Article 15 GDPR

From GDPRhub

Legal Text

Article 15 - Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Relevant Recitals

Recital 58

The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59

Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 63: Right of access by the data subject

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Verification of the data subject's identity

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Commentary on Article 15

The right of access encompasses three broad rights that a data subject may exercise:

  1. a right to know whether or not personal data is being processed,
  2. a right to receive information about the processed personal data, and
  3. a right to a copy of the processed personal data.

(1) Rights to confirmation and information about the processing

The right to confirmation extends beyond a positive confirmation that a data subject's personal data is being processed. A data subject may also demand confirmation that their personal data is not being processed.

The right to information covers the following elements, often seen as meta-information about the processing:

(a) Purposes of the processing

The purposes of the processing

See also Article 13(1)(c).

See also Article 14(1)(c).

(b) Categories of personal data


(c) Recipients of personal data


(d) Retention period of personal data


(e) Rights to rectification or erasure or restriction


(f) Right to lodge a complaint with a supervisory authority


(g) The source of the personal data if not collected from the data subject


(h) Existence of automated decision-making, including profiling


(2) Right to be informed about the safeguards relating to the transfer


(3) Copy of the personal data undergoing processing


(4) Mixed personal data and the rights and freedoms of others


Decisions

→ You can find all related decisions in Category:Article 15 GDPR
