Article 15 GDPR. Right of access by the data subject

 

 

Author: Alexander Dix

 

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

 

A. Preliminary remarks

The right of access has always been the data subject’s central individual right. It has therefore been described as “the Magna Carta of Data Protection”[1] and “a cornerstone of data subject’s informational empowerment.”[2] Art. 15 of the Regulation at the same time substantiates the human right of access to data under Art. 8 para. 2 of the Charter of Fundamental Rights of the European Union.[3] The right of access enables the data subject to check whether the data controller processes data concerning him in a lawful manner, and it is often only through the right of access that the data subject is put in a position to exercise his rights to correction (Art. 16), deletion (Art. 17), restriction of processing (Art. 18), portability (Art. 20), the right to object (Art. 21) and the rights in connection with automated decision-making (Art. 22 para. 3).[4] Furthermore, the right of access is an essential part of the fundamental right to effective judicial protection under Art. 47 of the Charter[5] and important for the right to compensation under Art. 82. Thus, the right of access is also an essential element of self-protection (“Selbstdatenschutz”)[6] and of external supervision of data controllers. The exercise of access rights will be greatly facilitated in practice by the development of technical tools and business models,[7] although they may not in every detail “emanate from the law stricto sensu”.[8] Access rights similar to Art. 15 can also be found in a number of non-European jurisdictions.[9]

As opposed to Arts. 13 and 14, the controller under Art. 15 must give information only if the data subject exercises his right. The data subject must fetch the information rather than the controller being obliged to actively provide for transparency. From the controller’s point of view, Art. 15 provides for “passive transparency” (alongside the active obligations under Arts. 13 and 14, which are not diminished by Art. 15). The Court of Justice has stressed the distinct relevance of the right of access under Directive 95/46, which may not be restricted by references to the separate and different obligations to inform.[10] The Court is very likely to take a similar view with regard to the Regulation. Art. 15 does not in itself justify the processing of personal data concerning the data subject for which there is no other legal basis. In particular, personal data may not continue to be stored for the sole purpose of allowing subject access in the future if there is no other need for prolonged storage (Art. 11 para. 1). The Court of Justice has, however, considered the data controller to be obliged to store personal data on recipients and categories of recipients for a limited period.[11] The European Data Protection Board has adopted detailed Guidelines on the right of access.[12]

B. Legislative history

The right of access was first included in an international document in the 1980 OECD Guidelines governing the protection of privacy and transborder flows of personal data.[13] Interestingly, these Guidelines described the right of access as part of the “Individual Participation Principle”. Following this example, the Council of Europe included in its Convention No. 108 on the automatic processing of personal data (the first binding international treaty in this field) an individual’s right “to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form.”[14] The Charter of Fundamental Rights reiterates this right more briefly in its Art. 8 para. 2. Directive 95/46[15] sought to harmonize the rules on data subject access in the European Union without much effect, which may have contributed to the empirical finding that the right of access until the entry into force of the GDPR seems to be “underused and underappreciated in practice”.[16] Art. 15 GDPR has not been subject to particular controversy during the legislative process. However, the Commission’s proposal as well as the comments of the European Parliament – in contrast to Directive 95/46[17] – did not contain an explicit right of access to the precise data processed concerning the data subject (merely to the categories of data). This right was only included in the text on a proposal by the Council. The scope of the right of access was extended considerably in relation to Directive 95/46. In particular, a right to receive a copy of the data processed (Art. 15 para. 3) was adopted as proposed by the Commission.

C. Right of access
I. Area of application

 

Art. 15 applies to any processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (Art. 2 para. 1). This includes – following the broad definition of a filing system[18] – structured paper files which may be accessed following certain criteria (either by names or periods). However, the provision does not apply to data which are processed by a natural person during a purely personal or household activity (Art. 2 para. 2 lit. c). This may include private address directories or calendars,[19] but only if they are not published and no third parties can access them.[20] With regard to social networks – also mentioned in Recital 15 in this context – the right of access of third persons vis-à-vis the user of the network is only excluded when he has limited access to his profile to members of his family or a specific group of persons (“friends”) because the household exception would then apply.[21] Directive (EU) 2016/680 contains an equivalent right of access to data processed by law enforcement agencies, which, however, does not extend to automated decision-making and excludes a right to a copy of the data.[22]

The data subject does not normally have to give reasons or to otherwise legitimize his request by any legal or other interest (→ Art. 12 mn. 23). Exceptions only apply where legal restrictions for the protection of private interests of third parties (Art. 23 para. 1 lit. i) require a case-by-case balancing between these interests and the data subject’s interest in access. According to Recital 63, when the data controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates. However, if this request is not complied with, the controller will have to give complete access.

 

 

[…]

 

 

 

 

[1] E.g. Wedde in Roßnagel, Handbuch Datenschutzrecht, Ch. 4.4, mn. 2.

[2] Ausloos/Dewitte, IDPL 2018, 4, 7.

[3] Cf. Recitals 1 and 2 GDPR; L’Hoiry/Norris, (2015) 5 IDPL 190.

[4] See the settled jurisprudence of the ECJ, most recently judgment of 20.12.2017, C-434/16, ECLI:EU:C:2017:994 (Nowak), para. 57.

[5] ECJ, Judgment of 6.10.2015, C-362/14, ECLI:EU:C:2015:650 (Schrems I), para. 95; ECJ, Judgment of 16.7.2020, C-311/18, ECLI:EU:C:2020:559 (Schrems II), para. 187; European Data Protection Board, Recommendations 2/2020 on the European Essential Guarantees for surveillance measures, para. 43 et seq. See also Art. 79 GDPR.

[6] Cf. Roßnagel in Roßnagel, Handbuch Datenschutzrecht, Ch. 3.4, mn. 74 et seq.; Mallmann in Simitis, BDSG, § 19 mn. 3.

[7] See the references given by Ausloos/Dewitte, IDPL 2018, 4, 28.

[8] Ausloos/Dewitte, IDPL 2018, 28.

[9] Cf. Specht-Riemenschneider in Data Access, Consumer Interests and Public Welfare, 401, 404 et seq.

[10] ECJ, Judgment of 7.5.2009, C-553/07, ECLI:EU:C:2009:293 (Rijkeboer), paras. 67–69.

[11] ECJ, Judgment of 7.5.2009, C-553/07, ECLI:EU:C:2009:293 (Rijkeboer), para. 15.

[12] EDPB, Guidelines 01/2022.

[13] Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980, in: OECD, Thirty Years after the OECD Privacy Guidelines, Annex A.

[14] Art. 8 lit. b Convention No. 108. This will be replaced by Art. 9 (1) lit. b of the modernized Convention No. 108 (not yet in force) which contains a more specific right “to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1.” (Art. 11 Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 10.10.2018 (ETS 223)).

[15] Art. 12 lit. a.

[16] See the detailed analysis by Ausloos/Dewitte, IDPL 2018, 4, 6 et seq., 17.

[17] Art. 12 lit. a.

[18] Art. 4 No. 6.

[19] Recital 8.

[20] Cf. ECJ, Judgment of 11.12.2014, C-212/13, ECLI:EU:C:2014:2428 (Rynes), paras. 32, 33.

[21] Cf. Article 29 Working Party, WP 163, 5–7.

[22] Art. 14.
