Article 15 GDPR
Legal Text
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- (a) the purposes of the processing;
- (b) the categories of personal data concerned;
- (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) where the personal data are not collected from the data subject, any available information as to their source
- (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Relevant Recitals
Commentary on Article 15
The right to access can be considered to be the other side of the coin of the right to be informed from Articles 13 and 14 GDPR. While the right to be informed refers to information about the processing provided a priori and in a general sense, the right to access refers to a more specific information provided a posteriori. As remarked by Ehmann, the right to access is also a first step for the exercise of further rights,[1] as well as a means for data subjects to verify the accuracy of their data and the compliance of the processing with the GDPR (cf. Recital 63 GDPR).[2]
(1) The Right of Access
Article 15 GDPR provides the data subjects the right to access their personal data. The right is divided in three parts: the right to receive confirmation whether personal data is being processed, the right to receive a copy of one’s personal data, and the right to receive additional information on the processing of personal data.
Procedural Aspects
The exercise of the right of access, as opposed to the obligation to inform from Articles 13 and 14 GDPR – that imposes a proactive obligation to the controller – requires an action from the data subject, that shall make a request to the controller. The right to access can only be exercised by the data subjects themselves, as well as by any legal representative of the data subject as regulated by national law, since there is no specific reference about the matter in the GDPR.
This access request does not need to fulfil any formalities, but rather clearly show the intention of the data subject to access their personal data.[3] The data subject does not need to justify in any way the reasons for requesting their personal data. The controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to Zanfir-Fortuna, if the data subject requests access to all their personal data, the controller will have to comply with the request.[4] Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.[5]
As provided by Recital 64 GDPR and Article 12(6) GDPR, the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[6] However, the controller shall only ask for proof of identity when there is reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.[7] Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.[8]
Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,[9] regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.
However, the controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from these controllers when their responses to their requests were delayed constitutes an abuse of the right.[10] Anyhow, and according to the same Article, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Right to Receive Confirmation About the Processing
The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. This shall be done even when no personal data is processed, in the form of a negative confirmation. The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means.[11]
Right to Receive Information About the Processing
The controller is obliged to provide the data subject certain additional information about the processing contained in Article 15(1)(a) to (h) GDPR. This obligation partially overlaps with the information to be provided under Articles 13 and 14 GDPR. However, it is to be understood that the logic of this provision allows the data subject to ask for a more granular and specific information than the generic information provided under Articles 13 and 14 GDPR. Therefore, the data subject may request specific information about certain processing activities, and shall be entitled to receive a more extensive answer on them, as compared to the already provided information from the mentioned provisions.
The additional information entails, namely: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Regarding the information about recipients and categories of recipients, there is debate on whether the controller shall provide the name of each recipient or rather only the categories of recipients. At the moment, a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.[12]
In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so.[13]
Additionally, it may also be inferred from the wording of Article 19 GDPR (“The controller shall inform the data subject about those recipients if the data subject requests it”) that the legislator intends to enable the data subject to have access to this information, since it is in their interest to know who is processing their personal data.
With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.[14] For further information, please refer to Article 22 GDPR.
(2) Right to Receive Information About the Appropriate Safeguards
The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards pursuant to international transfers of data from Article 46 GDPR, where personal data are transferred to a third country or to an international organisation. The EDPB has remarked in this regard the importance of transparency and information provided to the data subjects.[15]
(3) Right to Receive a Copy of the Personal Data
According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to Directive 95/46/EC, under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.[16] In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.[17] However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.[18] In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.[19]
Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
(4) Rights and Freedoms of Others
Furthermore, according to Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Some examples of possible clashes between rights, as provided by Recital 63 GDPR, may be trade secrets or intellectual property, in particular the copyright protecting the software. This may also be problematic in the case of, e.g., camera footages, in which more than one person may be shown. Nonetheless, as remarked by the recital, this shall not be an excuse to deny the right to access. A solution for this could be blurring the images so other persons are not recognisable on them, as advised by DPAs, for example, when the angle of a camera results in an excessive processing of data, contrary to the minimization principle.[20]
Decisions
→ You can find all related decisions in Category:Article 15 GDPR
References
- ↑ Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).
- ↑ CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin numbers 57 et seqq. (available here).
- ↑ Information Commissioner’s Office, 21 October 2020, Guide to the Right to Access, October 21, 2020, p. 9 (available here).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020).
- ↑ This is, however, controversial. For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
- ↑ Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
- ↑ Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
- ↑ Autoriteit Persoonsgegevens, 29 June 2020, BKR (available here).
- ↑ Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 en AWB 21/890 t/m AWB 897 (available here).
- ↑ Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
- ↑ Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available here and summarised here).
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 37.
- ↑ Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available here).
- ↑ EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, pp. 35-37.
- ↑ Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
- ↑ Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available here).
- ↑ Rechtbank Gelderland, 28 April 2020, 365592 (available here).
- ↑ LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available here).
- ↑ Cf. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).