Right of access by the data subject
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;
(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;
(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;
(44) Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;
The Regulation does not actually provide for anything new as to the right to access but accepts the principle contained in the Directive: the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
Specific information must be given pursuant to the right of access. Compared to the previous system, new information elements are provided for, such as, in particular, the obligation to inform the data subject about the period of storage, of their right to rectification and erasure, of their right to lodge a complaint with a supervisory authority, of the specific safeguards taken in case of data transfer to a third country or an international organization or information on the existence of an automated decision including profiling.
If so requested, the data subject is entitled to be issued a copy of the data. Such copy must be free of charge because the final text provide for a payment of fees on the basis of the administrative costs of controller for the subsequent copies only. On the other hand, the text says nothing about the possible costs related to the access without a copy (while the previous version explicitly provided for the free access with no payment at regular intervals). The provision also states that the information may be provided electronically, unless otherwise requested, when the request for access was made electronically.
Finally, the final version of the Regulation stipulates in paragraph 4 that the right to obtain a copy must not adversely affect the rights and freedoms of others. In the previous version of the Regulation, an exception to the right to obtain a copy could be made if the issue of copies involved the disclosure of confidential data or was likely to infringe intellectual property rights on processing.
In its Article 12, the Directive already granted a broad right of access to e data to data subjects.
For controllers who have already implemented a procedure for access to their processing, the new provision will bring an update only.
The only exception to the right to obtain a copy of data undergoing processing in Article 15 (4) however, leaves us puzzled. According to this provision, the right to obtain a copy may not adversely affect the rights and freedoms of others.
The exception is dangerous insofar as it is formulated too broadly and that it seems to imply that any conflict between, on one hand, the right to obtain a copy and, on the other hand, the rights and freedoms of others will be always settled to the prejudice to the first one, which would be unacceptable.
European Data Protection Board (EDPB)
Guidelines on data subject rights - Right of access - 1/2022 (18 January 2022)
The right of access of data subjects is enshrined in Arti. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Aim and overall structure of the right of access
The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data so that they can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. This will make it easier - but is not a condition - for the individual to exercise other rights such as the right to erasure or rectification. The right of access according to data protection law is to be distinguished from similar rights with other objectives, for example the right of access to public documents which aims at guaranteeing transparency in public authorities’ decision-making and good administrative practice. However, the data subject does not have to give reasons for the access request and it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing or exercise other rights. The controller will have to deal with the request unless it is clear that the request is made under other rules than data protection rules. The right of access includes three different components:
- Confirmation as to whether data about the person is processed or not,
- Access to this personal data and
- Access to information about the processing, such as purpose, categories of data and recipients, duration of the processing, data subjects’ rights and appropriate safeguards in case of third country transfers.
General considerations on the assessment of the data subject’s request
When analysing the content of the request, the controller must assess whether the request concerns personal data of the individual making the request, whether the request falls within the scope of Art. 15 and whether there are other, more specific, provisions that regulate access in a certain sector. It must also assess whether the request refers to all or only parts of the data processed about the data subject. There are no specific requirements on the format of a request. The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject. However, the data subject is not required to use these specific channels and may instead send the request to an official contact point of the controller. The controller is not obliged to act on requests that are sent to completely random, or apparently incorrect, addresses. Where the controller is not able to identify data that refers to the data subject, it shall inform the data subject about this and may refuse to give access unless the data subject provides additional information that enables identification. Further more, if the controller has doubts about whether the data subject is who they claim to be, the controller must request additional information in order to confirm the identity of the data subject. The request for additional information must be proportionate to the type of data processed, the damage that could occur etc. in order to avoid excessive data collection.
Scope of the right of access
The scope of the right of access is determined by the scope of the concept of personal data as defined in Art. 4(1) GDPR. Aside from basic personal data like name, address, phone number etc. a broad variety of data may fall within this definition like medical findings, history of purchases, creditworthiness indicators, activity logs, search activities etc. Personal data which have undergone pseudonymisation are still personal data as opposed to anonymised data. The right of access refers to personal data concerning the person making the request. This should not be interpreted overly restrictively and may include data that could concern other persons too, for example communication history involving incoming and outgoing messages. In addition to providing access to the personal data, the controller has to provide additional information about the processing and on data subjects’ rights. Such information can be based on what is already compiled in the controller’s record of processing activities (Art. 30) and the privacy notice (Art. 13 and 14). However, this general information may have to be updated to the time of the request or tailored to reflect the processing operations that are carried out in relation to the specific person making the request.
