Article 15 GDPR: Difference between revisions

From GDPRhub
Line 206: Line 206:


==Commentary on Article 15==
==Commentary on Article 15==
Article 15 GDPR provides the data subjects the right to access their personal data. The right is divided in three parts: the right to receive confirmation whether personal data is being processed, the right to receive tailored information on the processing operations and the right to receive a copy of one’s personal data. While [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]] refer to information about the processing provided ''a priori'' and in a general sense, the right to access refers to a more specific information provided ''a posteriori''. As remarked by ''Ehmann'', the right to access is also a first step for the exercise of further rights,<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).</ref> as well as a means for data subjects to verify the accuracy of their data and the compliance of the processing with the GDPR (cf. Recital 63 GDPR).<ref>CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin numbers 57 et seqq. (available [https://curia.europa.eu/juris/document/document.jsf?docid=155114&doclang=EN here]). </ref>   
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness concerning any relevant processing operation, exercising practical control over their data and checking accuracy and lawfulness of data processing. Such information a prerequisite to possibly exercise data subjects GDPR rights (rectification, erasure, restriction, etc)<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).</ref> – is a key principle of the entire data protection framework<ref>CJEU, Case C-553/07'', College van burgemeester en wethouders v. Meerijkeboer'', § 51–52. See also, CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin number 57.</ref> and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not a data processing is taking place, what the actual processing operations are as well as full access to the data undergoing processing.  
===(1) The Right of Access===
===(1) The Right of Access===
Data Subject Initiative
Under Article 15(1) GDPR, the right of access includes three components: (i) the right to obtain from the controller confirmation as to whether data concerning him or her are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the following list (a) to (h).


The exercise of the right of access, as opposed to the obligation to inform from [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR]] – that imposes a proactive obligation to the controller – requires an action from the data subject, that shall make a request to the controller. The right to access can only be exercised by the data subjects themselves, as well as by any legal representative of the data subject as regulated by national law, since there is no specific reference about the matter in the GDPR.
The request by which the data subject or another duly authorised person exercises the right of access does not require any formality<ref>See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 21: "''As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller''". </ref> and may have different scope.<ref>In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.</ref> The data subject does not need to justify in any way the reasons for exercising their right of access nor has the controller any power in assessing such reasons.<ref>As the EDPB puts it, "''controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 9</ref> If the request is unclear and a large amount of data is being processed, the controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to ''Zanfir-Fortuna'', if the data subject requests access to all their personal data, the controller will have to comply with the request.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.</ref> The above is confirmed by the EDPB<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 15.</ref> so differing interpretations do no seem correct.<ref>For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]). </ref>


Form of the Request
As provided by Recital 64 GDPR and [[Article 12 GDPR|Article 12(6) GDPR]], the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).</ref> However, the controller shall only ask for proof of identity when there is a reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.<ref>Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available [https://www.aepd.es/es/documento/td-00013-2021.pdf here]). </ref> Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.<ref>Data Protection Commission, 16 December 2020, Groupon International Limited (available [https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf here]). </ref>
 
This access request does not need to fulfil any formalities, but rather clearly show the intention of the data subject to access their personal data.<ref>Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, p. 9 (available [https://ico.org.uk/media/for-organisations/documents/2619803/right-of-access-1-0-20210520.pdf here]). </ref> The data subject does not need to justify in any way the reasons for requesting their personal data. The controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to ''Zanfir-Fortuna'', if the data subject requests access to all their personal data, the controller will have to comply with the request.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020).</ref> Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.<ref>This is, however, controversial. For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]). </ref>
 
Verifying the Data Subject
 
As provided by Recital 64 GDPR and [[Article 12 GDPR|Article 12(6) GDPR]], the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.<ref>''Zanfir-Fortuna'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).</ref> However, the controller shall only ask for proof of identity when there is reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.<ref>Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available [https://www.aepd.es/es/documento/td-00013-2021.pdf here]). </ref> Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.<ref>Data Protection Commission, 16 December 2020, Groupon International Limited (available [https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf here]). </ref>


Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,<ref>Autoriteit Persoonsgegevens, 29 June 2020, BKR (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:3159 here]).</ref> regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.
Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,<ref>Autoriteit Persoonsgegevens, 29 June 2020, BKR (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:3159 here]).</ref> regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.


====Right to Receive Confirmation About the Processing====
====Right to Receive Confirmation About the Processing====
The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. This shall be done even when no personal data is processed, in the form of a negative confirmation. The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means.<ref>Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710 here]). </ref>
The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. According to the EDPB, the search for personal data should be performed on all the paper and computer records where personal data are being processed, including personal data stored in the back-up systems.<ref>EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 35.</ref> This shall be done even when no personal data is processed, in the form of a negative confirmation. <ref>The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710 here]). </ref>  


==== Right to Receive Information About the Processing ====
==== Right to Receive Information About the Processing ====
Line 242: Line 236:


