Article 15
Right of access by the data subject
(41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;
(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;
(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;
(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;
Regulation
Art. 15
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Directive
Art. 12
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
Germany
Section 19
(1) The data subject shall, at his request, be provided with information on 1. stored data concerning him, including any reference in them to their origin, 2. the recipients or categories of recipients to whom the data are transmitted, and 3. the purpose of storage. The request should specify the type of personal data on which information is to be provided. If the personal data are stored neither by automated procedures nor in non-automated filing systems, information shall be provided only in so far as the data subject supplies particulars making it possible to locate the data and the effort needed to provide the information is not out of proportion to the interest in such information expressed by the data subject. The controller shall exercise due discretion in determining the procedure for providing such information and, in particular, the form in which it is provided.
(2) Sub-Section 1 above shall not apply to personal data which are stored merely because they may not be erased due to legal, statutory or contractual provisions on their retention or exclusively serve purposes of data security or data protection control and the provision of information would require disproportionate effort.
(3) If the provision of information relates to the transfer of personal data to authorities for the protection of the constitution, to the Federal Intelligence Service, the Federal Armed Forces Counterintelligence Office and, where the security of the Federation is concerned, other authorities of the Federal Ministry of Defence, it shall be admissible only with the consent of such bodies.
(4) Information shall not be provided if 1. this would be prejudicial to the proper performance of the duties of the controller, 2. this would impair public safety or order or otherwise be detrimental to the Federation or a Land or 3. the data or the fact that they are being stored must be kept secret in accordance with a legal provision or by virtue of their nature, in particular on account of an overriding justified interest of a third party and for this reason the interest of the data subject in the provision of information must be subordinated.
(5) Reasons need not be stated for the refusal to provide information if the statement of the actual and legal reasons on which the decision is based would jeopardize the purpose pursued by refusing to provide information. In such case it shall be pointed out to the data subject that he/she may appeal to the Federal Commissioner for Data Protection and Freedom of Information.
(6) If no information is provided to the data subject, it shall at his/her request be supplied to the Federal Commissioner for Data Protection and Freedom of Information unless the relevant supreme federal authority determines in a particular case that this would jeopardize the security of the Federation or a Land. The transfer from the Federal Commissioner to the data subject must not allow any conclusions to be drawn as to the knowledge at the disposal of the controller, unless the latter consents to more extensive information being provided.
(7) Information shall be provided free of charge.
Section 34 Provision of information to the data subject
(1) At the request of the data subject, the controller shall provide information 1. on stored data about the data subject, also where they refer to the origin of these data, 2. on the recipient or type of recipients to whom the data are provided, and 3. the reason for storage. The data subject should provide a detailed description of the type of personal data he or she would like information about. If the personal data are commercially stored for the purpose of transfer, information about the origin and the recipients shall be provided even if this information is not stored. Information about the origin and recipients may be withheld if the interest in protecting trade secrets outweighs the data subject’s interest in the information.
(1a) In the cases covered by Section 28 (3) fourth sentence, the transferring body shall store the origin of the data and the recipient for two years following the transfer and shall provide the data subject with information about the origin of the data and the recipient upon request. The first sentence shall apply to the recipient accordingly.
(2) In the cases covered by Section 28b, the decision-making body shall provide the data subject with the following information upon request: 1. probability values calculated or stored for the first time within the six months preceding the receipt of the information request, 2. the types of data used to calculate the probability values, and 3. how probability values are calculated and their significance, with reference to the individual case and in a form understandable to a general audience. The first sentence shall apply mutatis mutandis when the decision-making body 1. stores the data used to calculate probability values without reference to specific persons but creates such reference when calculating the probability value, or 2. uses data stored by another body. If a body other than the decision-making body calculated 1. the probability value or 2. one component of the probability value, it shall provide the decision-making body at its request with the information necessary to satisfy the information claims under the first and second sentences. In the cases covered by sentence 3 No. 1, the decision-making body shall provide the data subject with the name and address of the other body as well as the information necessary to reference the individual case, so that the data subject may assert his/her claim to information, where the decision-making body does not provide this information itself. In this case, the body that calculated the probability value shall fulfil the data subject’s request for information under the first and second sentences free of charge. The body responsible for calculating the probability value shall not be subject to the obligation referred to in the third sentence where the decision-making body uses its right under the fourth sentence.
(3) Any body which stores personal data commercially for the purpose of transfer shall provide the data subject upon request information about stored data concerning the data subject, even where these data are neither processed by automatic procedures nor stored in a non-automated filing system. The data subject shall be informed also about data which currently have no reference to specific persons but for which the controller is to create such reference when responding to the information request, which the controller does not store but uses for the purpose of providing information. Information about the origin and recipients may be withheld if the interest in protecting trade secrets outweighs the data subject’s interest in the information.
(4) Any body which collects, stores or modifies personal data commercially for the purpose of transfer shall provide the data subject upon request information about 1. probability values for certain future action by the data subject transferred within the twelve months preceding the receipt of the information request, as well as the names and last-known addresses of third parties to whom the values were transferred, 2. probability values at the time of the information request calculated according to the method used by the calculating body, 3. the types of data used to calculate the probability values under Nos. 1 and 2, and 4. how probability values are calculated and their significance, with reference to the individual case and in a form understandable to a general audience. The first sentence shall apply mutatis mutandis when the responsible body 1. stores the data used to calculate probability values without reference to specific persons but creates such reference when calculating the probability value, or 2. uses data stored by another body.
(5) Data stored for the purpose of providing information to data subjects pursuant to sub-sections 1a to 4 may be used only for this purpose and for data protection control; they shall be blocked for other purposes.
(6) Upon request, the information shall be provided in written form, unless another form would be more appropriate in the circumstances.
(7) There shall be no obligation to provide information when the data subject does not have to be notified in accordance with Section 33 (2) first sentence Nos. 2, 3 and 5 to 7.
(8) The information shall be free of charge. If the personal data are stored commercially for the purpose of transfer, the data subject may request information in written form once per calendar year free of charge. For each additional request a fee may be charged, if the data subject can use the information for commercial purposes with respect to third parties. The fee may not exceed the direct costs of providing the information. No fee may be charged if 1. there is reason to believe that data are stored improperly or without permission, or 2. the information shows that the data are to be corrected under Section 35 (1) or to be erased under Section 35 (2) second sentence No. 1.
(9) If a fee is charged to provide information, the data subject shall be given the possibility of personal information about the data concerning him/her within the framework of his/her entitlement to information. The data subject shall be informed of this possibility.