Chapter 1 - Legal basis for processing personal data
Sub-chapter 1 - Processing of special categories of personal data and processing for other purposes
Section 22 - Processing of special categories of personal dataSection 23 - Processing for other purposes by public bodiesSection 24 - Processing for other purposes by private bodiesSection 25 - Transfer of data by public bodies
Sub-chapter 2 - Special processing situations
Section 26 - Data processing for employment-related purposesSection 27 - Data processing for purposes of scientific or historical research and for statistical purposesSection 28 - Data processing for archiving purposes in the public interestSection 29 - Rights of the data subject and powers of the supervisory authorities in the case of secrecy obligationsSection 30 - Consumer loansSection 31 - Protection of commercial transactions in the case of scoring and credit reports
Chapter 2 - Rights of the data subject
Section 32 - Information to be provided where personal data are collected from the data subjectSection 33 - Information to be provided where personal data have not been obtained from the data subjectSection 34 - Right of access by the data subjectSection 35 - Right to erasureSection 36 - Right to objectSection 37 - Automated individual decision-making, including profiling
Chapter 3 - Obligations of controllers and processors
Section 38 - Data protection officers of private bodiesSection 39 - Accreditation
Chapter 4 - Supervisory authorities for data processing by private bodies
Section 40 - Supervisory authorities of the Länder
Chapter 5 - Penalties
Section 41 - Application of provisions concerning criminal proceedings and proceedings to impose administrative finesSection 42 - Penal provisionsSection 43 - Provisions on administrative fines
Chapter 6 - Legal remedies
Section 44 - Proceedings against a controller or processor

Part 3Implementing provisions for processing for purposes in accordance with Article1(1) of Directive (EU)2016/680

Chapter 1 - Scope, definitions and general principles for processing personal data
Section 45 - ScopeSection 46 - DefinitionsSection 47 - General principles for processing personal data
Chapter 2 - Legal basis for processing personal data
Section 48 - Processing of special categories of personal dataSection 49 - Processing for other purposesSection 50 - Processing for archiving, scientific and statistical purposesSection 51 - ConsentSection 52 - Processing on instructions from the controllerSection 53 - ConfidentialitySection 54 - Automated individual decision
Chapter 3 - Rights of the data subject
Section 55 - General information on data processingSection 56 - Notification of data subjectsSection 57 - Right of accessSection 58 - Right to rectification and erasure and to restriction of processingSection 59 - Modalities for exercising the rights of the data subjectSection 60 - Right to lodge a complaint with the Federal CommissionerSection 61 - Legal remedies against decisions of the Federal Commissioner or if he or she fails to take action
Chapter 4 - Obligations of controllers and processors
Section 62 - Processing carried out on behalf of a controllerSection 63 - Joint controllersSection 64 - Requirements for the security of data processingSection 65 - Notifying the Federal Commissioner of a personal data breachSection 66 - Notifying data subjects affected by a personal data breachSection 67 - Conducting a data protection impact assessmentSection 68 - Cooperation with the Federal CommissionerSection 69 - Prior consultation of the Federal CommissionerSection 70 - Records of processing activitiesSection 71 - Data protection by design and by defaultSection 72 - Distinction between different categories of data subjectsSection 73 - Distinction between facts and personal assessmentsSection 74 - Procedures for data transfersSection 75 - Rectification and erasure of personal data and restriction of processingSection 76 - LoggingSection 77 - Confidential reporting of violations
Chapter 5 - Transfers of data to third countries and to international organisations
Section 78 - General requirementsSection 79 - Data transfers with appropriate safeguardsSection 80 - Data transfers without appropriate safeguardsSection 81 - Other data transfers to recipients in third countries
Chapter 6 - Cooperation among supervisory authorities
Section 82 - Mutual assistance
Chapter 7 - Liability and penalties
Section 83 - CompensationSection 84 - Penal provisions

