Article 15*

Article 15 – Right of access for the data subject

Commission Proposal

1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;
(d) the period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their source;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Go to related Recital 51

Go to related Recital 52

EDRi’s proposed amendment:

1. The data subject shall have the right to obtain from the controller at any time, on request, in clear and plain language, confirmation as to whether or not personal data relating to the data subject are being processed, and as to whether the controller takes measures in respect of the data subject that are based on profiles as referred to in Article 20(1). This shall also apply to data which only permit singling out, where the data subject can verifiably authentify him/herself. Where such personal data are being processed, and/or such measures are taken, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to including all recipients in third countries;
(d) the period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their source;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
(i) in the case of measures based on profiles, meaningful information about the logic about the logic used in the profiling;
(j) where applicable, in what manner and for what specific purposes the data will be processed for statistical purposes and how will be ensured that data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information.

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing, including profiles generated through automatic means or when this is not possible, the categories in which these profiles have been placed. Where the data subject makes the request in electronic form, the information shall be provided in electronic form unless otherwise requested by the data subject.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Justification

The proposed amendment strengthen data subjects’ right of access in relation to measures based on profiling, similar to the provisions in the current Directive 95/46/EC.

While the proposed amendment to Article 4 already clarifies that data permitting ‘singling out’, but not linked to a natural person, should be considered personal data, and thus should be covered under the right of access, this amendment specifies once again that access should also be given to such data, where the data subject can identify herself reliably. This helps to reinforce the right of access especially in an online context. An example would be the case where a data subject obtains verification from her ISP that she used a certain IP address at a given time and then uses this information to request access to data collected by a controller on the internet, who else would not be able to answer the request.

Removing the possibility to just provide “categories of recipients” prevents controller from supplying information with useless categories such as “carefully selected third parties”.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Cancel

Connecting to %s

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
  • EDRi.org
%d bloggers like this: