Article 15 GDPR: Difference between revisions

From GDPRhub
Line 231: Line 231:


==== Right to obtain ====
==== Right to obtain ====
The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]): "''As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller''".</ref> The data subject may define the scope of their request<ref>In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the inquiry, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.</ref> and does not need to outline the reasons behind it. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.<ref>As the EDPB puts it, "''Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> However, if the request is unclear and a large amount of data is being processed, the controller may ask the data subject to specify what processing actiAccess vities the request relates to (Recital 63 GDPR). If the data subject nonetheless requests access to all their personal data, the controller has to provide this information,<ref>''Zanfir-Fortuna'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.</ref> as confirmed by the EDPB<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 35 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> and national courts.<ref>For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]).</ref>
However, if the request is unclear and a large amount of data is being processed, the controller may ask the data subject to specify what processing actiAccess vities the request relates to (Recital 63 GDPR). If the data subject nonetheless requests access to all their personal data, the controller has to provide this information,<ref>''Zanfir-Fortuna'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.</ref> as confirmed by the EDPB<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 35 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> and national courts.<ref>For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2021:6040&showbutton=true&keyword=AVG here]).</ref>


Access request
===== Access request =====
Typically the right to access under Article 15 GDPR is triggered by an access request. The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.<ref>EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 22 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]): "''As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller''".</ref> The data subject may define the scope of their request<ref>In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the inquiry, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.</ref> <blockquote><u>Example:</u> On all help pages of a controller that deal with the right to access, data subjects are referred to an online form to "''request a copy''". If the form is filled out, the data subject gets a ZIP file with some, but not all, personal data. Other information under Article 15(1) and (2) GDPR is not provided at all. During the complaints procedure the controller argues that the data subject only made a "''request for a copy''" not a "''request under Article 15 GDPR''". The controller clearly violated Article 5(1)(a) and 12(1) GDPR.</blockquote>


CJEU in C-
===== Intention of the data subject irrelevant =====
 
A data subject does not need to outline the reasons behind it. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.<ref>As the EDPB puts it, "''Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> While some national courts have tried to use the lack of a proven GDPR-related motive as a reason to reject access request under Article 15 GDPR, the CJEU has held that the motive is irrelevant. <blockquote><u>Case law:</u> In ''[[C‑307/22 FT and DW]]'' a data subject used Article 15 GDPR to get (free) access to its own health records. The controller alleged that the access request was not made for the purpose of exercising (other) GDPR right, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of ones personal data is independent of the intent purpose for which the personal data is used and the controller must grant access.</blockquote><blockquote>
reasons (Rn 5 EN)
<u>Example:</u> A film maker made access request to CCTV footage showing her walk around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.<ref>See https://en.wikipedia.org/wiki/Faceless_(2007_film)</ref> Her use of the right to access to get a copy of CCTV footage may have been tedious, but the use of personal data for a move (criticising surveillance) was legal.</blockquote>
 
 
<u>Example:</u> A film maker made access request to CCTV footage showing her walk around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage.<ref>See https://en.wikipedia.org/wiki/Faceless_(2007_film)</ref>


==== From the controller ====
==== From the controller ====

Revision as of 22:12, 5 March 2024

Article 15 - Right of access by the data subject
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 15 - Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Relevant Recitals

Recital 58: Modalities for Transparent Information Provision
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 63: Modalities and Scope of Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Commentary

The right to access has been a core element of the right to data protection and is for example already established in convention 108 from 1981. The right to access is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that the right to access is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.

