Right of access

The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection) received your questions regarding the hacking attacks and obtaining relevant documentation from the operators.

The Information Commissioner initially emphasises that it is only possible to provide specific opinion and answers to your questions in the course of an inspection or appeal procedure where all aspects of data processing and its compliance with the relevant General Data Protection Regulation (GDPR) provisions are assessed in the context of a specific case. Furthermore, the Information Commissioner cannot answer your question as to why you have been attacked via the network, solve your problem with hackers or give you advice outside its competences. Hence, at this point it is only possible to provide general explanations and guidance from data protection point of view, as follows bellow.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

The right of access by the data subject is governed by Article 15 of the GDPR. The right of access consists of three components i.e., confirmation whether personal data are processed, access to them, and information about the processing itself. The data subject can also obtain a copy of the processed personal data. As mentioned in Recital 63 of the GDPR and by the CJEU case law, the aim of Article 15 is to enable the data subject to be aware of the processing and verify the lawfulness thereof, or exercise other data subject rights.

However, there is a distinction between the right to obtain access to personal data under Article 15 of the GDPR and the right to receive a copy of administrative documents regulated in national law, the latter being a right to always receive a copy of the actual document. This does not mean that the right of access under Article 15 of the GDPR excludes the possibility to receive a copy of the document/media on which the personal data appear.

The GDPR does not specify any formal requirements for persons requesting access to data. In order to make the access request, it is sufficient for the requesting person to specify that he or she wants to know what his or her personal data the controller processes. Pursuant to Article 12 of the GDPR, the controller shall provide information on action taken on such a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

In accordance with Article 77 of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. In line with Article 78 of the GDPR, the data subject also has the right to an effective judicial remedy against a supervisory authority.

In view of the above, we suggest that you make a subject access request and if the controller does not respond within the prescribed timeframe or you are dissatisfied with the outcome, you can lodge a complaint with a competent supervisory authority.

Finally, we would like to add that the European Data Protection Board (EDPB) will soon adopt guidelines on the right of access, which will further clarify this right and address the most frequent practical questions and issues concerning the implementation of the right of access.

Kind regards,

Mojca Prelesnik,

Information Commissioner of the Republic of Slovenia

To mnenje je nastalo v okviru projekta »Programa pravice, enakost in državljanstvo 2014-2020«, ki ga financira Evropska unija.

Vsebina tega mnenja predstavlja neobvezno mnenje Informacijskega pooblaščenca in je izključno njegova odgovornost. Evropska komisija ne sprejema odgovornosti glede uporabe informacij, ki jih mnenje zajema.