1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
(EN) ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.
Here are the relevant paragraphs for Article 15(2) GDPR:
7.3.2 Determining information for PII principals
Control
The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.
Implementation guidance
The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.
Depending on the requirements, the information can take the form of a notice. Examples of types of information that can be provided to PII principals are:
— information about the purpose of the processing;
— contact details for the PII controller or its representative;
— information about the lawful basis for the processing;
— information on where the PII was obtained, if not obtained directly from the PII principal;
— information about whether the provision of PII is a statutory or contractual requirement, and where appropriate, the possible consequences of failure to provide PII;
— information on obligations to PII principals, as determined in 7.3.1, and how PII principals can benefit from them, especially regarding accessing, amending, correcting, requesting erasure, receiving a copy of their PII and objecting to the processing;
— information on how the PII principal can withdraw consent;
— information about transfers of PII;
— information about recipients or categories of recipients of PII;
— information about the period for which the PII will be retained;
— information about the use of automated decision making based on the automated processing of PII;
— information about the right to lodge a complaint and how to lodge such a complaint;
— information regarding the frequency with which information is provided (e.g. “just in time” notification, organization defined frequency, etc.).
The organization should provide updated information if the purposes for the processing of PII are changed or extended.
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates). The organization should document compliance to such requirements as the basis for transfer.
Some jurisdictions can require that information transfer agreements be reviewed by a designated supervisory authority. Organizations operating in such jurisdictions should be aware of any such requirements.
NOTE Where transfers take place within a specific jurisdiction, the applicable legislation and/or regulation are the same for the sender and recipient.
7.5.2 Countries and international organizations to which PII can be transferred
Control
The organization should specify and document the countries and international organizations to which PII can possibly be transferred.
Implementation guidance
The identities of the countries and international organizations to which PII can possibly be transferred in normal operations should be made available to customers. The identities of the countries arising from the use of subcontracted PII processing should be included. The countries included should be considered in relation to 7.5.1.
Outside of normal operations, there can be cases of transfer made at the request of a law enforcement authority, for which the identity of the countries cannot be specified in advance, or is prohibited by applicable jurisdictions to preserve the confidentiality of a law enforcement investigation (see 7.5.1, 8.5.4 and 8.5.5).
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
(EN) ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph for Article 15(3) GDPR:
8.3.1 Obligations to PII principals
Control
The organization should provide the customer with the means to comply with its obligations related to PII principals.
Implementation guidance
A PII controller’s obligations can be defined by legislation, by regulation and/or by contract. These obligations can include matters where the customer uses the services of the organization for implementation of these obligations. For example, this can include the correction or deletion of PII in a timely fashion.
Where a customer depends on the organization for information or technical measures to facilitate meeting the obligations to PII principals, the relevant information or technical measures should be specified in a contract.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-Lex, 02016R0679-20160504.
Concern: Request to access my personal data
Dear Madam, Dear Sir,
I would like to know if you have any data concerning me, processed manually or by automated means, whether stored in digital databases or paper files…
[…]
(EN) ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.
Here are the relevant paragraphs for Article 15 GDPR:
7.3.8 Providing copy of PII processed
Control
The organization should be able to provide a copy of the PII that is processed when requested by the PII principal.
Implementation guidance
The organization should provide a copy of the PII that is processed in a structured, commonly used, format accessible by the PII principal.
Some jurisdictions define cases where the organization should provide a copy of the PII processed in a format allowing portability to the PII principals or to recipient PII controllers (typically structured, commonly used and machine readable).
The organization should ensure that any copies of PII provided to a PII principal relate specifically to that PII principal.
Where the requested PII has already been deleted subject to the retention and disposal policy (as described in 7.4.7), the PII controller should inform the PII principal that the requested PII has been deleted.
In cases where the organization is no longer able to identify the PII principal (e.g. as a result of a de-identification process), the organization should not seek to (re-)identify the PII principals for the sole reason of implementing this control. However, in some jurisdictions, legitimate requests can require that additional information should be requested from the PII principal to enable re-identification and subsequent disclosure.
Where technically feasible, it should be possible to transfer a copy of the PII from one organization directly to another organization, at the request of the PII principal.
7.3.9 Handling requests
Control
The organization should define and document policies and procedures for handling and responding to legitimate requests from PII principals.
Implementation guidance
Legitimate requests can include requests for a copy of PII processed, or requests to lodge a complaint.
Some jurisdictions allow the organization to charge a fee in certain cases (e.g. excessive or repetitive requests).
Requests should be handled within the appropriate defined response times.
Some jurisdictions define response times, depending on the complexity and number of the requests, as well as requirements to inform PII principals of any delay. The appropriate response times should be defined in the privacy policy.
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
CJEU, College van burgemeester en wethouders van Rotterdam v Rijkeboer, Case C-553/07 (2009).
CJEU, Nowak v Data Protection Commissioner, Case C-434/16 (2017).