Passive ex-post information about the personal data of the specific data subject

As a "passive" right to information, that must only be granted if a data subject makes a request, it is meant to provide more detailed and specific information on an ex-post basis, compared to the often more generic ex-ante information under Articles 13 and 14 GDPR. In other words: the right to information under Articles 13 and 14 GDPR provide a (generic) forward-looking information - usually for any user of the service, which must be provided proactively by the controller. The right to access, allows the data subject to get information on his specific personal data and situation, which does not only enable the data subject to exercise his or her rights (see especially Articles 16 to 22 GDPR)

Basis for the exercise of other rights, but available for any reason

The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing operations. Such information – a prerequisite to exercising data subjects GDPR rights (rectification, erasure, restriction, etc.)[1] – is a key principle of the entire data protection framework[2] and must be provided under Article 15 GDPR.[3] More precisely, the controller is obliged to provide accurate, transparent, intelligible, and easily accessible information about whether or not data is being processed, what the actual processing operations consist of, as well as full access to the data undergoing processing. Hindering the exercise of the right of access amounts to a violation of the GDPR. The right should be both free to exercise and not entail any unnecessary burden.

Other, parallel rights to access

The right to access itself provides for two parallel rights: the right to access to personal data in paragraph 1 and the right to get the (same) data in the forms of a copy of personal data in paragraph 3. In addition, the right to data portability in Article 20 GDPR allows to revive the (same) personal data in "structured, commonly used and machine-readable format". Other EU or national legislation may provide for additional rights to access information. Such rights may come in many forms, such as procedural law (allowing access to documents in a procedure), freedom of information laws (allowing access to government files) or specific sectoral laws, such as laws concerning health data or archives. Unless other EU or national law is explicitly a lex specialis in relation to the GDPR - usually in the form of a Restriction under Article 23 GDPR - these rights exist in parallel to the GDPR. This means, that if these laws are more restrictive, a data subject may choose to rely on Article 15 GDPR.

The CJEU has also rejected arguments that Article 15 GDPR may not be applied if this could lead to alleged "abuse", for example if a data subject makes an access request to generate evidence for a procedure. While many EU Member States' procedures do not know the concept of "discovery" (as common in the US), data subjects may use the right to access for any purpose they wish.

Complete access (differencial, logfiles, etc)

Diff: access, copy and Art 20

paper files (Rn 5 EN)

(1) The Right of Access

Article 15(1) describes the core essence of the right of access. Once the access request is received, the controller must verify whether processing of the data subject's personal data is actually taking place. If this is the case, the controller (i) confirms the existence of the processing, (ii) provides access to the personal data (in other words, a copy of the personal data "undergoing processing" under Article 15(3) GDPR or other relevant method to achieve the purpose), and (iii) informs the data subject about certain elements of the processing (Article 15(1)(a-h) and 15(2) GDPR). Regardless of the specific "segment" of access being referred to (i), (ii), or (iii), it is important to emphasise that the entire process must always comply with the requirements of completeness, clarity, and facilitation set forth in Article 12 of the GDPR.[4]

Right to obtain

However, if the request is unclear and a large amount of data is being processed, the controller may ask the data subject to specify what processing actiAccess vities the request relates to (Recital 63 GDPR). If the data subject nonetheless requests access to all their personal data, the controller has to provide this information,[5] as confirmed by the EDPB[6] and national courts.[7]

Access request

Typically the right to access under Article 15 GDPR is triggered by an access request. The GDPR does not impose any requirement regarding the form of the request by which the data subject or their authorised representative exercises the right of access.[8] The data subject may define the scope of their request[9]

Example: On all help pages of a controller that deal with the right to access, data subjects are referred to an online form to "request a copy". If the form is filled out, the data subject gets a ZIP file with some, but not all, personal data. Other information under Article 15(1) and (2) GDPR is not provided at all. During the complaints procedure the controller argues that the data subject only made a "request for a copy" not a "request under Article 15 GDPR". The controller clearly violated Article 5(1)(a) and 12(1) GDPR.

Intention of the data subject irrelevant

A data subject does not need to outline the reasons behind it. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.[10] While some national courts have tried to use the lack of a proven GDPR-related motive as a reason to reject access request under Article 15 GDPR, the CJEU has held that the motive is irrelevant.

