Article 15
Right of access by the data subject
41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;
(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;
(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;
(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;
Regulation
Art. 15 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. |
Directive
Art. 12 Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense: - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed, - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1); (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort. |
Spain
Article 14. Right to consult the General Data Protection Register.- Organic Law 15/1999 on the protection of Personal Data.- Anyone may consult the General Data Protection Register to learn about the existence of personal data, their purpose and the identity of the controller. The General Register shall be open to public consultation free of charge. Article 15.- Right of access.- Organic Law 15/1999 on the protection of Personal Data.- 1. The data subject shall have the right to request and obtain free of charge information on his personal data subjected to processing, on the origin of such data and on their communication or intended communication. 2. The information may be obtained by simply displaying the data for consultation or by indicating the data subjected to processing in writing, or in a copy, fax or photocopy, whether certified a true copy or not, in legible and intelligible form, and without using keys or codes which require the use of specific devices. 3. The right of access referred to in this Article may be exercised only at intervals of not less than twelve months, unless the data subject can prove a legitimate interest in doing so, in which case it may be exercised before then. Article 27.- RIght of Access.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. The right of access is the right of the data subject to obtain information about whether his own personal data is subject to processing, the purpose of the processing that, if appropriate, is being done, as well as the information available on the origin of such data and the communications made or planned for them. 2. By virtue of the right of access the data subject may obtain from the data controller information regarding specific data, data included in a certain file, or the entire set of his data subjected to processing. The aforesaid notwithstanding, when reasons of particular complexity justify it, the data controller may ask the data subject to specify the files for which he wishes to exercise the right of access, for which purpose he shall provide him a list of all the files. 3. The right of access is independent from that granted to data subjects by special laws and in particular by Act 30/1992, of 26 November, on the Legal System of the Public Administration and the Common Administrative Procedure. Article 28.- Exercising the Right of Access.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. Upon exercising the right of access, the data subject may choose to receive the information through one or several of the following file consultation systems: a) Screen display. b) Letter, copy or photocopy sent by post, registered or not. c) Facsimile. d) E-mail or other electronic communication systems. e) Any other system that is suitable to the configuration or material implementation of the filing system or to the nature of the processing, offered by the data controller. 2. The file consultation systems provided in the previous subsection may be restricted depending on the configuration or material implementation of the filing system or the nature of the processing, whenever that offered to the data subject is free and ensures written communication if so required. 3. Upon facilitating access the data controller shall comply with the provisions of Title VIII hereof. Should the data controller offer a specific system for the effective exercise of the right of access and the data subject rejects it, the data controller shall not be liable for the possible risks to the security of the information that may arise from the choice. Similarly, if the data controller offers a specific system for the effective exercise of the right of access and the data subject demands it be done through a procedure that involves a disproportionate cost, being similarly effective and guaranteeing the same security as the procedure offered by the data controller, the costs arising from such a decision shall be at the expense of the data subject. Article 29.- Granting Access.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. The data controller shall settle the request for access within one month from its receipt. On the expiry of this time limit, if the request for access has not been expressly answered, the data subject may file a claim provided in Article 18 of Organic Law 15/1999, of 13 December. Should the data controller not hold data subject’s personal data, he shall equally communicate this within the same period of time. 2. If the request is upheld and the data controller does not include in his communication the information to which Article 27.1 refers, access shall be made effective within the ten days following such communication. 3. The information provided, by whatever means, shall be legible and understandable, without using keys or codes that require the use of specific mechanical devices. Such information shall comprise all the basic data of the data subject, those resulting from any computer process or preparation, as well as the information available on the origin of the data, their recipients and specification of the particular uses and purposes for which data has been stored. Article 30.- Denial of Access.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. The data controller may deny access to the personal data when the right has already been exercised during the twelve months prior to the request, unless a legitimate interest is accredited for this purpose. 2. Access may also be denied if thus provided by law or a directly applicable community rule of law or when these prevent the data controller from disclosing to data subjects the processing of the data to which the access refers. 3. In any case, the data controller shall inform the data subject of his right to obtain the protection of the Spanish Data Protection Agency or, if appropriate, the supervisory authorities of the Autonomous Communities, pursuant to the provisions of Article 18 of Organic Law 15/1999, of 13 December.
|