3 minute read
derogations
in whole or partly, they must inform the data subject without delay and at the latest within one month of receipt of the request of
the reason why,
Advertisement
the right to lodge a complaint with a supervisory authority,
the possibility to seek a judicial remedy.
192. Before charging a reasonable fee based on Art. 12(5) GDPR, controllers should provide an indication of their plan to do so to the data subjects. The latter have to be enabled to decide whether they will withdraw the request to avoid being charged.
193. Unjustified rejections of requests of the right of access can be regarded as infringements of data subject´s rights pursuant to Art. 12 to 22 GDPR and can therefore be subject to the exercise of corrective powers by competent supervisory authorities, including administrative fines based on Art. 83 (5) (b) GDPR. If data subjects consider there is an infringement of their data subject rights, they have the right to lodge a complaint based on Art. 77 GDPR.
6.4 Possible restrictions in Union or Member States law based on Article 23 GDPR and derogations
194. The scope of the obligations and rights provided for in Art. 15 GDPR may be restricted by way of legislative measures in Union or Member States law. Several Member States have made use of this option91 .
195. Controllers, who plan to rely on a restriction based on national law must carefully check the requirements of the provision of the respective national legislation. Furthermore, it is important to note, that restrictions of the right of access in Member States (or Union) law which are based on Art. 23 must strictly fulfil the conditions laid down in this Article. The EDPB has issued the Guidelines 10/2020 on restrictions under Art. 23 GDPR with further explanations on this. In terms of the right of access, the EDPB recalls that controllers should lift the restrictions as soon as the circumstances that justify them no longer apply92 .
196. Legislative measures laying down the provisions for the application of restrictions under Art. 23 GDPR may also foresee that the exercise of a right is delayed in time, that a right is exercised partially or circumscribed to certain categories of data or that a right can be exercised indirectly through an independent supervisory authority93 .
91 See for exampl e s ections 32 to 37 of the German Federal Data Protection Act (BDSG) and Arti cle 5 and 5a of the Pol ish Act on the Protection of Personal Data. 92 Paragraph 76of the Guidelines 10/2020 on restrictions under Art. 23 GDPR, Version 2.0, adopted on 13 October 2021. 93 Paragraph 12 of the Guidelines 10/2020 on restrictions under Art. 23 GDPR, Version 2.0, adopted on 13 October 2021. Secti on 34 (3) of the German Federal data protection act for example s tates that i f a public authority does n´t provide i nformation to a data s ubject complying with a request for the ri ght of access because of certain res tri ctions, s uch i nformation shall be provided to the federal s upervisory authority at the request of the data s ubj ect, unless the res ponsible s upreme federal authority (of the authority which was subject to the request) determi nes i n the i ndividual case that doing s o would endanger the s ecurity of the Federati on or a Land. The Ital ian DPCode provides for i ndirect access (through the authority) i n case the access could i mpact wi th adverse cons equence on a number of i nterests (e.g. Interes t to contrast money l aundering) see Art. 2-L of the Italian DPCode.
57