How to provide access
The ways to provide access may vary depending on the amount of data and the complexity of the processing that is carried out. Unless explicitly stated otherwise, the request should be understood as referring to all personal data concerning the data subject and the controller may ask the data subject to specify the request if they process a large amount of data. The controller will have to search for personal data throughout all IT systems and non-IT filing systems based on search criteria that mirrors the way in which the information is structured, for example name and customer number. The communication of data and other information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The more precise requirements in this regard depend on the circumstances of the data processing as well as the data subject’s ability to grasp and comprehend the communication (for example taking into account that the data subject is a child or a person with special needs). If the data consists of codes or other “raw data”, these may have to be explained in order to make sense to the data subject. The main modality for providing access is to provide the data subject with a copy of their data but other modalities (such as oral information and on site access) can be foreseen if the data subject requests it. The data can be sent by e-mail, provided that all necessary safeguards are applied taken into consideration, for example, the nature of the data, or in other ways, for example a self-service tool. Sometimes, when the amount of data is very vast and it would be difficult for the data subject to comprehend the information if given all in one bulk – especially in the online context - the most appropriate measure could be a layered approach. Providing information in different layers may facilitate the data subject’s understanding of the data. The controller must be able to demonstrate that the layered approach has an added value for the data subject and all layers should be provided at the same time if the data subject requests it.
The copy of the data and the additional information should be provided in a permanent form such as written text, which could be in a commonly used electronic form, so that the data subject can easily download it. The data can be given in a transcript or a compiled form as long as all the information is included and this does not alter or change the content of the information. The request must be fulfilled as soon as possible and in any event within one month of receipt of the request. This can be extended by two further months where necessary, taking into account the complexity and number of the request. The data subject then has to be informed about the reason for the delay. The controller must implement necessary measures to deal with requests as soon as possible and adapt these measures to the circumstances of the processing. Where data is stored only for a very short period, there must be measures to guarantee that a request for access can be fulfilled without the data being erased while the request is being dealt with. Where a large amount of data is processed, the controller will have to put in place routines and mechanisms that are adapted to the complexity of the processing. The assessment of the request should reflect the situation at the moment when the request was received by the controller. Even data that may be incorrect or unlawfully processed will have to be provided. Data that has already been deleted, for example in accordance with a retention policy, and therefore is no longer available to the controller does not have to be provided.
Limits and restrictions
The GDPR allows for certain limitations of the right of access. There are no further exemptions or derogations. The right of access is without any general reservation to proportionality with regard to the efforts the controller has to take to comply with the data subject´s request. According to Art. 15(4) the right to obtain a copy shall not adversely affect the rights and freedoms of others. The EDPB is of the opinion that these rights must be taken into consideration not only when granting access by providing a copy, but also, if access to data is provided by other means (on-site access for example). Art. 15(4) is not, however, applicable to the additional information on the processing as stated in Art. 15(1) lit. a.-h. The controller must be able to demonstrate that the rights or freedoms of others would be adversely affected in the concrete situation. Applying Art. 15(4) should not result in refusing the data subject’s request altogether; it would only result in leaving out or rendering illegible those parts that may have negative effects for the rights and freedoms of others. Art. 12(5) allows controllers to reject requests that are manifestly unfounded or excessive, or to charge a reasonable fee for such requests. These concepts have to be interpreted narrowly. Since there are very few prerequisites regarding access requests, the scope of considering a request as manifestly unfounded is rather limited. Excessive requests depend on the specifics of the sector in which the controller operates. The more often changes occur in the controller’s data base, the more often the data subject may be permitted to request access without it being excessive. Instead of refusing access, the controller may decide to charge a fee from the data subject. This would only be relevant in the case of excessive requests in order to cover the administrative costs that such requests may cause. The controller must be able to demonstrate the manifestly unfounded or excessive character of a request. Restrictions of the right of access may also exist in Member States’ national law as per Art. 23 GDPR and the derogations therein. Controllers who intend to rely on such restrictions must carefully check the requirements of the national provisions and take note of any specific conditions that may apply. Such conditions may be that the right of access is only temporarily delayed or that the restriction only applies to certain categories of data.
