Rina Steenkamp - Privacy and technology
Chapter III Rights of the data subject
Section 2 Information and access to data
1. Subject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed, and in clear and plain language, the following information:
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic and structured format, unless otherwise requested by the data subject. Without prejudice to Article 10, the controller shall take all reasonable steps to verify that the person requesting access to the data is the data subject.
2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.
2b. This Article shall be without prejudice to the obligation to delete data when no longer necessary under Article 5(1)(e).
2c. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of Article 14(5)(da) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.
3. (deleted)
4. (deleted)
[Source: October 2013]
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what estimated period, which recipients receive the data, what is the general logic of the data that are undergoing the processing and what might be the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
(51a) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract. Providers of information society services should not make the transfer of those data mandatory for the provision of their services.
(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.
[Source: October 2013 | Notes: Recitals | Context: Recitals]
Article 15 provides the data subject's right of access to their personal data, building on Article 12(a) of Directive 95/46/EC and adding new elements, such as to inform the data subjects of the storage period, and of the rights to rectification and to erasure and to lodge a complaint.
[Source: January 2012 | Context: Proposal from the European Commission]
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
[Source: January 2012 | Context: Proposal from the European Commission]
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.
[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]
General Data Protection Regulation: | Directive 95/46/EC: |
---|---|
Article 15(1) | Article 12, point (a) |
Article 15(2) | Article 12, point (a) |
Member States shall guarantee every data subject the right to obtain from the controller: