Article 15 GDPR: Difference between revisions
Line 233: | Line 233: | ||
This line of thought does not seem correct as it does not allow the user to "''be aware of, and verify, the lawfulness of the processing''" (Recital No 63 of the GDPR).<ref>In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so. See, WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, [https://ec.europa.eu/newsroom/article29/items/622227 p. 37]. </ref> Moreover, it seems to openly contradict the clear wording of [[Article 19 GDPR]], which requires the controller to “''inform the data subject about'' [the specific] ''recipients if the data subject requests it''”.<ref>Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement its systems with appropriate technical and organizational measures for doing so).</ref> The EDPB seems to share the same view.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 37.</ref> At the moment, however, the question is open and a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.<ref>Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ba1d6267-c184-4993-b7ed-4347c384b2a8&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210218_OGH0002_0060OB00159_20F0000_000 here] and summarised [[OGH - 6Ob159/20f|here]]). </ref> | This line of thought does not seem correct as it does not allow the user to "''be aware of, and verify, the lawfulness of the processing''" (Recital No 63 of the GDPR).<ref>In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so. See, WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, [https://ec.europa.eu/newsroom/article29/items/622227 p. 37]. </ref> Moreover, it seems to openly contradict the clear wording of [[Article 19 GDPR]], which requires the controller to “''inform the data subject about'' [the specific] ''recipients if the data subject requests it''”.<ref>Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement its systems with appropriate technical and organizational measures for doing so).</ref> The EDPB seems to share the same view.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 37.</ref> At the moment, however, the question is open and a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.<ref>Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=ba1d6267-c184-4993-b7ed-4347c384b2a8&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210218_OGH0002_0060OB00159_20F0000_000 here] and summarised [[OGH - 6Ob159/20f|here]]). </ref> | ||
With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under [[Article 22 GDPR|Article 22(1) and (4) GDPR]]. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.<ref>Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=f2a9b55f-02bc-446d-a8fa-4fd931cb1b57&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200908_2020_0_436_002_00) here]). </ref> For further information, please refer to [[Article 22 GDPR]]. | With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under [[Article 22 GDPR|Article 22(1) and (4) GDPR]]. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.<ref>Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available [https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=f2a9b55f-02bc-446d-a8fa-4fd931cb1b57&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200908_2020_0_436_002_00) here]). </ref> For further information, please refer to [[Article 22 GDPR]]. |
Revision as of 18:04, 9 February 2022
Legal Text
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- (a) the purposes of the processing;
- (b) the categories of personal data concerned;
- (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) where the personal data are not collected from the data subject, any available information as to their source
- (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Relevant Recitals
Commentary on Article 15
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness concerning any relevant processing operation, exercising practical control over their data and checking accuracy and lawfulness of data processing. Such information – a prerequisite to possibly exercise data subjects GDPR rights (rectification, erasure, restriction, etc)[1] – is a key principle of the entire data protection framework[2] and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not a data processing is taking place, what the actual processing operations are as well as full access to the data undergoing processing.
(1) The Right of Access
Under Article 15(1) GDPR, the right of access includes three components: (i) the right to obtain from the controller confirmation as to whether data concerning him or her are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the following list (a) to (h).
The request by which the data subject or another duly authorised person exercises the right of access does not require any formality[3] and may have different scope.[4] The data subject does not need to justify in any way the reasons for exercising their right of access nor has the controller any power in assessing such reasons.[5] If the request is unclear and a large amount of data is being processed, the controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to Zanfir-Fortuna, if the data subject requests access to all their personal data, the controller will have to comply with the request.[6] The above is confirmed by the EDPB[7] so differing interpretations do no seem correct.[8]
As provided by Recital 64 GDPR and Article 12(6) GDPR, the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[9] However, the controller shall only ask for proof of identity when there is a reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.[10] Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.[11]
Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,[12] regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.
Right to Receive Confirmation About the Processing
The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems.[13] The controller should respond even if no personal data is processed, in the form of a negative confirmation.[14]
Right to Receive Information About the Processing
Under Article 15(1)(a) to (h) GDPR the controller is obliged to provide the data subject certain additional information about the processing.[15] This information is different from that provided through the privacy policies under Articles 13 and 14 GDPR.[16] It must be precise and tailored to the specific position of the data subject.
