Article 15 GDPR
Legal Text
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- (a) the purposes of the processing;
- (b) the categories of personal data concerned;
- (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) where the personal data are not collected from the data subject, any available information as to their source
- (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Relevant Recitals
Commentary on Article 15
The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and/or increase their awareness concerning any relevant processing operation, exercising practical control over their data and checking accuracy and lawfulness of data processing. Such information – a prerequisite to possibly exercise data subjects GDPR rights (rectification, erasure, restriction, etc)[1] – is a key principle of the entire data protection framework[2] and must be provided under Article 15 GDPR. More precisely, the controller is obliged to provide transparent, intelligible, and easily accessible information about whether or not a data processing is taking place, what the actual processing operations are as well as full access to the data undergoing processing.
(1) The Right of Access
Under Article 15(1) GDPR, the right of access includes three components: (i) the right to obtain from the controller confirmation as to whether data concerning him or her are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the following list (a) to (h).
The request by which the data subject or another duly authorised person exercises the right of access does not require any formality[3] and may have different scope.[4] The data subject does not need to justify in any way the reasons for exercising their right of access nor has the controller any power in assessing such reasons.[5] If the request is unclear and a large amount of data is being processed, the controller may, however, ask the data subject to specify what processing activities the request relates to, as laid down by Recital 63 GDPR. Nonetheless, according to Zanfir-Fortuna, if the data subject requests access to all their personal data, the controller will have to comply with the request.[6] The above is confirmed by the EDPB[7] so differing interpretations do no seem correct.[8]
As provided by Recital 64 GDPR and Article 12(6) GDPR, the controller shall also take the necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[9] However, the controller shall only ask for proof of identity when there is a reasonable doubt; the controller shall not use this requirement to hinder the exercise of the right. For example, when the data subject exercises the right from the same email as the email from which they provided their personal data on the first place, there shall be no doubt as for their identity.[10] Requiring proof of the data subject’s identity without a reasonable doubt would also be a breach of the data minimization principle, since the data requested for it, such as a copy of an ID, would not be necessary.[11]
Hindering the exercise of the right to access is, overall, a violation of the GDPR, as held by the Dutch DPA,[12] regardless the way in which it is carried out, e.g. by charging a fee for the access or the copy of the data or by obliging the data subject to exercise the right via a complicated procedure or means. The right shall be free to exercise, and shall not entail any unnecessary burden.
Right to Receive Confirmation About the Processing
The starting point of the right to access is the right to receive a confirmation about whether one’s own personal data are being processed. According to the EDPB, the search for personal data should be performed on all the paper and computer records where personal data are being processed, including personal data stored in the back-up systems.[13] This shall be done even when no personal data is processed, in the form of a negative confirmation. [14]
Right to Receive Information About the Processing
The controller is obliged to provide the data subject certain additional information about the processing contained in Article 15(1)(a) to (h) GDPR. This obligation partially overlaps with the information to be provided under Articles 13 and 14 GDPR. However, it is to be understood that the logic of this provision allows the data subject to ask for a more granular and specific information than the generic information provided under Articles 13 and 14 GDPR. Therefore, the data subject may request specific information about certain processing activities, and shall be entitled to receive a more extensive answer on them, as compared to the already provided information from the mentioned provisions.
The additional information entails, namely: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Regarding the information about recipients and categories of recipients, there is debate on whether the controller shall provide the name of each recipient or rather only the categories of recipients. At the moment, a preliminary ruling is pending before the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.[15]
In this regard, the WP29, in their Guidelines on Transparency under the GDPR, has stated that, in accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. The Guidelines already indicate that, in practice, the general obligation of information will generally include the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. However, given the more specific nature of Article 15, this may be interpreted as an obligation of the controllers to disclose the name of the particular recipients if the data subject requests so.[16]
Additionally, it may also be inferred from the wording of Article 19 GDPR (“The controller shall inform the data subject about those recipients if the data subject requests it”) that the legislator intends to enable the data subject to have access to this information, since it is in their interest to know who is processing their personal data.
With respect to automated decision making, the Austrian DPA has held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. Additionally, in the same decision the DPA stated that the protection of a trade secret should form an exception to the complainants' right to obtaining such information.[17] For further information, please refer to Article 22 GDPR.
(2) Right to Receive Information About the Appropriate Safeguards
The additional information also includes, as provided by Article 15(2) GDPR, information about the appropriate safeguards pursuant to international transfers of data from Article 46 GDPR, where personal data are transferred to a third country or to an international organisation. The EDPB has remarked in this regard the importance of transparency and information provided to the data subjects.[18]
(3) Right to Receive a Copy of the Personal Data
According to Article 15(3) GDPR, the controller is obliged to provide the data subject “a copy of the personal data undergoing processing”. As opposed to Directive 95/46/EC, under the GDPR the data subject is entitled to a copy of such personal data. A summary of it, for example, is not enough. However, it is not possible either to request personal data that does not already exist and that must be expressly generated, such as a detailed medical report.[19]
In this sense, there is also debate on what is to be considered personal data and, therefore, is included in the right to access. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since they may not be checked for its accuracy.[20] However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR.[21] In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer.[22]
Additionally, as stated by Article 15(3) GDPR, for further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
(4) Rights and Freedoms of Others
Furthermore, according to Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. Some examples of possible clashes between rights, as provided by Recital 63 GDPR, may be trade secrets or intellectual property, in particular the copyright protecting the software. This may also be problematic in the case of, e.g., camera footages, in which more than one person may be shown. Nonetheless, as remarked by the recital, this shall not be an excuse to deny the right to access. A solution for this could be blurring the images so other persons are not recognisable on them, as advised by DPAs, for example, when the angle of a camera results in an excessive processing of data, contrary to the minimization principle.[23]
Other Limits
The controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from these controllers when their responses to their requests were delayed constitutes an abuse of the right.[24] Anyhow, and according to the same Article, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Decisions
→ You can find all related decisions in Category:Article 15 GDPR
References
- ↑ Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 09/08/2021).
- ↑ CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, § 51–52. See also, CJEU, 17 July 2014, Minister voor Immigratie, Integratie en Asiel, C‑141/12, margin number 57.
- ↑ See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 21: "As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller".
- ↑ In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the investigation, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.
- ↑ As the EDPB puts it, "controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See, EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 9
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). Such approach is supported by, among others, the text of Recital 58 GDPR, that emphasizes the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out, due to the technological complexity of the practice and the proliferation of actors.
- ↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 15.
- ↑ For example, the District Court of Northern Holland has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
- ↑ Cf. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
- ↑ Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
- ↑ Autoriteit Persoonsgegevens, 29 June 2020, BKR (available here).
- ↑ EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version for open consultation), 18.1.2022, p. 35.
- ↑ The Italian DPA has stated that the controller should comply with the same requirements regarding the confirmation of the processing regardless the confirmation is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide such answer in writing and via the appropriate means. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
- ↑ Oberster Gerichtshof, 18 February 2021, 6Ob159/20f (available here and summarised here).
- ↑ WP29, Guidelines on Transparency under Regulation 2016/679, 11 April 2018, p. 37.
- ↑ Datenschutzbehörde, 8 September 2020, 2020-0.436.002 (available here).
- ↑ EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 10 November 2020, pp. 35-37.
- ↑ Cf. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
- ↑ Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207 (available here).
- ↑ Rechtbank Gelderland, 28 April 2020, 365592 (available here).
- ↑ LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18 (available here).
- ↑ Cf. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).
- ↑ Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 en AWB 21/890 t/m AWB 897 (available here).