Article 29 Working Party
Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 - wp251rev.01 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.
Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.
Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.
The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.
Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:
- increased efficiencies; and
- resource savings.
They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.
However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.
These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.
Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.
The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.
This document covers:
- Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
- General provisions on profiling and automated decision-making – Chapter III
- Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
- Children and profiling – Chapter V
- Data protection impact assessments and data protection officers– Chapter VI
The Annexes provide best practice recommendations, building on the experience gained in EU Member States.
The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.
C-553/07 (7 May 2009) - Rijkeboer
Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller.
Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.
C-486/12 (12 December 2013) - X
1. Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding the levying of fees in respect of the communication of personal data by a public authority.
2. Article 12(a) of Directive 95/46 must be interpreted as meaning that, in order to ensure that fees levied when the right to access personal data is exercised are not excessive for the purposes of that provision, the level of those fees must not exceed the cost of communicating such data. It is for the national court to carry out any verifications necessary, having regard to the circumstances of the case.
C-131/12 (13 May 2014)
1. Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).
2. Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.
3. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
4. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.
C-141/12 ; C-372/12 (17 July 2014) - YS e.a.
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.
2. Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.
3. Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.
C-398/15 (9 March 2017) - Manni
Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
1st proposal close
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;
(d) the period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their source;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2nd proposal close
1. The data subject shall have the right to obtain from the controller at
reasonable intervals and free of charge (...) confirmation as to whether or not personal data concerning him or her are being processed and w here such personal data are being processed access to the data and the following information:
(a) the purposes of the processing;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to a supervisory authority (...) ;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) in the case of decisions based on automated processing including profiling referred to in Article 20(1) and (3), information concerning the logic involved as well as the significance and envisaged consequences of such processing.
1a. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 42 relating to the transfer.
1b. On request and without an excessive charge, the controller shall provide a copy of the personal data undergoing processing to the data subject.
2a. The right to obtain a copy referred to in paragraph 1b (...) shall not apply where such copy cannot be provided without disclosing personal data of other data subjects or confidential data of the controller. Furthermore, this right shall not apply if disclosing personal data would infringe intellectual property rights in relation to processing of those personal data.
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
In force until May 25, 2018:
Right to Information
§ 26 DSG 2000
(1) A controller shall provide any person or group of persons with information about the data being processed about the person or the group of persons who so request in writing and prove his/her identity in an appropriate manner. Subject to the agreement of the controller, the request for information can be made orally. The information shall contain the processed data, the information about their origin, the recipients or categories of recipients of transmissions, the purpose of the use of data as well as its legal basis in intelligible form. Upon request of a data subject, the names and addresses of processors shall be disclosed in case they are charged with processing data relating to him. If no data of the person requesting information exist it is sufficient to disclose this fact (negative information). With the consent of the person requesting information, the information may be provided orally alongside with the possibility to inspect and make duplicates or photocopies instead of being provided in writing.
(2) The information shall not be given insofar as this is essential for the protection of the person requesting information for special reasons or insofar as overriding legitimate interests pursued by the controller or by a third party, especially overriding public interests, are an obstacle to furnishing the information. Overriding public interests can arise out of the necessity
1. to protect of the constitutional institutions of the Republic of Austria or
2. to safeguard of the operational readiness of the federal army or
3. to safeguard the interests of comprehensive national defence or
4. to protect important foreign policy, economic or financial interests of the Republic of Austria or the European Union or
5. to prevent and prosecute crimes.
The right to refuse information for the reasons stated in sub-paras. 1 to 5 is subject to control by the Data Protection Authority pursuant to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4.
(3) Upon inquiry, the person requesting information has to cooperate in the information procedure to a reasonable extent to prevent an unwarranted and disproportionate effort on the part of the controller.
(4) Within eight weeks of the receipt of the request, the information shall be provided or a reason given in writing why the information is not or not completely provided. The information may be refused if the person requesting information has failed to cooperate in the procedure according to para. 3 or has not reimbursed the costs.
(5) In the areas of the executive responsible for the fields described in para. 2 sub-para. 1 to 5, the procedure in a case where public interests require that no information be given shall be as follows:
In all cases where no information is given even when in fact no data on the person requesting information is used instead of giving a reason in substance, an indication shall be given that no data are being used which are subject to the right to information. The legality of such course of action is subject to review by the Data Protection Authority pursuant to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4.