Case law: In C‑307/22 FT and DW a data subject used Article 15 GDPR to get (free) access to its own health records. The controller alleged that the access request was not made for the purpose of exercising (other) GDPR right, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of ones personal data is independent of the intent purpose for which the personal data is used and the controller must grant access.

Example: A film maker made access request to CCTV footage showing her walk around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.[11] Her use of the right to access to get a copy of CCTV footage may have been tedious, but the use of personal data for a move (criticising surveillance) was legal.

From the controller

The addressee of the obligation to provide access is the 'controller' within the meaning of Article 4(7) GDPR, namely the entity which determines the purposes and means of the processing. However, the object of an access request may include processing activities performed by a processor on behalf of the controller. In this case, accountability in addressing an access request stays with the controller.[12] This conclusion is also implicit in the wording of Article 15(3), which states that the controller shall provide a copy of the personal data 'undergoing processing'. As a matter of fact, the definition of controller under the GDPR does not require that the latter directly processes personal data, which is rather part of the definition of processor pursuant to Article 4(8) GDPR.

Before providing access, the controller shall, under Article 12(6) GDPR, take any necessary steps to verify the identity of the data subject, since the disclosure of personal data to a different person could qualify as a data breach.[13] However, the controller shall not use this requirement to hinder the exercise of the right of access. For example, when the data subject sends an access request from the same email as they used when first providing their personal data, there can be no doubt as to their identity.[14] Accordingly, a controller that requires disproportionate information from data subjects to identify them does not facilitate the exercise of such right (Article 12(2) GDPR) and violates the data minimisation principle, as the requested data (e.g. a copy of an ID) would not be strictly necessary in many cases.[15]

Confirmation as to ‘whether’ or not personal data are being processed

The initial step for data subjects when requesting access to their personal data is to determine whether or not the controller processes any data concerning them. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems. If the controller does process data related to the requesting data subject, it confirms the existence of processing operations.[16] The controller should respond even if no personal data are processed.

Case-law: A controller should comply with the same requirements regarding the confirmation of the processing regardless whether it is positive or negative. Therefore, even if the controller is not processing any personal data of the data subject, it shall provide an answer in writing and via the appropriate means.[17]

Access to the personal data

In general terms, "access" refers to the set of actions that a controller takes to show the data subject the data undergoing processing. The data itself, not a description of the processing. Typically, this aspect of the right to access materialises in the form of a "copy" of personal data, as specifically described in Article 15(3) GDPR, to which commentary we refer. However, it should be noted that providing a "copy" of the data is not the only way in which a controller can ensure access. Either way, in accordance with Article 12, the outcome of the access must be accurate, clear, and tailored to the data subject's position.

access = inspect

Example: XXX

Under certain circumstances, the controller may find it suitable to offer alternative methods of data access instead of providing a copy. These temporary access modes may include verbal communication, file inspection, or remote/onsite access without download capabilities. Such methods may be appropriate in situations where the data subject's interests are at stake or if they specifically request it. Onsite access could also serve as an initial step when a large volume of non-digital data is being processed, enabling the data subject to understand which personal data is being processed and make an informed decision regarding which data they want to obtain through a copy.

EDPB: Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data processed by the controller are correct by giving data subjects a chance to view the original data. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Giving access through other ways than providing a copy does not preclude the data subjects from the right to also have a copy, unless they choose not to.[18]

Additional information

Under Article 15(1)(a) to (h) GDPR the controller is obliged to provide the data subject certain information about the processing.[19] In accordance with Article 12, this information must be accurate, clear and tailored[20] to the data subject's position. Reference to privacy policy modules can only be done when there is no substantial difference between the content of the privacy notice and the information to be provided under Article 15(1)(a) to (h) GDPR. In particular, the controller ensure that the information is accurate and up-to-date with respect to the data subject's request.[21] If this is not the case, as often occurs, controllers will have to provide tailored information in their response.[22]

Example: XXX

(a) Purposes of the processing

Under Article 15(1)(a), the controller must communicate the individual data processing purposes pursued with regard to a given user. This provision does not contain an obligation to mention the legal basis tied to each single purpose. However, such information should nevertheless be included, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.

