§ 57 BDSG
Right of access
(1)The controller shall, upon request by the data subject, inform the data subject whether personal data relating to that person are being processed. Where that is the case, the controller shall provide the data subject with the following information: 1 the personal data that are the subject of the processing and their categories,; 2 the available information on the origin of the data,; 3 the purposes of the processing and its legal basis,; 4 the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organisations,; 5 the period for which the personal data will be stored, or where that is not possible, the criteria used to determine that period and; 6 the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject.
(2)The controller may restrict, wholly or in part, the right of access pursuant to Subsection (1) to the extent that and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned in order to 1 avoid obstructing official or legal inquiries, investigations or procedures,; 2 avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties,; 3 protect public security,; 4 protect national security or; 5 protect the rights and freedoms of others.
(3)The controller may restrict the right of access pursuant to Subsection (1) for data which are stored in automated form in the files of the public body, where the data subject does not provide information that makes it possible to retrieve the data and the effort required to provide the information would be disproportionate to the information interest asserted by the data subject.
(4)The controller shall inform the data subject, without undue delay, in writing of any refusal or restriction of access and of the reasons therefor. This shall not apply insofar as the provision of such information would jeopardise the purposes referred to in Subsection (2). The controller shall document the factual or legal grounds on which the decision is based. The documentation shall be made available to the Federal Commissioner upon request. In the notification to the data subject, the controller shall draw the data subject's attention to the right to lodge a complaint with the Federal Commissioner.
(5)Where the right of access is restricted, the data subject shall be informed, in the notification pursuant to Subsection (4), first sentence, of the right to have the Federal Commissioner verify the lawfulness of the processing.
(6)In cases under Subsection (5), the notification by the Federal Commissioner to the data subject shall merely indicate that all necessary verifications by the Federal Commissioner have been carried out. The notification may also contain an indication that a data protection violation has been found. The notification under the first and second sentences shall be made without prejudice to Section 60.
(7)The controller shall document the factual or legal grounds for the restriction pursuant to Subsection (2). This documentation shall be made available to the Federal Commissioner upon request.
(8)Where the right of access of the data subject is exercised with respect to data transmitted to the Federal Commissioner or on his or her instructions, the Federal Commissioner shall make the decision on the refusal of information in agreement with the public body which has transmitted the data.