15(2) and 15(3) in a way that enables a complete access to the requested information. The method chosen by the controller must, in line with that, be one that actually provides the data subject with the requested data and information, hence it would not be considered appropriate to solely refer the data subject to check the requested data stored on their own device, for example to check clickstream history and IP addresses on their mobile phone. 129. In accordance with the accountability principle, a controller must document their approach to be able to demonstrate how the means chosen to provide the necessary information under Art. 15 are appropriate in the circumstances at hand.
5.2.2 Different means to provide access 130. As already explained in section 2.2.2 above, when making an access request the data subjects are entitled to receive a copy of their data undergoing processing pursuant to Art. 15(3) together with the supplementary information, which is considered as the main modality for providing access to the personal data. 131. However, under some circumstances it could be appropriate for the controller to provide access through other ways than providing a copy. Such non-permanent modalities of access to the data could be, for example: oral information, inspection of files, onsite or remote access without possibility to download. These modalities may be appropriate ways of granting access for example in cases where it is in the interest of the data subject or the data subject asks for it. Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data in the record are correct by giving them a chance to have a glance at the original record. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Nor does giving access through other ways than providing a copy preclude the data subjects from the right to also have a copy, unless they recognisably waived this right. 132. The controller may choose, depending on the situation at hand, to provide the copy of the data undergoing processing, together with the supplementary information, in different ways, e.g. by e-mail, physical mail or by the use of a self-service tool. In any case, the controller has to consider appropriate technical and organizational measures, including adequate encryption when providing information via e-mail or online-self-service tools. 133. In the situation, where the controller is processing personal data regarding the person making the request only in a small scale, the copy of the personal data and the supplementary information can and should be provided through a rather simple procedure. Example 1: A local bookstore keeps a record of name and addresses of their customers that have ordered home delivery. A customer visits the bookstore and makes a request for access. In this situation it would be sufficient to print out the personal data concerning the customer directly from the business system, while also supplying the supplementary information in Art. 15(1) and (2). Example 2: A monthly donor to a charity organisation makes an access request through e-mail. The charity organisation holds information about donations made in the past twelve months, as well as names and e-mail addresses of the donors. The controller could provide the copy of the personal data and the supplementary information by responding to the e-mail, provided that all necessary safeguards are applied, taking into consideration for example the nature of the data.
41 Adopted - version for public consultation