Art 13 - legal basis missing

EDPB: Therefore, in order to facilitate the exercise of data subjects’ rights in line with Art. 12(2) GDPR, the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation or to indicate where they can find this information. In any event, the principle of transparent processing requires that the information on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice).[23]

(b) Categories of personal data concerned

Article 15(1)(b) requires controllers to disclose the categories of personal data involved in the processing. In accordance with the data minimisation and transparency principles, such categories should be specifically listed and linked to the specific purpose. For example, data subjects have the right to know which categories of data are processed in the context of certain business activities. Thus, an e-commerce website should not process data relating to their political preferences.

(c) Recipients or categories of recipients

Article 15(1)(c) GDPR requires the controller to disclose information about recipients or categories of recipients to whom the personal data have been or will be disclosed. The wording has led to debate on whether controllers have to name each recipient or only categories. Controllers tend to stay generic, repeating the information provided in privacy policies.

This approach is not correct because it clearly contradicts the essential purpose of the right of access: allowing the data subject to "be aware of, and verify, the lawfulness of the processing" (Recital 63). To achieve such goal, the information provided must be as meaningful as possible for data subjects to make their choices, which would be impossible if a data subject does not know who exactly their data have been shared with.[24]

Example: In its privacy policy, a data controller affirms that the user's personal data can be passed on to “commercial partners and travel agencies”. This information, which is in principle acceptable for a privacy policy, is greatly insufficient in the context of an access request. For instance, it does not say anything about the geographical location of these partners, making it impossible to verify the lawfulness of the data transfer under Article 44 GDPR.

This is confirmed by Article 19 GDPR, which requires the controller to “inform the data subject about [the specific] recipients if the data subject requests it”.[25] The EDPB shares theses arguments,[26] as well as the CJEU.

Case-law: In C-154/21 Österreichische Post, the CJEU held that Article 15(1)(c) GDPR obliges the controller to disclose the identity of specific recipients of personal data if the data subject requests it, unless the request is manifestly unfounded or excessive, in which case information about categories of recipients is sufficient.[27]

The discussion around this issue is therefore settled: controllers must disclose the name of the particular recipients if the data subject requests so.

(d) Data retention period

Art. 15(1)(d) GDPR requires the provision of information on the intended length of time for which personal data will be stored, whenever possible. If not possible, the criteria used to determine the period must be provided instead. The information provided by the controller must be specific enough for the data subject to be aware of the duration of storage with regard to their personal data. In case it is not feasible to specify the deletion time, the storage duration and its starting point or triggering event (such as the end of a contract or expiration of a warranty period) should be specified. A mere reference, such as "deletion after the expiry of legal storage periods," is insufficient. The information on data storage periods must be focused on the data subject's specific data. If different deletion periods apply to the personal data of the data subject, the deletion periods should be specified in relation to the corresponding processing operations and data categories.[28]

(e) Existence of rights

The information required under Article 15(1)(e) GDPR (existence of the right to rectification, erasure or restriction) must not be a mere stylistic exercise. Rather, it must be tailored to the specific position of the data subject and refer to the ongoing processing operations.

EDPB: Pursuant to Art. 12(2) GDPR, the response by the controller on those rights shall be individually tailored to the case of the data subject and relate to the processing operations concerned. Information on rights that are not applicable for the data subject in the specific situation should be avoided.[29]

(f) Right to lodge a complaint

Article 15(1)(f) GDPR requires controllers to inform the data subject about the possibility to lodge a complaint with "a supervisory authority". This information does not require any kind of personalisation.