(6) The information shall be given free of charge if it concerns the current data files of a use of data and if the person requesting information has not yet made a request for information to the same controller regarding the same application purpose in the current year. In all other cases a flat rate compensation of 18, 89 Euro may be charged; deviations are permitted to cover actually incurred higher expenses. A compensation already paid shall be refunded, irrespective of any claims for damages, if data have been used illegally or if the information has otherwise led to a correction.
(7) As of the moment the controller has knowledge of a request for information, the controller shall not erase the data relating to the person requesting information until four months have passed or in case a complaint is lodged with the Data Protection Authority pursuant to § 31, until the final conclusion of the proceedings. This deadline does not apply if a request for deletion by the person requesting information corresponds to § 27 para 1 sub-para. 2 or § 28.
(8) To the extent a data application is by law open to inspection by a person or group of persons with regard to data processed on them they shall have the right to information in accordance with the provisions providing the right to inspect. To the procedure of inspection (and its refusal) the regulations of the law providing the right of inspection are to be applied. Parts of an information according to para 1 that are not covered by the right of inspection may, however, be asserted according to this federal law.
(9) For information on Criminal Records, the special regulations of the Criminal Records Act 1968 shall apply.
(10) In case legal provisions lead to a qualification as controller, though the data are processed for a third party in order to carry out a job (§ 4 para 1 sub-para. 4 last sentence), the person requesting information may also first direct the request for information to the entity that ordered the job. This entity has to provide the person requesting information, to the extent the one does not know already, with the name and address of the effective controller within two weeks, free of costs, so that the person requesting information may assert his right of information according to para 1 against him. In case a request for information is directed to a service provider and is obvious that the person requesting information mistakes him for the controller of the data application operated by him, the service provider shall forward the request for information immediately to the controller and to inform the person requesting information, that no data are processed by him as controller. Within eight weeks after the request for information has been received by the service provider the controller has to grant information to the person requesting information or argue in writing, for which reason it is not granted or not completely. In those sectors of public administration what are charged to implement the functions named in para 2 sub-para. 1 to 5, information shall not be given to the extent necessary for the protection of public interests. If, subsequently, the request is directed to the controller, such has to act according to para 5. To operators of joint information systems § 50 para 1 is to be applied exclusively.
(1) The data subject shall, at his request, be provided with information on
1. stored data concerning him, including any reference in them to their origin,
2. the recipients or categories of recipients to whom the data are transmitted, and
3. the purpose of storage.
The request should specify the type of personal data on which information is to be provided. If the personal data are stored neither by automated procedures nor in non-automated filing systems, information shall be provided only in so far as the data subject supplies particulars making it possible to locate the data and the effort needed to provide the information is not out of proportion to the interest in such information expressed by the data subject. The controller shall exercise due discretion in determining the procedure for providing such information and, in particular, the form in which it is provided.
(2) Sub-Section 1 above shall not apply to personal data which are stored merely because they may not be erased due to legal, statutory or contractual provisions on their retention or exclusively serve purposes of data security or data protection control and the provision of information would require disproportionate effort.
(3) If the provision of information relates to the transfer of personal data to authorities for the protection of the constitution, to the Federal Intelligence Service, the Federal Armed Forces Counterintelligence Office and, where the security of the Federation is concerned, other authorities of the Federal Ministry of Defence, it shall be admissible only with the consent of such bodies.
(4) Information shall not be provided if
1. this would be prejudicial to the proper performance of the duties of the controller,
2. this would impair public safety or order or otherwise be detrimental to the Federation or a Land or
3. the data or the fact that they are being stored must be kept secret in accordance with a legal provision or by virtue of their nature, in particular on account of an overriding justified interest of a third party
and for this reason the interest of the data subject in the provision of information must be subordinated.
(5) Reasons need not be stated for the refusal to provide information if the statement of the actual and legal reasons on which the decision is based would jeopardize the purpose pursued by refusing to provide information. In such case it shall be pointed out to the data subject that he/she may appeal to the Federal Commissioner for Data Protection and Freedom of Information.
(6) If no information is provided to the data subject, it shall at his/her request be supplied to the Federal Commissioner for Data Protection and Freedom of Information unless the relevant supreme federal authority determines in a particular case that this would jeopardize the security of the Federation or a Land. The transfer from the Federal Commissioner to the data subject must not allow any conclusions to be drawn as to the knowledge at the disposal of the controller, unless the latter consents to more extensive information being provided.
