Right of access
The right of access provides data subjects with the right to find out from the controller whether and, if so, which personal data is stored. The right to access includes the following information, among others:
- Purpose of the data processing
- Duration of data storage
- Origin of data
Consumers must also be informed that they have the following rights:
- Right to file a complaint
- Right to rectification
- Right to restriction of data processing
- Right to erasure
- Right to object
Upon request, data subjects can receive a free copy of the data stored about them, provided that the rights of other persons are not affected (further copies may be subject to a charge). If personal data are transferred to a third country or an international organisation, consumers have the right to be informed of the appropriate guarantees in connection with the transfer.
Where consumer request information from companies, these companies are required to verify consumers’ identities. This is to ensure that requests for information are not submitted for other persons. Yet, companies should not store data for the sole purpose of processing possible right to access requests.
In Germany, some exceptions apply due to the Federal Data Protection Act: In the case of data processing for archiving purposes in the public interest, controllers are not obliged to adhere to the right to access. Likewise, there is no obligation to provide access in the field of research if this would involve a disproportionate effort (see Research purposes). Finally, the right to access does not apply if there is no obligation to provide information either, if data processing is prescribed by law, if it serves to secure data, if the provision of information would be disproportionately time-consuming or if the information would violate secrecy obligations.
Article 15 GDPR (Right of access by the data subject)
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Source: Regulation (EU) 2016/679 (see also recitals 63 and 64)
Section 27(2) BDSG (Data processing for purposes of scientific or historical research and for statistical purposes)
The rights of data subjects provided in Articles 15, 16, 18 and 21 of Regulation (EU) 2016/679 shall be limited to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limits are necessary for the fulfilment of the research or statistical purposes. Further, the right of access according to Article 15 of Regulation (EU) 2016/679 shall not apply if the data are necessary for purposes of scientific research and the provision of information would involve disproportionate effort.
Section 28(2) BDSG (Data processing for archiving purposes in the public interest)
The right of access according to Article 15 of Regulation (EU) 2016/679 shall not apply if the archival material is not identified with the person’s name or no information is given which would enable the archival material to be found with reasonable administrative effort.
Section 29 BDSG (Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligations)
(1) In addition to the exceptions in Article 14 (5) of Regulation (EU) 2016/679, the obligation to provide information to the data subject according to Article 14 (1) to (4) of Regulation (EU) 2016/679 shall not apply as far as meeting this obligation would disclose information which by its nature must be kept secret, in particular because of overriding legitimate interests of a third party. The right of access according to Article 15 of Regulation (EU) 2016/679 shall not apply as far as access would disclose information which by law or by its nature must be kept secret, in particular because of overriding legitimate interests of a third party. In addition to the exception in Article 34 (3) of Regulation (EU) 2016/679, the obligation to inform the data subject of a personal data breach according to Article 34 of Regulation (EU) 2016/679 shall not apply as far as meeting this obligation would disclose information which by law or by its nature must be kept secret, in particular because of overriding legitimate interests of a third party. By derogation from the exception pursuant to the third sentence, the data subject pursuant to Article 34 of Regulation (EU) 2016/679 shall be informed if the interests of the data subject outweigh the interest in secrecy, in particular taking into account the threat of damage.
(2) If in the context of a client-lawyer relationship the data of third persons are transferred to persons subject to a legal obligation of professional secrecy, the transferring body shall not be obligated to inform the data subject according to Article 13 (3) of Regulation (EU) 2016/679 unless the data subject has an overriding interest in being informed.
(3) The supervisory authorities shall not have the investigative powers according to Article 58 (1) (e) and (f) of Regulation (EU) 2016/679 with regard to the persons listed in Section 203 (1), (2a) and (3) of the Criminal Code or their processors as far as exercising these powers would violate these persons’ obligations to secrecy. If in the context of an investigation a supervisory authority becomes aware of data subject to an obligation of secrecy as referred to in the first sentence, the obligation of secrecy shall also apply to the supervisory authority.
Section 34 BDSG (Right of access by the data subject)
(1) In addition to the exceptions in Section 27 (2), 28 (2) and 29 (1), second sentence, the data subject’s right of access according to Article 15 of Regulation (EU) 2016/679 shall not apply if
1. the data subject shall not be informed pursuant to Section 33 (1) no. 1, no. 2 (b) or (3), or
2. the data
a) were recorded only because they may not be erased due to legal or statutory provisions on retention, or
b) only serve purposes of monitoring data protection or safeguarding data,
and providing information would require a disproportionate effort, and appropriate technical and organizational measures make processing for other purposes impossible.
(2) The reasons for the refusal to provide information shall be documented. The data subject shall be informed of the reasons for refusing to provide information, unless providing the reasons in law and in fact on which the decision is based would undermine the intended purpose of refusing to provide the information. Data stored for the purpose of providing information to the data subject and preparing such provision may be processed only for this purpose and for purposes of data protection monitoring; processing for other purposes shall be restricted according to Article 18 of Regulation (EU) 2016/679.
(3) If a public body of the Federation does not provide information to a data subject, such information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would endanger the security of the Federation or a Land. The notification from the Federal Commissioner to the data subject with the results of the data protection assessment shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information.
(4) The data subject shall have the right to information about personal data processed by a public body neither in automated nor in non-automated form and stored in a filing system only if the data subject provides information enabling the data to be located and if the effort required is not disproportionate to the data subject’s interest in the information.