(g) Any available information on the source of the personal data

This provision reflects and strengthens the transparency principle set out in Article 14(2)(f) of the GDPR. This provision requires the data controller to inform the user about the source from which their personal data has been collected. It is possible that, for legitimate (Article 14(5) GDPR) or illegitimate reasons, such information may not be communicated. In this sense, Article 15(1)(g) allows for remedying the information asymmetry by forcing the controller to communicate the sources of their data. Just as with specific information about recipients (see above, Article 15(1)(c) GDPR), a high degree of specificity is required in relation to the sources from which the controller has obtained the data.[30] Indeed, it seems to us that the literal tenor of the provision is even clearer in this respect, as it requires providing the data subject with "any available information".

Limited in comparison to Art 14 to "available"

Interence itself personal data (EN, Rz 19)

(h) Information about automated decision-making

This provision uses the same language as Article 13(2)(f) of the GDPR, to which we refer for further commentary. It is worth adding here that, in applying the logic underlying Article 15 GDPR, the controller's response should be as tailored as possible to the data subject's specific case (i.e. the automated decision or profiling he or she was subjected to).[31] Furthermore, and for the same reasons, due to the direct reference to Article 22 GDPR, it must be concluded that, in the case of relevant automated decisions under Article 22(1), the provision also covers explanations of any safeguards provided for in Article 22(3) GDPR. That includes, "at least", details on the type of "human intervention", the means by which the data subject's "point of view" can be expressed and how to "contest the decision".

(2) Right to receive information about the appropriate safeguards

In case the controller transfers data to a third country or international organisation and no adequacy decision is in place under Article 45 GDPR, suitable guarantees under Article 46 must be adopted. The data subject must be informed about these guarantees as per paragraph 2. This provision corresponds to the regulations in Article 13(1)(f) and Article 14(1)(f) GDPR. Where requested, the controller must provide copies of such safeguards[32] or indicate where they have been made available.[33]

Inconsistent with Art 13/14 because Art 47 and 49 missing.

(3) Right to receive a copy of the personal data

Article 15(3) GDPR constitutes the final component of the right of access, namely the right to receive a copy of all personal data undergoing processing. Such requirement to provide a copy strengthens the right of access under Article 15(1) GDPR [34] and means that the information on the personal data concerning the person who makes the request is provided to the data subject in a way which allows the data subject to retain all of the information and to come back to it.[35]

Personal data undergoing processing

The scope of the provision reflects the definition of personal data provided for in Article 4(1) GDPR. According to the EDPB, this includes, inter alia, special categories of personal data (Article 9 GDPR); personal data relating to criminal convictions and offences (Article 10 GDPR); data knowingly and actively provided by the data subject (e.g. account data submitted via forms, answers to a questionnaire); observed data or raw data provided by the data subject by virtue of their use of the service or device (e.g. data processed by connected objects, transactional history, activity logs such as access logs, browsing history, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, or particular way of walking and speaking); data derived from other data, rather than directly provided by the data subject (e.g. credit score, classification based on common attributes of data subjects; country of residence derived from postcode); data inferred from other data, rather than directly provided by the data subject (e.g. to assign a credit score or comply with anti-money laundering rules, algorithmic results, results of a health assessment or a personalisation or recommendation process); pseudonymised data as opposed to anonymised data.[36] This authoritative interpretation should help to settle the judicial debate that has emerged on the correct scope and interpretation of personal data, which directly affects what is included in the copy under Article 15(3) GDPR.[37] To be included in the copy, the data must be undergoing processing. Accordingly, it is not possible to request personal data that does not already exist and that would have to be expressly generated, such as a detailed medical report.[38]

Copy

The definition of "copy" is a topic of debate in both legal doctrine and jurisprudence.[39] In summary, on one hand, it is argued that a copy is a document, whether analog or digital, created by extracting information from other documents or systems in use (such as email clients, meeting minutes, or data system files related to the data subject). On the other hand, it is claimed that a copy should, where possible, be an exact reproduction of the original document itself (such as an email or meeting minutes).[40] In recent guidelines regarding the right of access, the EDPB does not provide a conclusive answer, although the wording of the text suggests the existence of a non-absolute right to a copy of the original document itself, rather than just an extract.