(7) Information shall be provided free of charge.
Provision of information to the data subject
(1) At the request of the data subject, the controller shall provide information
1. on stored data about the data subject, also where they refer to the origin of these data,
2. on the recipient or type of recipients to whom the data are provided, and
3. the reason for storage.
The data subject should provide a detailed description of the type of personal data he or she would like information about. If the personal data are commercially stored for the purpose of transfer, information about the origin and the recipients shall be provided even if this information is not stored. Information about the origin and recipients may be withheld if the interest in protecting trade secrets outweighs the data subject’s interest in the information.
(1a) In the cases covered by Section 28 (3) fourth sentence, the transferring body shall store the origin of the data and the recipient for two years following the transfer and shall provide the data subject with information about the origin of the data and the recipient upon request. The first sentence shall apply to the recipient accordingly.
(2) In the cases covered by Section 28b, the decision-making body shall provide the data subject with the following information upon request:
1. probability values calculated or stored for the first time within the six months preceding the receipt of the information request,
2. the types of data used to calculate the probability values, and
3. how probability values are calculated and their significance, with reference to the individual case and in a form understandable to a general audience.
The first sentence shall apply mutatis mutandis when the decision-making body
1. stores the data used to calculate probability values without reference to specific persons but creates such reference when calculating the probability value, or
2. uses data stored by another body.
If a body other than the decision-making body calculated
1. the probability value or
2. one component of the probability value,
it shall provide the decision-making body at its request with the information necessary to satisfy the information claims under the first and second sentences. In the cases covered by sentence 3 No. 1, the decision-making body shall provide the data subject with the name and address of the other body as well as the information necessary to reference the individual case, so that the data subject may assert his/her claim to information, where the decision-making body does not provide this information itself. In this case, the body that calculated the probability value shall fulfil the data subject’s request for information under the first and second sentences free of charge. The body responsible for calculating the probability value shall not be subject to the obligation referred to in the third sentence where the decision-making body uses its right under the fourth sentence.
(3) Any body which stores personal data commercially for the purpose of transfer shall provide the data subject upon request information about stored data concerning the data subject, even where these data are neither processed by automatic procedures nor stored in a non-automated filing system. The data subject shall be informed also about data
which currently have no reference to specific persons but for which the controller is to create such reference when responding to the information request,
which the controller does not store but uses for the purpose of providing information.
Information about the origin and recipients may be withheld if the interest in protecting trade secrets outweighs the data subject’s interest in the information.
(4) Any body which collects, stores or modifies personal data commercially for the purpose of transfer shall provide the data subject upon request information about
1. probability values for certain future action by the data subject transferred within the twelve months preceding the receipt of the information request, as well as the names and last-known addresses of third parties to whom the values were transferred,
2. probability values at the time of the information request calculated according to the method used by the calculating body,
3. the types of data used to calculate the probability values under Nos. 1 and 2, and
4. how probability values are calculated and their significance, with reference to the individual case and in a form understandable to a general audience.
The first sentence shall apply mutatis mutandis when the responsible body
1. stores the data used to calculate probability values without reference to specific persons but creates such reference when calculating the probability value, or
2. uses data stored by another body.
(5) Data stored for the purpose of providing information to data subjects pursuant to sub-sections 1a to 4 may be used only for this purpose and for data protection control; they shall be blocked for other purposes.
(6) Upon request, the information shall be provided in written form, unless another form would be more appropriate in the circumstances.
(7) There shall be no obligation to provide information when the data subject does not have to be notified in accordance with Section 33 (2) first sentence Nos. 2, 3 and 5 to 7.
(8) The information shall be free of charge. If the personal data are stored commercially for the purpose of transfer, the data subject may request information in written form once per calendar year free of charge. For each additional request a fee may be charged, if the data subject can use the information for commercial purposes with respect to third parties. The fee may not exceed the direct costs of providing the information. No fee may be charged if
1. there is reason to believe that data are stored improperly or without permission, or
2. the information shows that the data are to be corrected under Section 35 (1) or to be erased under Section 35 (2) second sentence No. 1.
(9) If a fee is charged to provide information, the data subject shall be given the possibility of personal information about the data concerning him/her within the framework of his/her entitlement to information. The data subject shall be informed of this possibility.