Article 15*
Article 15 – Right of access for the data subject
Commission Proposal
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:
(a) the purposes of the processing; 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1. 4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2). |
EDRi’s proposed amendment:
1. The data subject shall have the right to obtain from the controller at any time, on request, in clear and plain language, confirmation as to whether or not personal data relating to the data subject are being processed, and as to whether the controller takes measures in respect of the data subject that are based on profiles as referred to in Article 20(1). This shall also apply to data which only permit singling out, where the data subject can verifiably authentify him/herself. Where such personal data are being processed, and/or such measures are taken, the controller shall provide the following information:
(a) the purposes of the processing; 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing, including profiles generated through automatic means or when this is not possible, the categories in which these profiles have been placed. Where the data subject makes the request in electronic form, the information shall be provided in electronic form unless otherwise requested by the data subject. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1. 4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2). |
Justification
The proposed amendment strengthen data subjects’ right of access in relation to measures based on profiling, similar to the provisions in the current Directive 95/46/EC.
While the proposed amendment to Article 4 already clarifies that data permitting ‘singling out’, but not linked to a natural person, should be considered personal data, and thus should be covered under the right of access, this amendment specifies once again that access should also be given to such data, where the data subject can identify herself reliably. This helps to reinforce the right of access especially in an online context. An example would be the case where a data subject obtains verification from her ISP that she used a certain IP address at a given time and then uses this information to request access to data collected by a controller on the internet, who else would not be able to answer the request.
Removing the possibility to just provide “categories of recipients” prevents controller from supplying information with useless categories such as “carefully selected third parties”.