EDPB: The controller can, although is not necessarily obliged to provide the documents which contain personal data about the data subjects making the request in their original form. [...] This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents.[41]

Regardless of the manner in which the personal data is provided by the controller, whether through the original documents or a compilation of the data, the information should still adhere to the transparency standards specified in Article 12 of the GDPR. In certain situations, compiling and/or extracting the data in a comprehensible manner may be a means of complying with these standards. On the other hand, in some cases, it may be more effective to provide a copy of the actual document containing the personal data to facilitate better understanding. Therefore, the appropriate form of information provision must be determined on a case-by-case basis.[42]

EDPB: In some cases, the personal data itself sets the requirements in what format the personal data should be provided. For example, when the personal data constitutes handwritten information by the data subject, the data subject may need to be provided with a photocopy of that handwritten information, as the handwriting itself is personal data. That could especially be the case when the handwriting is something that matters to the processing, e.g.scripture analysis. The same applies in general for audio recordings because the voice of the data subject itself is personal data. In some cases, however, access can be given by providing a transcription of the conversation, for example, if agreed upon between the data subject and the controller.[43]

A certain flexibility in the interpretation of the notion of "copy" is also present in the CJEU case law. A copy can be described as a "faithful reproduction or transcription of an original” in opposition to a “purely general description” of data. Therefore, in principle, Article 15(3) covers extracts from documents or even entire documents or extracts from databases. However, due to the teleological interpretation adopted by the court, what a controller is obliged to provide ultimately depends on the principle of effectiveness .

Case Law: The CJEU stated that the right to a copy under Article 15(3) GDPR entails that the data subject must be given a faithful and intelligible reproduction of all their personal data, which is necessary for them to exercise their rights.[44]

Either way, it is crucial that the data subject is given the information in a durable, tangible form (such as text or electronic format) that can be stored and retrieved for future reference. Written information, including electronic forms, is generally preferred as it is more likely to endure over time. In cases where it is appropriate, the copy of personal data may be stored on an electronic storage device such as a CD or USB.

Further copies

The second sentence of Article 15(3) GDPR regulates cases where the data subject requests a new copy of their personal data. In such circumstances, the controller may charge a reasonable fee based on the costs of administration. If the controller decides to do so, it "should indicate the amount of costs it is planning to charge to the data subject in order to give the data subject the possibility to determine whether to maintain or to withdraw the request".[45]

Request by electronic means

The GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Regardless, under Article 15(3), third sentence, GDPR, if the data subject submits an access request electronically, the format of the "information" should match the form of the request. In such cases, both the information under Article 15(1)(a-h) and the copies under Article 15(3) GDPR must be provided in a common electronic format, unless the data subject specifies a different format, which must then be granted. This also implies that in the case of a paper application, copies must be made available in paper form. Ultimately, the data subject determines the format of the copies.[46]

Commonly used electronic form

If a data subject requests information electronically, the controller must provide the information electronically if possible, unless the data subject specifies otherwise (Article 12(3) GDPR). Article 15(3) GDPR requires that the controller provides the answer to an access request in a commonly used electronic form, unless the data subject requests otherwise. This provision assumes that controllers who can receive electronic requests can also provide electronic responses.[47]

When determining the commonly used electronic form to provide information to a data subject, the controller should not rely solely on its own format but rather make an objective assessment. The assessment should consider whether there are specific formats commonly used in the controller's area of operation or in the given context. If there are no such formats, open formats set in an international standard such as ISO should generally be considered. However, the EDPB does not exclude the possibility of other formats being commonly used. When making this assessment, it is important to consider how easily the data subject can access the information in the provided format. The controller should provide information to the data subject on how to access a file in a specific format, including any programs or software that could be used to make it more accessible. The data subject should not be required to purchase software to access the information.[48]

Online Tools

Recital 63, full access;

(4) Limits

The right of access is constrained by Article 15(4) GDPR (rights and freedoms of others) and Article 12(5) GDPR (manifestly unfounded or excessive requests). Furthermore, Union or Member State law may restrict the right of access in accordance with Article 23 GDPR. Derogations regarding the processing of personal data for scientific, historical research, statistical or archiving purposes in the public interest can be based on Articles 89(2) and 89(3) GDPR accordingly, as well as for processing carried out for journalistic purposes and academic artistic or literary expression on Art. 85(2) GDPR.

