The data subject is entitled to request access to and obtain copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
The Data Controller shall perform as requested in paragraph one. The request can be rejected only where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.
In the case that the Data Controller rejects the requests in paragraph one, the Data Controller shall record its rejection together with supporting reasons in the record as prescribed in section 39.
When the data subject makes a request as in paragraph one, and such request cannot be rejected based on the reasons in paragraph two, the Data Controller shall fulfill the request without delay, but shall not exceed thirty days from the date of receiving such request.
The Committee may prescribe rules for the access to and request to obtain a copy of the Personal Data in paragraph one, including the extension of the period under paragraph four, or other rules as appropriate.