Article 15
Right of access by the data subject
41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;
(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;
(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;
(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;
Regulation
Art. 15 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. |
Directive
Art. 12 Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense: - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed, - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1); (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort. |
Poland
In force until May 25, 2018: The Act on Personal Data Protection Art. 32 1. The data subject has a right to control the processing of his/her personal data contained in the filing systems, and in particular he/she has the right to: 1) obtain extensive information on whether such system exists and to establish the controller’s identity, the address of its seat and its full name, and in case the controller is a natural person to obtain his/her address and his/her full name, 2) obtain information as to the purpose, scope, and the means of processing of the data contained in the system, 3) obtain information since when his/her personal data are being processed and communication to him/her in an intelligible form of the content of the data, 4) obtain information as to the source of his/her personal data, unless the controller is obliged to keep it confidential as a state, trade or professional secrecy, 5) obtain information about the means in which the data are disclosed, and in particular about the recipients or categories of recipients of the data, 5a) obtain information about the prerequisites of taking the decision referred to in Article 26a paragraph 2, 6) demand the data to be completed, updated, rectified, temporally or permanently suspended or erased, in case they are not complete, outdated, untrue or collected with the violation of the act, or in case they are no longer required for the purpose for which they have been collected, 7) make a justified demand in writing, in cases referred to in Article 23 paragraph 1 point 4 and 5, for the blocking of the processing of his/her data, due to his/her particular situation, 8) object to the processing of his/her personal data in cases referred to in Article 23 paragraph 1 point 4 and 5, should the controller intend to process the data for marketing purposes or to object to the transfer of the data to another controller, 9) make a demand to a controller for reconsidering of the individual case settled in 13 contravention of Article 26a paragraph 1. 2. In case of the demand referred to in paragraph 1 point 7 the controller shall immediately stop the processing of the questioned data or without undue delay transmit the demand to the Inspector General who shall make an appropriate decision. 3. In case of the objection referred to in paragraph 1 point 8 further processing of the questioned data shall be prohibited. However, the controller is allowed to leave in filing system forename or forenames and a surname of a person with a PESEL identification number or address solely for the reason to avoid the data being used once more for the purposes to which the data subjects objected. 3a. In case of the demand referred to in Article 32 paragraph 1 point 9 the controller without undue delay shall consider the case or transmit it, together with his/her reasoned stand, to the Inspector General who shall issue an appropriate decision. 4. In case where data processing is for scientific, didactic, historical, statistical or archival purposes the controller may not notify the data subject about the processing of his/her personal data, if the provision of such information involves disproportionate efforts. 5. The concerned party may exercise his/her right to obtain information referred to in paragraph 1 point 1 to 5 once every six months.
Art. 33 1. At the request of a data subject, within the period of 30 days, the controller shall be obliged to notify the data subject about his/her rights, and provide him/her with the information referred to in Article 32 paragraph 1 point 1-5a as regards his/her personal data. 2. At the request of the data subject, the information referred to in paragraph 1 shall be given in writing.
Art. 34 The controller shall refuse to disclose the information referred to in Article 32 paragraph 1 point 1-5a to the data subject if it would lead to: 1) a disclosure of confidential information; 2) a threat to national defense or national security, to life and health of individuals or to public security and public order; 3) a threat to a vital economic or financial interest of the State; 4) a significant breach of personal rights of the data subject or of other persons |