=== (3) Right to Receive a Copy of the Personal Data ===
=== (3) Right to Receive a Copy of the Personal Data ===
According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046 Directive 95/46/EC], under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.<ref>Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available [http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/D9EDB20F259B7F76C2258596003B9748/$file/%CE%9F%CE%9A%CE%A5%CE%A0%CE%A5%20%CE%91%CE%9D%CE%9F%CE%9D%CE%A5%CE%9C%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97.pdf here]). </ref> In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.<ref>Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:1020 here]). </ref> However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.<ref>Rechtbank Gelderland, 28 April 2020, 365592 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:7103 here]). </ref> In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.<ref>LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available [http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&nr=27411 here]). </ref>
According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046 Directive 95/46/EC], under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.<ref>Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available [http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/D9EDB20F259B7F76C2258596003B9748/$file/%CE%9F%CE%9A%CE%A5%CE%A0%CE%A5%20%CE%91%CE%9D%CE%9F%CE%9D%CE%A5%CE%9C%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97.pdf here]). </ref>  
 
In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.<ref>Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:1020 here]). </ref> However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.<ref>Rechtbank Gelderland, 28 April 2020, 365592 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:7103 here]). </ref> In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.<ref>LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available [http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&nr=27411 here]). </ref>


Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Revision as of 15:45, 9 February 2022

Article 15 - Right of access by the data subject
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 15 - Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Relevant Recitals

Recital 58: Modalities for Transparent Information Provision
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 63: Modalities and Scope of Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Commentary on Article 15

The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness concerning any relevant processing operation, exercising practical control over their data and checking accuracy and lawfulness of data processing. Such information – a prerequisite to possibly exercise data subjects GDPR rights (rectification, erasure, restriction, etc)[1] – is a key principle of the entire data protection framework[2] and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not a data processing is taking place, what the actual processing operations are as well as full access to the data undergoing processing.

(1) The Right of Access

Under Article 15(1) GDPR, the right of access includes three components: (i) the right to obtain from the controller confirmation as to whether data concerning him or her are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the following list (a) to (h).

The request by which the data subject or another duly authorised person exercises the right of access does not require any formality[3] and may have different scope.[4] The data subject does not need to justify in any way the reasons for exercising their right of access nor has the controller any power in assessing such reasons.[5] If the request is unclear and a large amount of data is being processed, the controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to Zanfir-Fortuna, if the data subject requests access to all their personal data, the controller will have to comply with the request.[6] The above is confirmed by the EDPB[7] so differing interpretations do no seem correct.[8]

As provided by Recital 64 GDPR and Article 12(6) GDPR, the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[9] However, the controller shall only ask for proof of identity when there is a reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.[10] Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.[11]

Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,[12] regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.

Right to Receive Confirmation About the Processing

The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. According to the EDPB, the search for personal data should be performed on all the paper and computer records where personal data are being processed, including personal data stored in the back-up systems.[13] This shall be done even when no personal data is processed, in the form of a negative confirmation. [14]

Right to Receive Information About the Processing

The controller is obliged to provide the data subject certain additional information about the processing contained in Article 15(1)(a) to (h) GDPR. This obligation partially overlaps with the information to be provided under Articles 13 and 14 GDPR. However, it is to be understood that the logic of this provision allows the data subject to ask for a more granular and specific information than the generic information provided under Articles 13 and 14 GDPR. Therefore, the data subject may request specific information about certain processing activities, and shall be entitled to receive a more extensive answer on them, as compared to the already provided information from the mentioned provisions.

The additional information entails, namely: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Regarding the information about recipients and categories of recipients, there is debate on whether the controller shall provide the name of each recipient or rather only the categories of recipients. At the moment, a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.[15]

In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so.[16]

Additionally, it may also be inferred from the wording of Article 19 GDPR (“The controller shall inform the data subject about those recipients if the data subject requests it”) that the legislator intends to enable the data subject to have access to this information, since it is in their interest to know who is processing their personal data.

With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.[17] For further information, please refer to Article 22 GDPR.

(2) Right to Receive Information About the Appropriate Safeguards

The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards pursuant to international transfers of data from Article 46 GDPR, where personal data are transferred to a third country or to an international organisation. The EDPB has remarked in this regard the importance of transparency and information provided to the data subjects.[18]

(3) Right to Receive a Copy of the Personal Data

According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to Directive 95/46/EC, under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.[19]

In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.[20] However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.[21] In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.[22]

Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

(4) Rights and Freedoms of Others

Furthermore, according to Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Some examples of possible clashes between rights, as provided by Recital 63 GDPR, may be trade secrets or intellectual property, in particular the copyright protecting the software. This may also be problematic in the case of, e.g., camera footages, in which more than one person may be shown. Nonetheless, as remarked by the recital, this shall not be an excuse to deny the right to access. A solution for this could be blurring the images so other persons are not recognisable on them, as advised by DPAs, for example, when the angle of a camera results in an excessive processing of data, contrary to the minimization principle.[23]

Other Limits

The controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from these controllers when their responses to their requests were delayed constitutes an abuse of the right.[24] Anyhow, and according to the same Article, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Decisions

→ You can find all related decisions in Category:Article 15 GDPR

References

  1. Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).
  2. CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, § 51–52. See also, CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin number 57.
  3. See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 21: "As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller".
  4. In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.
  5. As the EDPB puts it, "controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 9
  6. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.
  7. EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 15.
  8. For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
  9. Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
  10. Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
  11. Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
  12. Autoriteit Persoonsgegevens, 29 June 2020, BKR (available here).
  13. EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 35.
  14. The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
  15. Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available here and summarised here).
  16. WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 37.
  17. Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available here).
  18. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, pp. 35-37.
  19. Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
  20. Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available here).
  21. Rechtbank Gelderland, 28 April 2020, 365592 (available here).
  22. LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available here).
  23. Cf. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).
  24. Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 en AWB 21/890 t/m AWB 897 (available here).