The right to information under Article 15 of the GDPR is one of the rights of the data subject under the GDPR. How far this right should ultimately go in practice is legally considered controversial. Now, the European Data Protection Board (EDSA; also "European Data Protection Board") has issued a first draft of a guideline on Art. 15 GDPR and the right of access. Even though this is only a first draft, which will now initially be the subject of a public consultation process, it can be said that the EDSA is positioning itself in favor of a broad interpretation for data subjects.

Learn the details of the content of this draft guideline here.

Content of the right to information according to Art. 15 DSGVO

The right of access is intended to enable the data subject to easily obtain information about the processing of his or her own personal data. In this way, the data subject should be able to verify the lawfulness of the processing and the accuracy of the data. This also serves to facilitate the exercise of other data subject rights.

If the data subject makes a request for information, however, he or she does not have to give a reason. The controller is therefore not in a position to refuse the request because the data subject would not be able to check the lawfulness or assert other rights. The data controller must provide information in response to the request, unless the request is manifestly unfounded or excessive.

Roughly speaking, the right to information can be divided into three components in terms of content:

  • The information whether data about the person of the data subject have been processed or not
  • The provision of the respective personal data
  • The information about the processing (e.g. purpose, categories of data and recipients, duration of processing, etc.)

Content: Information about the processing

The controller must evaluate whether the request for information actually relates to personal data of the data subject. In addition, it must be taken into account whether this data falls within the scope of Art. 15 GDPR at all or whether more specific regulations apply in the area of activity of the controller, which may restrict the information.

There are no special requirements regarding the format of the information. The controller shall provide the information through an appropriate channel suitable for the data subject. Unless otherwise specified in the request, the data controller must provide information about all processed data. In doing so, he must search all of his systems.

If the data controller does not find any data of the data subject, he shall also inform the data subject of this. In this case, or if the data controller has doubts about the identity of the data subject, it may request further information (appropriate with regard to the category of data that may be affected) for identification purposes.

Scope: making the data available

The EDSA also addresses the question of the scope of the right of access. In this regard, the EDSA refers to the definition of personal data in Art. 4 I GDPR.

In addition to providing information about all processed data that fall under this definition, the controller must also provide information about the form of processing and the possible rights of the data subject.

Limits of the right of access according to Art. 15 GDPR

The effort required to obtain information must always be proportionate. In addition, no rights or freedoms of third parties may be violated. The existence of these constellations must then be made clear by the person responsible, if necessary.

The responsible party may also refuse requests that are obviously unfounded or excessive. According to the EDSA, this is only the case in a very small number of narrowly defined cases.

In addition, the right of access may also be restricted by national law (in Germany, e.g., the BDSG) (Art. 23 GDPR).

Details for practice

The text of the Draft EDSA can be viewed online. In it, EDSA addresses all the issues raised here in great detail.

If you have any questions about the right to information and its implementation, our team of experts will be happy to help you!

DSB buchen