  • Home
  • Germany BDSG
  • Part 3
  • Section 57 - Right of access

Section 57

Right of access

Control Controller Data subjects Request Shall
(1) The controller shall inform data subjects on request whether data concerning them are being processed. Data subjects shall also have the right to information about
Categories Personal data
1. the personal data being processed and the categories to which they belong;
2. the available information on the origin of the data;
Legal basis
3. the purposes of and legal basis for the processing;
Categories Disclose Organisation Third countries
4. the recipients or categories of recipients to whom the data have been disclosed, in particular recipients in third countries or international organisations;
5. the period for which the data will be stored, or if that is not possible, the criteria used to determine that period;
Control Controller Erasure Rectification Restriction of processing Right to rectification
6. the existence of the right to rectification or erasure of data or restriction of processing of data by the controller;
Commission Commissioner Complaint Federal Federal Commissioner Section
7. the right pursuant to Section 60 to lodge a complaint with the Federal Commissioner, and
Commission Commissioner Federal Federal Commissioner
8. the contact details of the Federal Commissioner.
Disproportionate Measures Monitor Monitoring Organisation Personal data Proportionate Provisions Retention Safeguard Section Shall
(2) Subsection 1 shall not apply to personal data recorded only because they may not be erased due to legal or statutory provisions on retention, or only for purposes of monitoring data protection or safeguarding data, if providing information would require a disproportionate effort, and appropriate technical and organisational measures make processing for other purposes impossible.
Disproportionate Proportionate Shall
(3) No information shall be provided if the data subject does not provide information enabling the data to be located and if the effort required is therefore disproportionate to the data subject’s interest in the information.
Control Controller Section
(4) Subject to the conditions of Section 56 (2), the controller may dispense with the provision of information pursuant to subsection 1, first sentence, or restrict, wholly or partly, the provision of information pursuant to subsection 1, second sentence.
Affected Authorities Constitution Counterintelligence Federal Federation Intelligence Personal data Security Security Shall
(5) If the information to be provided relates to the transfer of personal data to the authorities for the protection of the Constitution, the Federal Intelligence Service, the Military Counterintelligence Service and, as far as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, such provision shall be permitted only with the approval of these bodies.
Access Control Controller Notification Notify Section Shall
(6) The controller shall notify the data subject, without delay, in writing of any refusal or restriction of access. This shall not apply if providing this information would entail a threat as referred to in Section 56 (2). The notification pursuant to the first sentence shall include the reasons for the refusal or the restriction unless providing the reasons would undermine the intended purpose of the refusal or restriction of access.
Access Authority Commission Commissioner Complaint Conduct Control Controller Extensive Federal Federal authority Federal Commissioner Federation Judicial remedy Law Necessary Notification Remedy Request Section Security Security Shall
(7) If the data subject is notified pursuant to subsection 6 of the refusal or restriction of access, he or she may exercise his or her right of access also via the Federal Commissioner. The controller shall inform the data subject of this possibility and that, in accordance with Section 60, the data subject may lodge a complaint with the Federal Commissioner or seek a judicial remedy. If the data subject exercises his or her right pursuant to the first sentence, the information shall be provided to the Federal Commissioner at the request of the data subject, unless the responsible supreme federal authority determines in the individual case that doing so would threaten the security of the Federation or a Land. The Federal Commissioner shall at least inform the data subject that all necessary checks have been conducted or that the Federal Commissioner has conducted a review. This notification may include information as to whether violations of data protection law were found. The notification from the Federal Commissioner to the data subject shall not permit any conclusions to be drawn concerning the information held by the controller unless the latter agrees to the provision of more extensive information. The controller may refuse to such provision only as far as and for as long as he or she could dispense with or restrict information pursuant to subsection 4. The Federal Commissioner shall also inform the data subject of his or her right to seek a judicial remedy.
Control Controller Shall
(8) The controller shall document the factual or legal reasons on which the decision is based.