
Article 15 GDPR. Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

Expert commentary
Author: Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs for Article 15(2) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.



3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 15(3) GDPR:

8.3.1 Obligations to PII principals

Control

The organization should provide the customer with the means to comply with its obligations related to PII principals.

Implementation guidance

A PII controller's obligations can be defined by legislation, regulation and/or contract.



4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Expert commentary

Data Subject Request Letter Sample

Concern: Request to access my personal data

Dear Madam, Dear Sir,

I would like to know if you have any data concerning me, processed manually or by automated means, whether stored in digital databases or paper files…



ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs for Article 15 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.



Recitals

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
