the importance of transparency and information provided to data subjects. See, EDPB, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 10 November 2020 (Version for public consultations), p. 9, fn. 24 (available here).
- ↑ XXX FOOTNOTE XXX
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 13 (available here).
- ↑ For a detailed overview of the different perspectives, we suggest Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 35-36 (Manz 2021).
- ↑ In the case where the data is originally contained in an electronic system, the copy will always come from an extraction process.
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 48-49 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 49 (available here).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 49 (available here).
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin number 23 (C.H. Beck 2019).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 15 (available here).
- ↑ Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 32 (C.H. Beck, 2nd Edition 2018).
- ↑ EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 48 (available here).
- ↑ See Recital 63 GDPR.
- ↑ Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).