Rights and freedoms of others

Under Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. For example, such conflicting rights include trade secrets or intellectual property, in particular the copyright protection accorded to software (Recital 63 GDPR). This issue may also be problematic in the case of camera footage showing more than one person. However, as affirmed by the recital, this cannot not be an excuse to deny the right of access. The conflict in the aforementioned example could be resolved by blurring the images of other persons to render them unrecognisable. This measure has for example been recommended by DPAs when the angle of a camera results in the excessive processing of data, contrary to the minimisation principle.[49]

Rights and freedoms of the controller

Other limits

The controller may charge a reasonable fee or refuse to act on the request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, in accordance with Article 12(5) GDPR. For example, the District Court of Limburg has ruled that submitting unclear access requests to controllers with the sole purpose of initiating procedures to collect damages from them when their responses to access requests were delayed constitutes an abuse of the right.[50] The controller nevertheless bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

Decisions

→ You can find all related decisions in Category:Article 15 GDPR

References

  1. Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).
  2. CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, 7 May 2009, margin numbers 51–52 (available here). See also, CJEU, Joined Cases C-141/12 and C-372/12, YS and Others, 17 July 2014, margin number 57 (available here).
  3. The right of access under Article 15(1) GDPR includes three components: (i) the right to obtain confirmation from the controller as to whether data concerning them are being processed, (ii) the right to obtain access to the personal data undergoing processing and (iii) the right to obtain information on certain aspects of the processing as outlined in the list under Article 15(1)(a-h) GDPR.
  4. In other words, it is not just the (ii) copy that must be complete and clear, but also the (iii) explanation of the various elements included in the list set out in Article 15(1)(a-h). Furthermore, (i) a real confirmation as to whether or not personal data are being processed will only occur if the controller has thoroughly searched for the data on all the storage systems at its disposal. See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), pp. 16-19 (available here).
  5. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.
  6. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 35 (available here).
  7. For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
  8. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 22 (available here): "As noted previously, the GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Therefore, there are in principle no requirements under the GDPR that the data subjects must observe when choosing a communication channel through which they enter into contact with the controller".
  9. In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the inquiry, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.
  10. As the EDPB puts it, "Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available here).
  11. See https://en.wikipedia.org/wiki/Faceless_(2007_film)
  12. EDPB, 'Guidelines 01/2022 on data subject rights - right of access', 28 March 2023, p. 125 (available here)
  13. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020).
  14. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
  15. Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
  16. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 18 January 2022 (Version 1.0), p. 35 (available here).
  17. See, Garante per la protezione dei dati personali, 7 July 2020, 9445710 (available here).
  18. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 13 (available here).
  19. The additional information concerns the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  20. The information provided in response to an access request does not generally correspond to that required under Articles 13 and 14 GDPR. Under Article 13, for example, the controller must provide a description of what he intends to do after obtaining the user data: (c) purposes of the processing for which personal data are intended; (e) recipients or categories of recipients, if any; (f) the fact that the controller intends to transfer personal data; (2)(e) possible consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's future intentions, but to what the controller actually, currently does with the previously received data : (1)(a) purpose of the processing (not intended purposes); (1)(b) categories of personal data concerned (not, if any); (1)(c) recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed. These are two different perspectives. Article 13 gives an indication of what is going to happen, while Article 15 provides a specific indication of what is currently happening with the personal data. A confirmation to that can be found in Article 12(7) GDPR. When providing for an "overview of the intended processing”, Article 12(7) GDPR only refers to Articles 13 and 14, and not to Article 15 GDPR. It follows that the information under Article 15 is not an overview, but a complete description of the processing operations.
