Rina Steenkamp | My annotated GDPR | Chapter III | Section 2

Article 15(1)

1. Subject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed, and in clear and plain language, the following information:

(a) the purposes of the processing for each category of personal data;
(b) the categories of personal data concerned;
(c) the recipients to whom the personal data are to be or have been disclosed, including to recipients in third countries;
(d) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) (deleted)
(h) the significance and envisaged consequences of such processing;
(ha) meaningful information about the logic involved in any automated processing;
(hb) without prejudice to Article 21, in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made.

Article 15(2)

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic and structured format, unless otherwise requested by the data subject. Without prejudice to Article 10, the controller shall take all reasonable steps to verify that the person requesting access to the data is the data subject.

Article 15(2a)

2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.

Article 15(2b)

2b. This Article shall be without prejudice to the obligation to delete data when no longer necessary under Article 5(1)(e).

Article 15(2c)

2c. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of Article 14(5)(da) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.

Article 15(3)

3. (deleted)

Article 15(4)

4. (deleted)

[Source: October 2013]

Recital 51

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what estimated period, which recipients receive the data, what is the general logic of the data that are undergoing the processing and what might be the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Recital 51a

(51a) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract. Providers of information society services should not make the transfer of those data mandatory for the provision of their services.

Recital 52

(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Article 15(1) [Amended: October 2013]

1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;
(d) the period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their source;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

Article 15(2) [Amended: October 2013]

Article 15(3) [Deleted: October 2013]

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

Article 15(4) [Deleted: October 2013]

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 51 [Amended: October 2013]

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Recital 52

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]

Directive 95/46/EC

General Data Protection Regulation:	Directive 95/46/EC:
Article 15(1)	Article 12, point (a)
Article 15(2)	Article 12, point (a)

Chapter II General rules on the lawfulness of the processing of personal data

Section V The data subject's right of access to data

Article 12 Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:
- - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);
[...]

My annotated General Data Protection Regulation

Article 15 Right to access and to obtain data for the data subject

October 2013

Article 15(1)

Article 15(2)

Article 15(2a)

Article 15(2b)

Article 15(2c)

Article 15(3)

Article 15(4)

Recital 51

Recital 51a

Recital 52

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 15(1) [Amended: October 2013]

Article 15(2) [Amended: October 2013]

Article 15(3) [Deleted: October 2013]

Article 15(4) [Deleted: October 2013]

Recital 51 [Amended: October 2013]

Recital 52

Directive 95/46/EC

Cross-reference

Chapter II General rules on the lawfulness of the processing of personal data

Section V The data subject's right of access to data

Article 12 Right of access