According to the EDPB, the information provided under Article 15(1)(a) must be specific in relation to the individual purposes pursued for a given user. Moreover, although the provision does not contain an obligation to mention the legal basis adopted, such information should nevertheless be included since otherwise it would be impossible to verify the lawfulness of a certain processing operation.[17]
Categories of personal data should also be communicated under Article 15(1)(b). The data minimisation and transparency principles suggest that the categories should be specifically listed and tied to the specific purpose.
Example: the user has the right to know which categories of data are processed on his or her behalf. For example, an e-commerce website should not process data relating to the political preferences of the data subject.
Article 15(1)(c) GDPR requires the controller to disclose information about recipients and categories of recipients to whom the personal data have been or will be disclosed. There is debate on whether the controller shall provide the name of each recipient or rather only the categories of recipients. Controllers tend to omit the specific indication of recipients, preferring to opt for the more generic option, in which they only describe categories of recipients that may already be mentioned in the privacy policies.
Example: general categories such as “partners", "vendors”, “hosting providers”, “cooperation partners and other recipients” do not say anything about the geographical location of such partners (making it impossible to verify the lawfulness of the transfer under Article 44 GDPR et ss) and their data processing purposes.
This line of thought does not seem correct as it does not allow the user to "be aware of, and verify, the lawfulness of the processing" (Recital No 63 of the GDPR).[18] Moreover, it seems to openly contradict the clear wording of Article 19 GDPR, which requires the controller to “inform the data subject about [the specific] recipients if the data subject requests it”.[19] The EDPB seems to share the same view.[20] At the moment, however, the question is open and a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.[21]
With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.[22] For further information, please refer to Article 22 GDPR.
(2) Right to Receive Information About the Appropriate Safeguards
The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards pursuant to international transfers of data from Article 46 GDPR, where personal data are transferred to a third country or to an international organisation. The EDPB has remarked in this regard the importance of transparency and information provided to the data subjects.[23]
(3) Right to Receive a Copy of the Personal Data
According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to Directive 95/46/EC, under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.[24]
In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.[25] However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.[26] In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.[27]
Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
(4) Rights and Freedoms of Others
Furthermore, according to Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Some examples of possible clashes between rights, as provided by Recital 63 GDPR, may be trade secrets or intellectual property, in particular the copyright protecting the software. This may also be problematic in the case of, e.g., camera footages, in which more than one person may be shown. Nonetheless, as remarked by the recital, this shall not be an excuse to deny the right to access. A solution for this could be blurring the images so other persons are not recognisable on them, as advised by DPAs, for example, when the angle of a camera results in an excessive processing of data, contrary to the minimization principle.[28]
Other Limits
The controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from these controllers when their responses to their requests were delayed constitutes an abuse of the right.[29] Anyhow, and according to the same Article, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Decisions
→ You can find all related decisions in Category:Article 15 GDPR
References
- ↑ Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).
- ↑ CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, § 51–52. See also, CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin number 57.
- ↑ See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 21: "As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller".
- ↑ In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.
- ↑ As the EDPB puts it, "controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 9
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.
- ↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 15.
- ↑ For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
- ↑ Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
- ↑ Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
- ↑ Autoriteit Persoonsgegevens, 29 June 2020, BKR (available here).
- ↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 35.
- ↑ The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
- ↑ The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- ↑ Under Article 13, for example, the controller must provide a description of what he intends to do after obtaining the user data: (c) purposes of the processing for which personal data are intended; (e) recipients or categories of recipients, if any; (f) the fact that the controller intends to transfer personal data; (2)(e) possible consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's intentions, but to what the controller actually does with the previously received data : (1)(a) purpose of the processing; (1)(b) categories of personal data concerned; (1)(c) recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed. These are two very different pieces of information. The former gives a rough indication of what is going to happen, while the latter provides a specific indication of what is happening with the personal data. Interestingly, when providing for an "overview of the intended processing”, Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.
- ↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 36.
- ↑ In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so. See, WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 37.
- ↑ Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement its systems with appropriate technical and organizational measures for doing so).
- ↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 37.
- ↑ Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available here and summarised here).
- ↑ Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available here).
- ↑ EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, pp. 35-37.
- ↑ Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
- ↑ Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available here).
- ↑ Rechtbank Gelderland, 28 April 2020, 365592 (available here).
- ↑ LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available here).
- ↑ Cf. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).
- ↑ Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 en AWB 21/890 t/m AWB 897 (available here).