  21. For instance, the information on the right to lodge a complaint under Article 15(1)(f) does not differ from the one mandated under Article 13(2)(d) GDPR.
  22. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 37 (available here).
  23. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 38 (available here).
  24. See, WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 37 (available here).
  25. Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).
  26. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 38-39 (available here).
  27. CJEU, C-154/21, RW v Österreichische Post, 12 January 2023, among the others, margin number 24 (available here).
  28. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 39 (available here).
  29. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 40 (available here).
  30. Controllers can only receive data from trusted sources which lawfully process personal data. Viceversa, a controller may collect personal information from unauthorised entities without having to give any account of the legitimacy of such source. It would be impossible for the data subject to control lawfulness and exercise their GDPR rights towards the sources. CJEU, C-154/21, RW v Österreichische Post (available here) should apply mutatis mutandi.
  31. This provision alimented a heated discussion about whether Article 22(1)(h) establishes a "right to explanation" which means an obligation to clarify and explain automated decisions that have already been made, and thus directly concern the data subject. The wording of paragraph 1(h) only mentions the "intended effects" and not the actual ones, and therefore appears to contradict this idea. However, for the data subject to contest the decision under Article 22(3) and present their own point of view, it is necessary to obtain concrete explanations and eliminate the information asymmetry brought in by the algorithm. The main objective of Article 15 is to "genuinely" enable the data subject to comprehend the processing procedures and create the possibility of intervention, which would be not be possible otherwise. In this sense, Franck in Gola, DS-GVO, Article 15 GDPR, margin numbers 18 (C.H. Beck 2022, 3rd edition).
  32. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin number 29 (C.H. Beck 2020, 3rd Edition).
  33. The EDPB has recalled the importance of transparency and information provided to data subjects. See, EDPB, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 10 November 2020 (Version for public consultations), p. 9, fn. 24 (available here).
  34. By clarifying that it encompasses comprehensive information on all data undergoing processing and not just a summary of it.
  35. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 13 (available here).
  36. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 33 (available here).
  37. For example, the District Court of Amsterdam has held that internal notes or tags are not to be treated as personal data for these purposes, since their accuracy cannot be verified: Rechtbank Amsterdam, 11 March 2021, C/13/687315 / HA RK 20-207, available here). However, the District Court of Gelderland has ruled, to the contrary, that internal notes and communication between employees containing name, address and information about the interviews themselves, but also information about their non-verbal communication, use of voice, notes his answers to specific questions and tracks how these answers change over time, reflect on the aspects of the data subject’s personality and how they think, and are hence personal data to be provided under Article 15 GDPR. In a similar sense, the Regional Labour Court of the Land Baden-Württemberg in Germany has stated that the right to access includes information about personal performance and behavioural data in possession of employer. LArbG Baden-Württemberg, 20 December 2018, 17 Sa 11/18, (available here).
  38. Commissioner for Personal Data Protection, 25 May 2020, 11.17.001.007.251 (available here).
  39. For a detailed overview of the different perspectives, we suggest Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 35-36 (Manz 2021).
  40. In the case where the data is originally contained in an electronic system, the copy will always come from an extraction process.
  41. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 48-49 (available here).
  42. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 49 (available here).
  43. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 49 (available here).
  44. CJEU, case C-487/21, F.F. v DSB, 4 May 2023, available here
  45. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 15 (available here).
  46. Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 32 (C.H. Beck, 2nd Edition 2018).
  47. The requirement applies to all information that needs to be provided, not only the copy but also the explanation under Article 15(1) and (2) GDPR. Therefore, if the data subject requests access electronically, all information must be provided in a commonly used electronic form.
  48. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 48 (available here).
  49. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).
  50. Rechtbank Limburg, 2 April 2021, AWB 20/2151, AWB 20/2152, AWB 20/2153, AWB 20/3315 en AWB 21/890 t/m AWB 897 (available here).